2 votes

I'm trying to deploy my app to Azure App Service for Containers, using the docker-compose preview. The deployment configuration is as follows:

version: "3.7"
services:
  auth:
    image: myorg/myimage
    environment:
      - MyOrg__Hosting__PathBase=/auth
      - ASPNETCORE_FORWARDEDHEADERS_ENABLED=true
      - ConnectionStrings__AuthenticationDatabase
  # other services not important for this question

Within that deployment, I need to access Azure Key Vault, with which I have integrated my app via the Key Vault Configuration provider, as per the documentation:

// Token provider: on App Service this resolves to the managed identity (MSI) endpoint.
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
    new KeyVaultClient.AuthenticationCallback(
        azureServiceTokenProvider.KeyVaultTokenCallback));

// config is the IConfigurationBuilder; builtConfig is the configuration built so far,
// which supplies the vault name.
config.AddAzureKeyVault(
    $"https://{builtConfig["KeyVault:Name"]}.vault.azure.net/",
    keyVaultClient,
    new DefaultKeyVaultSecretManager());

My Azure Key Vault has the appropriate access policy set, and from the Kudu pages it seems that the MSI_ENDPOINT and MSI_SECRET environment variables have been set in the runtime environment. However, the Key Vault configuration provider repeatedly fails to connect to Key Vault with the error:

Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: 
Connection String: [No connection string specified], Resource: https://vault.azure.net, 
Authority: https://login.windows.net/6e5e63bd-f497-4f71-a6f4-9d29200a8a61. Exception 
Message: Tried the following 3 methods to get an access token, but none of them worked.
2020-02-21T18:27:27.024474350Z Parameters: 
Connection String: [No connection string specified], Resource: https://vault.azure.net, 
Authority: https://login.windows.net/6e5e63bd-f497-4f71-a6f4-9d29200a8a61. Exception 
Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
2020-02-21T18:27:27.024479550Z Parameters: 
Connection String: [No connection string specified], Resource: https://vault.azure.net, 
Authority: https://login.windows.net/6e5e63bd-f497-4f71-a6f4-9d29200a8a61. Exception 
Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set.
2020-02-21T18:27:27.024483550Z Parameters: 
Connection String: [No connection string specified], Resource: https://vault.azure.net, 
Authority: https://login.windows.net/6e5e63bd-f497-4f71-a6f4-9d29200a8a61. Exception 
Message: Tried to get token using Azure CLI. Access token could not be acquired. No such file or directory

The first of those three methods clearly indicates that MSI is not available for some reason.

I've added a manual request for debugging purposes taken from the documentation on Managed Identities:

using System;
using System.Net.Http;
using System.Threading.Tasks;
using Serilog; // Log.Logger below is assumed to be a Serilog logger

// Debugging helper: calls the App Service MSI endpoint directly, the way the
// Managed Identities documentation shows, and returns the raw response.
public static async Task<HttpResponseMessage> GetToken(string resource, string apiversion)
{
    HttpClient client = new HttpClient();
    // Falls back to a marker string so the log line shows whether the variable exists at all.
    var msiEndpoint = Environment.GetEnvironmentVariable("MSI_ENDPOINT") ?? "MSI_ENDPOINT is not set!";
    Log.Logger.Debug("MSI_ENDPOINT is {MsiEndpoint}", msiEndpoint);
    client.DefaultRequestHeaders.Add("Secret", Environment.GetEnvironmentVariable("MSI_SECRET"));
    return await client.GetAsync(String.Format("{0}/?resource={1}&api-version={2}", msiEndpoint, resource, apiversion));
}

and I can clearly see in my application logs the line "MSI_ENDPOINT is " with nothing after it, so it's set, but empty or whitespace. This is supported by the InvalidOperationException thrown by the debugging request, stating that "An invalid request URI was provided. The request URI must either be an absolute URI or BaseAddress must be set."

I've tried disabling and re-enabling the system-assigned identity, restarting my App Service, and triple-checking the Key Vault access policies, all to no avail. At this point, I think I can only assume that the MSI_* environment variables aren't being passed on to the container(s) by the runtime, and I'm not sure why that would be.


Update: I have now also tried listing the MSI_* environment variables in the environment map in my docker-compose config, and that also didn't have any effect.
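As an added diagnostic (not part of the question or of any Azure tooling), the following POSIX shell script does from inside the container, for example over a Kudu SSH session, what the debugging method above does from the application: it checks whether MSI_ENDPOINT and MSI_SECRET actually reached the process, whether the endpoint is an absolute http(s) URL, and only then whether the endpoint hands back a token. It never prints the secret or the token. The function names, the 127.0.0.1 endpoint used below for illustration, and the api-version default 2017-09-01 (the App Service managed-identity endpoint version this assumes) are mine, not from the page.

```shell
#!/bin/sh
# Added example: diagnose the managed-identity environment inside an App Service
# container before calling the MSI endpoint. Run from the container shell, e.g.:
#   ./msi_check.sh https://vault.azure.net
# Nothing here prints MSI_SECRET or the returned token.
set -eu

# Classify an endpoint/secret pair. Prints one line and returns:
#   0 usable, 1 endpoint missing or blank, 2 endpoint not an absolute http(s) URL,
#   3 secret missing or blank.
msi_env_status() {
  _ep=${1:-}
  _sec=${2:-}
  case "$_ep" in
    *[![:space:]]*) ;;
    *) echo "MSI_ENDPOINT is unset, empty or whitespace: the platform did not inject the identity endpoint into this process"; return 1 ;;
  esac
  case "$_ep" in
    http://*|https://*) ;;
    *) echo "MSI_ENDPOINT is set but is not an absolute http(s) URL: '$_ep'"; return 2 ;;
  esac
  case "$_sec" in
    *[![:space:]]*) ;;
    *) echo "MSI_SECRET is unset, empty or whitespace: the endpoint will reject requests"; return 3 ;;
  esac
  echo "MSI_ENDPOINT and MSI_SECRET are present (endpoint $_ep, secret length ${#_sec}, value not shown)"
  return 0
}

# Request a token for RESOURCE (same URL shape as the debugging method in the
# question) and report only whether a token came back, never the token itself.
msi_token_probe() {
  _url="${MSI_ENDPOINT%/}/?resource=$1&api-version=$2"
  if ! _body=$(curl -sS -H "Secret: $MSI_SECRET" "$_url"); then
    echo "request to $_url failed"
    return 1
  fi
  case "$_body" in
    *access_token*) echo "token acquired for $1 (value not shown)" ;;
    *) echo "endpoint answered without a token: $_body"; return 1 ;;
  esac
}

main() {
  # Only talk to the endpoint once the environment itself checks out.
  # 2017-09-01 is the assumed App Service MSI api-version; override with the 2nd argument.
  if msi_env_status "${MSI_ENDPOINT:-}" "${MSI_SECRET:-}"; then
    msi_token_probe "${1:-https://vault.azure.net}" "${2:-2017-09-01}"
  fi
}

main "$@"
```

The return codes of msi_env_status are meant for scripting: a blank or whitespace-only MSI_ENDPOINT, which is what the question's logs show, is reported as code 1 rather than surfacing later as an invalid-URI exception from the HTTP client.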

1 Answer

1 vote

For your issue, I think you missed two steps for the Managed identity of the Web App for Container.

One is that you need to enable the Managed identity first. For example, you use the system-assigned type of Managed identity. Then enable it like this:

(screenshot not included)

Then the environment variables MSI_ENDPOINT and MSI_SECRET will display like this:

(screenshot not included)

Another is that if you need to use the Managed identity to access the key vault, you need to grant your Managed identity enough permissions. You can follow the steps in Assign a managed identity access to a resource by using the Azure portal.
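The two steps the answer describes through the portal, as an added Azure CLI example (not part of the answer): enable the system-assigned identity on the Web App for Containers, then grant that identity only the secret permissions the Key Vault configuration provider needs (get and list) rather than a broad policy. The function names are mine; the AZ variable is a seam so the commands can be previewed with AZ=echo before running them for real. The GUID check is there because set-policy silently accepts any object id, and granting to the wrong principal is a quiet way to hand out vault access.

```shell
#!/bin/sh
# Added example: enable a system-assigned identity on a Web App for Containers and
# grant it read-only access to Key Vault secrets with the Azure CLI.
# AZ can be overridden (e.g. AZ=echo) to preview the commands without running them.
set -eu
AZ=${AZ:-az}

# Return 0 only when the argument has the shape of an Azure AD object id (a GUID).
is_guid() {
  printf '%s\n' "${1:-}" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Turn on the system-assigned identity and print its principal (object) id.
enable_system_identity() {
  "$AZ" webapp identity assign --name "$1" --resource-group "$2" --query principalId -o tsv
}

# Grant only what the configuration provider needs: get and list on secrets.
# Refuses anything that does not look like an object id.
grant_keyvault_secret_read() {
  _kv=$1
  _pid=$2
  if ! is_guid "$_pid"; then
    echo "refusing to set a policy for '$_pid': not an object id" >&2
    return 1
  fi
  "$AZ" keyvault set-policy --name "$_kv" --object-id "$_pid" --secret-permissions get list
}

main() {
  if [ $# -ne 3 ]; then
    echo "usage: $0 <app-name> <resource-group> <keyvault-name>" >&2
    return 2
  fi
  pid=$(enable_system_identity "$1" "$2")
  echo "principal id: $pid"
  grant_keyvault_secret_read "$3" "$pid"
}

# Run only when invoked with arguments, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

After the policy is set, the container still has to receive MSI_ENDPOINT and MSI_SECRET from the platform; the policy grant fixes authorization, not the missing endpoint the question's logs show, so re-run the in-container check after enabling the identity.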