I am not able to access the vault from an Azure Container Instance deployed into a private network with a system managed identity. My code works fine if I use a service principal to access the vault, by passing the environment variables to the container.

https://docs.microsoft.com/en-us/azure/developer/python/azure-sdk-authenticate?tabs=bash

My code:

import os
import logging  # was missing: secretVal() calls logging.debug()
from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential

keyVaultName = 'XXXXXXX'
KVUri = "https://" + keyVaultName + ".vault.azure.net"

# DefaultAzureCredential tries EnvironmentCredential first, then the
# managed identity (IMDS) endpoint at 169.254.169.254.
credential = DefaultAzureCredential()
client = SecretClient(vault_url=KVUri, credential=credential)

def secretVal(name):
    logging.debug("Retrieving the secret from vault for %s", name)
    val = client.get_secret(name)
    return val.value

Error:

2020-05-21:02:09:37,349 INFO     [_universal.py:412] Request URL: 'http://169.254.169.254/metadata/identity/oauth2/token'
2020-05-21:02:09:37,349 INFO     [_universal.py:413] Request method: 'GET'
2020-05-21:02:09:37,349 INFO     [_universal.py:414] Request headers:
2020-05-21:02:09:37,349 INFO     [_universal.py:417]     'Metadata': 'REDACTED'
2020-05-21:02:09:37,349 INFO     [_universal.py:417]     'User-Agent': 'azsdk-python-identity/1.3.1 Python/3.8.3 (Linux-4.15.0-1082-azure-x86_64-with-glibc2.2.5)'
2020-05-21:02:09:37,352 DEBUG    [connectionpool.py:226] Starting new HTTP connection (1): 169.254.169.254:80
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/azure/identity/_credentials/default.py", line 105, in get_token
    return super(DefaultAzureCredential, self).get_token(*scopes, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/azure/identity/_credentials/chained.py", line 71, in get_token
    raise ClientAuthenticationError(message=error_message)
azure.core.exceptions.ClientAuthenticationError: No credential in this chain provided a token.
Attempted credentials:
        EnvironmentCredential: Incomplete environment configuration. See https://aka.ms/python-sdk-identity#environment-variables for expected environment variables
        ImdsCredential: IMDS endpoint unavailable

The issue seems to be something similar to the one below.

https://github.com/Azure/azure-sdk-for-python/issues/8557

I tried pausing my code to give the metadata service time to become available, using the command line below when creating the instance. But it still doesn't work.

--command-line "/bin/bash -c 'sleep 90; /usr/local/bin/python xxxx.py'"

Comment (Pradeep): It looks like usage of managed identities in container instances deployed to a private network is not supported? github.com/MicrosoftDocs/azure-docs/blob/master/articles/…

1 Answer

Unfortunately, the managed identity of the Azure Container Instance is not supported when you create it in a virtual network. See the limitations:

You can't use a managed identity in a container group deployed to a virtual network.

ACI in a virtual network is currently a preview feature. All the limitations are shown there. So when it's in the VNet, use the service principal to authenticate; it's similar to the managed identity, just presented in a different way.
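The answer's advice is to switch to a service principal inside the VNet. The following is an added example, not code from the question or the answer, showing how to wire that up explicitly instead of relying on DefaultAzureCredential: it checks at startup that the three variables EnvironmentCredential expects (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET) are present, and when the container is known to be in a VNet it fails immediately with a message naming the missing variables, rather than waiting on the IMDS probe and then reporting "No credential in this chain provided a token". The CONTAINER_IN_VNET, KEY_VAULT_NAME and SECRET_NAME variables are assumptions introduced here for the example; the azure-identity and azure-keyvault-secrets imports are deferred into the client-building function so the selection logic can be exercised without Azure access.

```python
import os
from typing import Mapping, Tuple

# Variables azure.identity's EnvironmentCredential reads for a client-secret
# service principal (see https://aka.ms/python-sdk-identity#environment-variables).
REQUIRED_SP_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")


def missing_sp_vars(env: Mapping[str, str]) -> Tuple[str, ...]:
    """Return the names of required service-principal variables that are unset or empty."""
    return tuple(name for name in REQUIRED_SP_VARS if not env.get(name))


def choose_auth_mode(env: Mapping[str, str], in_vnet: bool) -> str:
    """Decide how this container should authenticate.

    in_vnet is supplied by the caller (assumed here to come from a
    CONTAINER_IN_VNET flag set at deploy time). Managed identity is not
    available for a container group deployed to a virtual network, so in
    that case the service-principal path is the only viable one and a
    missing variable is a hard error rather than a fallback to IMDS.
    """
    missing = missing_sp_vars(env)
    if not missing:
        return "service_principal"
    if in_vnet:
        raise RuntimeError(
            "Container is in a VNet, so managed identity is unavailable and "
            "service-principal variables are required; missing: " + ", ".join(missing)
        )
    return "managed_identity"


def make_secret_client(vault_url: str, env: Mapping[str, str], in_vnet: bool):
    """Build a SecretClient with an explicitly chosen credential."""
    from azure.identity import ClientSecretCredential, ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient

    mode = choose_auth_mode(env, in_vnet)
    if mode == "service_principal":
        credential = ClientSecretCredential(
            tenant_id=env["AZURE_TENANT_ID"],
            client_id=env["AZURE_CLIENT_ID"],
            client_secret=env["AZURE_CLIENT_SECRET"],
        )
    else:
        # Outside a VNet the system-assigned identity can be used directly;
        # this skips the EnvironmentCredential step of the default chain.
        credential = ManagedIdentityCredential()
    return SecretClient(vault_url=vault_url, credential=credential)


if __name__ == "__main__":
    # CONTAINER_IN_VNET, KEY_VAULT_NAME and SECRET_NAME are assumed names for this example.
    in_vnet = os.environ.get("CONTAINER_IN_VNET", "").lower() in ("1", "true", "yes")
    client = make_secret_client(
        "https://" + os.environ["KEY_VAULT_NAME"] + ".vault.azure.net",
        os.environ,
        in_vnet,
    )
    print(client.get_secret(os.environ.get("SECRET_NAME", "example")).value)
```

When creating the container group, pass AZURE_CLIENT_SECRET (and, for consistency, the other two) with `az container create --secure-environment-variables` rather than `--environment-variables`, so the secret is not echoed back in the container group's properties; the client secret is then the credential that must be rotated and scoped (a Key Vault access policy or RBAC role limited to get on the secrets this container needs).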