0
votes
  1. Created a User Assigned Managed Identity Azure Resource

  2. I deployed the Container Group with User Managed Identity as shown below: image

  3. Provided access to User Identity for a given Keyvault

  4. Now when I am trying to access the keyvault using the following C# code, it's throwing an exception:

image

Exception Error loading KV settings:: One or more errors occurred. (Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxx. Exception Message: Tried the following 3 methods to get an access token, but none of them worked. Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxx. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup. Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxx. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set. Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxx. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. )



1
Try to modify the first line of your code to var azureServiceTokenProvider = new AzureServiceTokenProvider("RunAs=App;AppId={ClientId of user-assigned identity}"); - Joy Wang-MSFT
@JoyWang: Now getting a different error: One or more errors occurred. (Parameters: Connection String: RunAs=App;AppId=XXXXXX, Resource: vault.azure.net, Authority: login.windows.net/XXXXXX. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.) - Dadwals
Just to add more context: I am creating the ACI Container Group on the fly (i.e. the User Assigned MI is also attached at the time of creation) and the container code runs immediately after that. Do you think I need to put some delay in calling the keyvault here (because maybe the resources are just warming up or something)? - Dadwals

1 Answer

0
votes

Putting a delay of 10 seconds before accessing keyvault solved the problem.
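
The fixed delay from the answer above can also be written as a bounded retry around the token request, so the container continues as soon as the managed identity endpoint answers and fails clearly if it never does. This is an added example, not code from the original post; the `IDENTITY_CLIENT_ID` environment variable name and the retry limits are assumptions.

```csharp
// Added example: bounded retry with exponential backoff around the
// managed identity token request at container start-up.
using System;
using System.Threading.Tasks;
using Microsoft.Azure.Services.AppAuthentication;

public static class StartupToken
{
    // Calls getToken up to maxAttempts times, doubling the wait between tries.
    // Only AzureServiceTokenProviderException is retried; on the last attempt
    // the exception propagates so the failure is visible to the caller.
    public static async Task<string> AcquireWithRetryAsync(
        Func<Task<string>> getToken, int maxAttempts, TimeSpan firstDelay)
    {
        var delay = firstDelay;
        for (int attempt = 1; ; attempt++)
        {
            try
            {
                return await getToken();
            }
            catch (AzureServiceTokenProviderException) when (attempt < maxAttempts)
            {
                await Task.Delay(delay);
                delay = TimeSpan.FromTicks(delay.Ticks * 2);
            }
        }
    }

    public static async Task Main()
    {
        // Assumption: the client ID of the user-assigned identity is passed
        // to the container in this (hypothetical) environment variable.
        var clientId = Environment.GetEnvironmentVariable("IDENTITY_CLIENT_ID");
        var provider = new AzureServiceTokenProvider($"RunAs=App;AppId={clientId}");

        // Waits of 2, 4, 8, 16 and 32 seconds between the six attempts.
        var token = await AcquireWithRetryAsync(
            () => provider.GetAccessTokenAsync("https://vault.azure.net"),
            maxAttempts: 6, firstDelay: TimeSpan.FromSeconds(2));

        // Never log the token itself; report only that it was obtained.
        Console.WriteLine("Key Vault token acquired.");
    }
}
```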