I am trying to set up an Azure webapp service (uses docker) to access my keyvault using a user managed identity. I have set up a user managed identity, assigned it to my webapp and gave it the access policies that it will need in the keyvault I am testing it on (see abbreviated settings below).
In the webapp application settings, I have included a setting for AZURE_CLIENT_ID that I have set to the client id of my user managed identity and it is being injected into the environment variables.
My app is Node and I am using DefaultAzureCredential from the @azure/identity npm package:
const credential = new DefaultAzureCredential();
I also tried:
const credential = new DefaultAzureCredential({managedIdentityClientId: '27455443-73e6-4386-aef2-05c8be5586af'});
From everything that I can see it should be working, but I always get the following error back:
AuthenticationError: ManagedIdentityCredential authentication failed.(status code 400).
More details:
unknown_error(status code 400).
More details:
An unknown error occurred and no additional details are available.
    at ManagedIdentityCredential.<anonymous> (/usr/src/app/node_modules/@azure/identity/dist/index.js:1077:23)
    at Generator.throw (<anonymous>)
    at rejected (/usr/src/app/node_modules/tslib/tslib.js:112:69)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
Any advice would be greatly appreciated.
App service identity setting (abbreviated):
"identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
        "/subscriptions/f3f6b1b3-6e32-4fe1-ac75-41f1b2c8731f/resourcegroups/keyVaultAccess/providers/Microsoft.ManagedIdentity/userAssignedIdentities/accesstokeyvault": {
            "principalId": "46eeaff7-d686-4a07-8471-90a6f892a1b4",
            "clientId": "27455443-73e6-4386-aef2-05c8be5586af"
        }
    }
},
Keyvault access policy (abbreviated):
{
    "tenantId": "26332e31-5b20-48a7-b449-cdae84c6c7df",
    "objectId": "46eeaff7-d686-4a07-8471-90a6f892a1b4",
    "permissions": {
        "keys": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore"
        ],
        "secrets": [
            "Get",
            "List",
            "Set",
            "Delete",
            "Recover",
            "Backup",
            "Restore"
        ],
        "certificates": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore",
            "ManageContacts",
            "ManageIssuers",
            "GetIssuers",
            "ListIssuers",
            "SetIssuers",
            "DeleteIssuers"
        ]
    }
},
User managed identity:
"contentVersion": "1.0.0.0",
"parameters": {
    "userAssignedIdentities_accesstokeyvault_name": {
        "defaultValue": "accesstokeyvault",
        "type": "String"
    }
},
"variables": {},
"resources": [
    {
        "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
        "apiVersion": "2018-11-30",
        "name": "[parameters('userAssignedIdentities_accesstokeyvault_name')]",
        "location": "westus"
    }
]
}
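An added diagnostic example, not code from the question above or from the @azure/identity package. The SDK collapses the identity endpoint's 400 reply into "unknown_error", so the script below reproduces the same token request that ManagedIdentityCredential makes on App Service and reports the raw status and body instead (the token itself is never printed). It assumes the platform-injected variables IDENTITY_ENDPOINT and IDENTITY_HEADER exist in the container, that AZURE_CLIENT_ID is the app setting from the question, and that the endpoint contract is the documented one (api-version 2019-08-01, X-IDENTITY-HEADER header); the function names are my own.

```javascript
// Added example (not from the original question). Reproduces the App Service
// managed-identity token request so the endpoint's own error text can be read.
// Assumptions: IDENTITY_ENDPOINT / IDENTITY_HEADER are injected by App Service,
// AZURE_CLIENT_ID is the app setting from the question, api-version 2019-08-01
// and the X-IDENTITY-HEADER header are the documented endpoint contract.

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Check the environment before any network call; returns a list of findings.
function checkIdentityEnv(env) {
  const problems = [];
  if (!env.IDENTITY_ENDPOINT) {
    problems.push('IDENTITY_ENDPOINT is not set: not on App Service, or no identity assigned');
  }
  if (!env.IDENTITY_HEADER) {
    problems.push('IDENTITY_HEADER is not set');
  }
  if (!env.AZURE_CLIENT_ID) {
    // Without a client id the credential asks for the system-assigned identity,
    // which fails when only a user-assigned identity is attached to the app.
    problems.push('AZURE_CLIENT_ID is not set: the system-assigned identity would be requested');
  } else if (!GUID_RE.test(env.AZURE_CLIENT_ID)) {
    problems.push(`AZURE_CLIENT_ID is not a GUID: ${env.AZURE_CLIENT_ID}`);
  }
  return problems;
}

// Build the exact URL and header the identity endpoint expects for a Key Vault token.
function buildTokenRequest(env, resource = 'https://vault.azure.net') {
  const url = new URL(env.IDENTITY_ENDPOINT);
  url.searchParams.set('api-version', '2019-08-01');
  url.searchParams.set('resource', resource);
  if (env.AZURE_CLIENT_ID) {
    url.searchParams.set('client_id', env.AZURE_CLIENT_ID);
  }
  return { url: url.toString(), headers: { 'X-IDENTITY-HEADER': env.IDENTITY_HEADER } };
}

// Turn the endpoint's reply into a diagnostic record that never carries the token.
function interpretTokenResponse(status, bodyText) {
  if (status === 200) {
    const body = JSON.parse(bodyText);
    return {
      ok: true,
      clientId: body.client_id,      // identity the endpoint actually used
      resource: body.resource,
      expiresOn: body.expires_on,
      tokenLength: (body.access_token || '').length, // length only, no token value
    };
  }
  // Non-200: the body usually states the reason the SDK error message omits.
  return { ok: false, status, detail: bodyText };
}

// Run the probe. fetchImpl is injectable so the logic can be exercised offline.
async function probeIdentityEndpoint(env, fetchImpl = globalThis.fetch) {
  const problems = checkIdentityEnv(env);
  if (problems.length > 0) {
    return { ok: false, problems };
  }
  const req = buildTokenRequest(env);
  const res = await fetchImpl(req.url, { headers: req.headers });
  return interpretTokenResponse(res.status, await res.text());
}

// Usage inside the container (Node 18+ for global fetch); only runs where the
// platform variables exist, so it is inert on a developer machine.
if (process.env.IDENTITY_ENDPOINT) {
  probeIdentityEndpoint(process.env).then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Run it with `node probe.js` from an SSH session into the App Service container: a non-200 result prints the endpoint's own body, which is the detail the "unknown_error" message drops, and a 200 result shows which client_id the platform resolved, so a mismatch with the identity's clientId in the settings above is visible without ever exposing the token.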