Azure Container Instances and Key Vault RRS feed

  • Question

  • Hello There,

    I was recently chatting with the Azure Support who redirected me here. I would like to access the key vault service from a container instance (without having to inject azure credentials into the code).

    For this, I found this tutorial:
    azure dot microsoft dot com/en-us/resources/samples/key-vault-node-getting-started

    I wanted to slightly modify this tutorial to have it work with azure container instances instead of an `appservice`. My steps are below:

    az container create --resource-group test --name dexta-ws --image myImage --cpu 1 --memory 1 --registry-login-server myRegistryName --registry-username myRegistry --registry-password myPassword --dns-name-label myContainerName --ports 80 --environment-variables 'STAGE'='this_stage' 'PORT'='80' --assigned-identity

    az keyvault set-policy --name 'myKeyVault' --object-id <principal-identity-received-from-command-above> --secret-permissions get

    Then again
    az container create ...

    and finally
    az container logs --resource-group myResourceGroup --name myContainerName

    The logs show the following error:
    Error: Either provide "msiEndpoint" as a property of the "options" object or set the environment variable "MSI_ENDPOINT" and it must be of type "string".

    Which appears at this line in the code running in the container: github dot com slash Azure-Samples/key-vault-node-quickstart/blob/master/index.js#L13

    I don't know how to go from there, searching on the web did not lead to any answers so far. Help is appreciated!


    Tuesday, September 10, 2019 9:56 AM

All replies

  • Hello d60066,

    Thanks for reaching out! As you are aware, the tutorial that you followed is tailored to use with Azure Web Apps.

    The one for Azure Container Instances is detailed here:

    How to use managed identities with Azure Container Instances

    Please give this a try and let us know if you still run into issues.

    Hope this helps!

    Tuesday, September 17, 2019 11:02 AM
  • Hi BhargaviAnnadevara-MSFT,

    Thanks for the link; yes I am well aware of it and should have posted it within my question. Actually you can recognize the commands I tried as the ones described in the tutorial you linked.

    However the Azure Container Instances tutorial does not exemplifies the use case I need, given in 'key-vault-node-getting-started'. That is why I posted the error message, in the hope that someone could point me to the missing step (which hopefully does not involve manually getting an access token with limited lifespan).



    Thursday, September 19, 2019 7:42 AM
  • Hello Yoann,

    Have you tried setting the MSI_ENDPOINT environment variable manually?

    Tuesday, September 24, 2019 9:07 AM
  • Hello Yoann, Just following up to check if there's any update here.
    Friday, October 4, 2019 2:53 AM
  • Hi BhargaviAnnadevara-MSFT,

    No I did not try to set the MSI_ENDPOINT environment variable. Looking into the Node.js SDK, I found the place where this error is thrown, as well as what kind of other environment variables need to be there. In particular, MSI_SECRET. Of course, I do not know the MSI_SECRET, as it would defeat the purpose of key-vault.

    We stopped trying to use key-vault as we had to move forward.

    Friday, October 4, 2019 8:02 AM