Managed Service Identity Issue

  • Question

  • I have a new ASP.NET Core 2.1.1 web app that I have coded to read sensitive appsettings from Azure Key Vault. I thought I had everything set up and working, as while developing on my local machine everything works as it should, reading the values from the key vault with the code below in the ASP.NET Core Program.cs file.

    Web site code to connect to Azure Key Vault.

    using System;
    using Microsoft.AspNetCore;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.Services.AppAuthentication;
    using Microsoft.Extensions.Configuration.AzureKeyVault;

    public class Program
    {
        public static void Main(string[] args)
        {
            CreateWebHostBuilder(args).Build().Run();
        }

        public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
            WebHost.CreateDefaultBuilder(args)
                .ConfigureAppConfiguration((ctx, builder) =>
                {
                    var keyVaultEndpoint = GetKeyVaultEndpoint();
                    if (!string.IsNullOrEmpty(keyVaultEndpoint))
                    {
                        // AzureServiceTokenProvider tries MSI first, then the Visual Studio
                        // token provider, then the Azure CLI (the three methods in the log below).
                        var azureServiceTokenProvider = new AzureServiceTokenProvider();
                        var keyVaultClient = new KeyVaultClient(
                            new KeyVaultClient.AuthenticationCallback(
                                azureServiceTokenProvider.KeyVaultTokenCallback));
                        builder.AddAzureKeyVault(
                            keyVaultEndpoint, keyVaultClient, new DefaultKeyVaultSecretManager());
                    }
                })
                .UseStartup<Startup>();

        // The vault URL comes from an environment variable rather than being hard-coded.
        private static string GetKeyVaultEndpoint() => Environment.GetEnvironmentVariable("KEYVAULT_ENDPOINT");
    }

    As you can see, the Azure Key Vault endpoint is read from an environment variable within Visual Studio 2017. All seems well in development. But I have now used VSTS to deploy the web site to my web app service in my testing slot. The application fails to start because it throws an exception trying to authenticate using Managed Service Identity for the slot. If I look at the Managed Service Identity blade for the Production slot, MSI is turned on, but the web site code in production is old code and does not use MSI. If you look at the Test slot, which is where I have deployed the new web site for testing, MSI is not turned on and I am unable to turn it on. If I try to flip the testing MSI blade to on, it runs for about 15 minutes and does not enable MSI. Which I guess is what is causing the new web app that is deployed to the Test slot to fail with an error of "Azure app service HTTP Error 502.5 - Process Failure" and give me the following error. Is there someone out there that can help with this issue, please?

    Error in KUDU log file for application

    <Data>Application: dotnet.exe
    CoreCLR Version: 4.6.26628.5
    Description: The process was terminated due to an unhandled exception.
    Exception Info: Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/e2f2ed24-d7aa-4886-b592-50860f7e864c. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
    Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/e2f2ed24-d7aa-4886-b592-50860f7e864c. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
    Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/e2f2ed24-d7aa-4886-b592-50860f7e864c. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "D:\local\LocalAppData\.IdentityService\AzureServiceAuth\tokenprovider.json"
    Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/e2f2ed24-d7aa-4886-b592-50860f7e864c. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,
    operable program or batch file.
    
    
       at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.GetAccessTokenAsyncImpl(String authority, String resource, String scope)
       at Microsoft.Azure.KeyVault.KeyVaultCredential.PostAuthenticate(HttpResponseMessage response)
       at Microsoft.Azure.KeyVault.KeyVaultCredential.ProcessHttpRequestAsync(HttpRequestMessage request, CancellationToken cancellationToken)
       at Microsoft.Azure.KeyVault.KeyVaultClient.GetSecretsWithHttpMessagesAsync(String vaultBaseUrl, Nullable`1 maxresults, Dictionary`2 customHeaders, CancellationToken cancellationToken)
       at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.GetSecretsAsync(IKeyVaultClient operations, String vaultBaseUrl, Nullable`1 maxresults, CancellationToken cancellationToken)
       at Microsoft.Extensions.Configuration.AzureKeyVault.AzureKeyVaultConfigurationProvider.LoadAsync()
       at Microsoft.Extensions.Configuration.AzureKeyVault.AzureKeyVaultConfigurationProvider.Load()
       at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList`1 providers)
       at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build()
       at Microsoft.AspNetCore.Hosting.WebHostBuilder.BuildCommonServices(AggregateException& hostingStartupErrors)
       at Microsoft.AspNetCore.Hosting.WebHostBuilder.Build()
       at OrgbratBlog.Program.Main(String[] args) in D:\a\1\s\src\OrgbratBlog\Program.cs:line 20
    </Data>

    Orgbrat


    Thursday, July 26, 2018 6:13 PM

Answers

  • Hi Ajay,

           Thanks for informing me that the Managed Identity Service does not work with Azure Deployment Slots. After researching your suggested threads, I made code changes that look for the existence of the Environment Variable; if found it will use MSI, and if not found it will use the standard method of connecting to the Key Vault with supplied Client values. I do have one question though. If I understand everything I have seen, Managed Identity Service does work with the Production (primary) slot, so this should all work when I swap the staging slot into my production slot? Is that correct? Again thanks, as you saved me a bunch of work determining what was wrong with my test slot.

    By the way the test slot is working with the new code. Have some other issues I need to work on but at least it will run now. Guess this is a good use of slots...  :)

    Orgbrat

    • Marked as answer by Orgbrat Friday, July 27, 2018 3:34 PM
    Friday, July 27, 2018 3:34 PM
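One way to implement the fallback Orgbrat describes (use MSI when the slot exposes it, otherwise authenticate with supplied client credentials), written here as an added example rather than the poster's actual code. The `KV_APP_ID` / `KV_TENANT_ID` / `KV_APP_KEY` variable names are assumptions; the client-secret path uses the AppAuthentication library's own `RunAs=App` connection string so both paths share the same provider type and the same `KeyVaultTokenCallback`.

```csharp
using System;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

public static class KeyVaultAuth
{
    // App Service injects MSI_ENDPOINT (and MSI_SECRET) into the process only when a
    // managed identity is enabled for that slot, so its presence is the signal that
    // the MSI path can actually reach a token endpoint.
    public static bool ManagedIdentityAvailable() =>
        !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("MSI_ENDPOINT"));

    // Chooses the token provider for the current environment:
    //  - MSI endpoint present: default provider, which calls the MSI endpoint.
    //  - Otherwise, if registered-app credentials are supplied (hypothetical names
    //    KV_APP_ID / KV_TENANT_ID / KV_APP_KEY), use a "RunAs=App" connection string.
    //  - Otherwise: default provider, which falls through to the Visual Studio token
    //    provider and `az login` for local development, as in the original Program.cs.
    public static AzureServiceTokenProvider CreateTokenProvider()
    {
        if (ManagedIdentityAvailable())
            return new AzureServiceTokenProvider();

        var appId  = Environment.GetEnvironmentVariable("KV_APP_ID");
        var tenant = Environment.GetEnvironmentVariable("KV_TENANT_ID");
        var appKey = Environment.GetEnvironmentVariable("KV_APP_KEY");

        if (!string.IsNullOrEmpty(appId) && !string.IsNullOrEmpty(tenant) && !string.IsNullOrEmpty(appKey))
        {
            // Client-secret fallback: the secret belongs in the slot's App Settings,
            // never in appsettings.json or source control, and is the value to rotate
            // once the slot can use MSI instead.
            var connectionString = $"RunAs=App;AppId={appId};TenantId={tenant};AppKey={appKey}";
            return new AzureServiceTokenProvider(connectionString);
        }

        return new AzureServiceTokenProvider();
    }

    // Drop-in replacement for the two `new ...` lines in the original ConfigureAppConfiguration.
    public static KeyVaultClient CreateClient()
    {
        var provider = CreateTokenProvider();
        return new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback));
    }
}
```

In Program.cs the `builder.AddAzureKeyVault(...)` call then takes `KeyVaultAuth.CreateClient()` in place of the hand-built `keyVaultClient`.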

All replies

  • As mentioned in this document, Managed Service Identity, the managed service identity only works inside the Azure environment, and only in the App Service deployment in which you configured it. Note that managed service identities do not work with App Service deployment slots at this time.

    Check out this discussion thread for more details.

    Also, you may wish to check these documents for more details on this topic:

    Set up staging environments in Azure App Service

    How to use Azure Managed Service Identity in App Service 

    Friday, July 27, 2018 6:17 AM
    Owner
  • When you clone configuration from another deployment slot, the cloned configuration is editable. Some configuration elements will follow the content across a swap (not slot specific) while other configuration elements will stay in the same slot after a swap (slot specific). Currently, the managed service identities do not work with App Service deployment slots (sticky).


    Glad to know the test slot is working with the new code. Do let us know if you need any further assistance on this specific topic.

    Saturday, July 28, 2018 7:27 AM
    Owner
  • Hi Ajay Kumar... I'm also facing a similar kind of issue. In my service I am trying to get data from Azure Active Directory using the Graph API, with the client id, secret key and tenant id all specified in the web.config file. But when I tried to implement Key Vault for my service, I ended up with an exception. Below is the exception:

    Exception Message: Tried the following 4 methods to get an access token, but none of them worked. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.Parameters: 

    using System.Configuration;
    using System.Threading.Tasks;
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.Services.AppAuthentication;

    public class UserKeyVaultHelper
    {
        // This method retrieves the secret from Netsuite Key Vault.
        public async Task<string> GetCredentialsFromAzureNetsuiteKeyVault(string keySecret)
        {
            // Same token chain as the original post: MSI, then Visual Studio, then Azure CLI.
            var azureServiceTokenProvider = new AzureServiceTokenProvider();

            var keyVaultClient = new KeyVaultClient(
                new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

            // The vault base URL is read from web.config and the secret name appended to it.
            var secret = await keyVaultClient
                .GetSecretAsync(ConfigurationManager.AppSettings["UserdataKeyVault"] + keySecret)
                .ConfigureAwait(false);

            return secret.Value;
        }
    }

    I'm getting the error while retrieving the values from key vault.

    Thanks In Advance 

    Hari Ankasala

    Tuesday, March 12, 2019 9:40 PM
  • @Hari, could you please confirm whether you're leveraging Key Vault with Azure App Service deployment slots? If yes, as mentioned, currently managed service identities do not work with App Service deployment slots. Otherwise, please re-post the question on the Azure Key Vault forum to receive expert insights from the right set of audience.

    Friday, March 15, 2019 6:47 PM
    Owner