Azure Identity => ERROR in getToken() call for scopes []: Managed Identity authentication is not available.

[yashpalslathia21]

I am using using azure-identity library with version 1.12.0.
I have followed all the steps to enabled workload-identity as mentioned in https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster.
Following is the snippet of code I am using -

DefaultAzureCredential managedIdentityCredentialUserAssigned = new DefaultAzureCredentialBuilder()
.managedIdentityClientId("bd947a20-baf1-4009-ab9a-c8aa361527a6").build();

    AccessToken accessToken = managedIdentityCredentialUserAssigned
            .getToken(new TokenRequestContext().setTenantId(tenantId)).block();
    String token = accessToken.getToken();
    logger.info("token : {}", token);

Here bd947a20-baf1-4009-ab9a-c8aa361527a6 is clientId corresponding to the managed Identity.
managedIdentityCredentialUserAssigned.getToken() is throwing following error -

2024-05-09 06:07:41.760 [main] [DEBUG] com.azure.core.implementation.ReflectionUtils - Attempting to use java.lang.invoke package to handle reflection.
2024-05-09 06:07:41.763 [main] [DEBUG] com.azure.core.implementation.ReflectionUtils - Successfully used java.lang.invoke package to handle reflection.
2024-05-09 06:07:41.771 [main] [DEBUG] com.azure.identity.EnvironmentCredential - Azure Identity => Found the following environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID
2024-05-09 06:07:41.772 [main] [DEBUG] com.azure.identity.EnvironmentCredential - Azure Identity => ERROR in EnvironmentCredential: Failed to create a ClientSecretCredential or ClientCertificateCredential. Missing required environment variable either AZURE_CLIENT_SECRET or AZURE_CLIENT_CERTIFICATE_PATH
2024-05-09 06:07:41.773 [main] [DEBUG] com.azure.identity.EnvironmentCredential - Azure Identity => ERROR in EnvironmentCredential: Failed to determine an authentication scheme based on the available environment variables. Please specify AZURE_TENANT_ID and AZURE_CLIENT_SECRET to authenticate through a ClientSecretCredential; AZURE_TENANT_ID and AZURE_CLIENT_CERTIFICATE_PATH to authenticate through a ClientCertificateCredential; or AZURE_USERNAME and AZURE_PASSWORD to authenticate through a UserPasswordCredential.
2024-05-09 06:07:41.909 [main] [DEBUG] com.azure.identity.ManagedIdentityCredential - Azure Identity => Found the following environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID
2024-05-09 06:07:41.910 [main] [DEBUG] com.azure.identity.SharedTokenCacheCredential - Azure Identity => Found the following environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID

[DEBUG] com.azure.identity.ManagedIdentityCredential - Azure Identity => ERROR in getToken() call for scopes []: Managed Identity authentication is not available.
2024-05-09 06:07:42.012 [main] [INFO] com.azure.identity.ChainedTokenCredential - Azure Identity => Attempted credential EnvironmentCredential is unavailable.
2024-05-09 06:07:42.038 [main] [DEBUG] com.azure.core.implementation.util.Providers - Using com.azure.core.http.netty.NettyAsyncHttpClientProvider as the default com.azure.core.http.HttpClientProvider.
2024-05-09 06:07:42.117 [main] [WARN] com.azure.core.http.netty.implementation.Utility - The following Netty dependencies have versions that do not match the versions specified in the azure-core-http-netty pom.xml file. This may result in unexpected behavior. If your application runs without issue this message can be ignored, otherwise please update the Netty dependencies to match the versions specified in the pom.xml file. Versions found in runtime: 'io.netty:netty-codec' version: 4.1.100.Final (expected: 4.1.101.Final)
2024-05-09 06:07:43.361 [ForkJoinPool.commonPool-worker-1] [INFO] com.azure.identity.ChainedTokenCredential - Azure Identity => Attempted credential WorkloadIdentityCredential is unavailable.
2024-05-09 06:07:43.370 [ForkJoinPool.commonPool-worker-1] [DEBUG] com.azure.identity.ManagedIdentityCredential - Azure Identity => ERROR in getToken() call for scopes []: Managed Identity authentication is not available.
2024-05-09 06:07:43.370 [ForkJoinPool.commonPool-worker-1] [INFO] com.azure.identity.ChainedTokenCredential - Azure Identity => Attempted credential ManagedIdentityCredential is unavailable.
2024-05-09 06:07:43.375 [ForkJoinPool.commonPool-worker-2] [DEBUG] com.azure.identity.implementation.IdentityClient - SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.

[github-actions]

@billwert @g2vinay

[github-actions]

Thank you for your feedback. Tagging and routing to the team member best able to assist.

[yashpalslathia21]

Changed the code like this -
TokenCredential managedIdentityCredential = (new ManagedIdentityCredentialBuilder()).clientId(clientId)
.build();
String accessToken = ((AccessToken) managedIdentityCredential.getToken((new TokenRequestContext())
.addScopes(new String[] { "https:///.default" })).block())
.getToken();

Still getting error like this -
2024-05-09 12:21:05.499 [ForkJoinPool.commonPool-worker-1] [ERROR] com.azure.identity.ManagedIdentityCredential - Azure Identity => ERROR in getToken() call for scopes [https:///.default]: Managed Identity authentication is not available.

Can you pls confirm if this is a bug in the SDK that needs to be fixed. Is there an alternate way to fetch AAD Token for workload identity?

[yashpalslathia21]

At the moment, this is blocking me to implement workload identity.

[billwert]

Hello! Can you help me understand the scenario? Generally these credentials are used in the context of one of our service clients (such as KeyVaultClient.) Is that also failing, and you are simplifying the repro here? Can you try a scope like https://vault.azure.net or https://management.azure.com?

[yashpalslathia21]

Hi, I need to use the workload identity flow with Azure database for MySQL single server. I don't need to use the vault as it is not a requirement for us. I have followed the steps as listed in this microsoft documentation https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster . Following is the code I am using to fetch AAD token - Map<String, String> env = System.*getenv*(); String tenantId = env.get("AZURE_TENANT_ID"); String clientId = env.get("AZURE_CLIENT_ID"); String tokenFile = env.get("AZURE_FEDERATED_TOKEN_FILE"); TokenCredential managedIdentityCredential = (new ManagedIdentityCredentialBuilder()).clientId(clientId) .build(); String accessToken = ((AccessToken) managedIdentityCredential .getToken((new TokenRequestContext()).addScopes(new String[] { "https://ssp-demo-db8.mysql.database.azure.com/.default" })). block()).getToken(); But when I am running this code as K8S pod, I am getting this error - 2024-05-10 07:44:08.990 [main] [DEBUG] com.azure.identity.ManagedIdentityCredential - Azure Identity => Found the following environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID 2024-05-10 07:44:09.131 [main] [DEBUG] com.azure.core.implementation.util.Providers - Using com.azure.core.http.netty.NettyAsyncHttpClientProvider as the default com.azure.core.http.HttpClientProvider. 2024-05-10 07:44:10.636 [ForkJoinPool.commonPool-worker-1] [ERROR] com.azure.identity.ManagedIdentityCredential - Azure Identity => ERROR in getToken() call for scopes [ https://ssp-demo-db8.mysql.database.azure.com/.default]: Managed Identity authentication is not available. CredentialUnavailableException: Managed Identity authentication is not available.}, [com.azure.identity.implementation.IdentityClient.lambda$authenticateWithManagedIdentityConfidentialClient$25(IdentityClient.java:563), reactor.core.publisher.Mono.lambda$onErrorMap$28(Mono.java:3783), reactor.core.publisher.FluxOnErrorResume$ResumeSubscriber.onError(FluxOnErrorResume.java:94), reactor.core.publisher.MonoFlatMap$FlatMapMain.secondError(MonoFlatMap.java:241), reactor.core.publisher.MonoFlatMap$FlatMapInner.onError(MonoFlatMap.java:315), reactor.core.publisher.MonoCompletionStage$MonoCompletionStageSubscription.apply(MonoCompletionStage.java:119), reactor.core.publisher.MonoCompletionStage$MonoCompletionStageSubscription.apply(MonoCompletionStage.java:71), java.base/java.util.concurrent.CompletableFuture.uniHandle(CompletableFuture.java:934), java.base/java.util.concurrent.CompletableFuture$UniHandle.tryFire(CompletableFuture.java:911), java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:510), java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1773), java.base/java.util.concurrent.CompletableFuture$AsyncSupply.exec(CompletableFuture.java:1760), java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:373), java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1182), java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1655), java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1622), java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:165)] Can you please help to correct or fix this issue as I have been blocked for the last 2 weeks? I have already opened an official case (Case *2405100030001925)* with Microsoft for this issue and there has been no progress till now. Regards, Yashpal

…

On Fri, May 24, 2024 at 4:17 AM Bill Wert ***@***.***> wrote: Hello! Can you help me understand the scenario? Generally these credentials are used in the context of one of our service clients (such as KeyVaultClient.) Is that also failing, and you are simplifying the repro here? Can you try a scope like https://vault.azure.net or https://management.azure.com? — Reply to this email directly, view it on GitHub <#40090 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ATLYJAXECR7LDQSGOWGSS6DZDZWYBAVCNFSM6AAAAABHOHTNZOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMRYGE2TMNRWGQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>