Key Vault extension for windows failure : multiple managed identities exist

Ricky Bansal 1 Reputation point
2021-09-12T05:53:17.44+00:00

Key Vault extension for windows fails with timeout and error :

MSI URL: http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&authority=https://login.windows.net/cdc5aeea-15c5-4db6-b079-fcadd2505dc2&resource=https://vault.azure.net
2021-09-02 11:11:55: <error> [MSIAuthClient] failed to retrieve MSI token from response: {"error":"invalid_request","error_description":"Multiple user assigned identities exist, please specify the clientId / resourceId of the identity in the token request"}

I have already specified the parameter msiClientId in the authenticationSettings field but it still fails with the same error.

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,113 questions
Azure Service Fabric
Azure Service Fabric
An Azure service that is used to develop microservices and orchestrate containers on Windows and Linux.
252 questions
Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,114 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,454 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. JamesTran-MSFT 36,366 Reputation points Microsoft Employee
    2021-09-14T23:37:45.527+00:00

    @Ricky Bansal
    Thank you for your post!

    When it comes to your error message, have you tried specifying the MSI using either msiClientId or msiObjectId for the extension: 

            "settings": {  
            "secretsManagementSettings": {  
                "pollingIntervalInS": "14400",  
                "certificateStoreName": "MY",  
                "linkOnRenewal": true,  
                "certificateStoreLocation": "LocalMachine",  
                "requireInitialSync": true,  
                "observedCertificates": [  
                    "<certificate url 1>",  
                    "<certificate url 2>"  
                ]  
            },  
            "authenticationSettings": {  
                "msiEndpoint": "http://169.254.169.254/metadata/identity",  
                "msiClientId": "<msi ClientId> e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619""  
            }  
        }

    For more info - KV extension for windows doesn't work well if multiple MSI assigned

    Additional Links:
    Key Vault virtual machine extension for Windows
    How to use managed identities for Azure resources on an Azure VM to acquire an access token
    Multiple user assigned identities exist, please specify the clientId / resourceId of the identity in the token request
    Multiple assigned identities issue

    If you have any other questions or are still running into this issue, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    0 comments