MSI on App Services suddenly not working for App Service slot

Brandon L 1 Reputation point
2022-12-08T20:07:18.373+00:00

Hello,

We've been using Managed Identities with our App Service for some time. However, suddenly, the staging slot in our app service can no longer make successful MSI requests. This was discovered after we pushed some changes in our codebase.

Note: the changes were made around a service that uses Azure Storage. MSI function wasn't touched, but for Azure Host detected environments this is the MSI code that runs.

   ...
   var credential = new ChainedTokenCredential(
       new ManagedIdentityCredential(settings.UserAssignedId),
       new AzureCliCredential());

   var queues = new QueueTuple
   {
       Normal = new QueueClient(normalQueueUri, credential, options),
       Poison = new QueueClient(poisonQueueUri, credential, options)
   };
   ...

Here is the error message captured in our logs:

ManagedIdentityCredential authentication failed: Service request failed.
Status: 400 (Bad Request)

We can see that this endpoint URI http://127.0.0.1:41691/msi/token/?api-version=2019-08-01&resource=https%3A%2F%2Fstorage.azure.com failed to reach.

The environment variables MSI_ENDPOINT and MSI_SECRET are set.

We attempted to manually execute the request with the following PowerShell command:

   Invoke-WebRequest -Uri "$env:MSI_ENDPOINT`?api-version=2017-09-01&resource=https://storage.azure.com" -Method GET -Headers @{Metadata="true";Secret=$env:MSI_SECRET} -UseBasicParsing  

But we get the same 400 status code.

Another task we tried was disconnecting MSI and reconnecting it, but that didn't fix it.

Does anyone know what could be happening?

Azure App Service
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Ryan Hill 30,281 Reputation points Microsoft Employee Moderator
    2022-12-17T05:50:35.107+00:00

    Hi @Brandon L, apologies for the delayed response. If you're still having this issue, please try disabling the managed identity on the app service slot and re-enabling it. You will also have to add any role assignments back because this will be considered a new identity. If this doesn't resolve your issue, please do let me know with a comment down below.
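
A diagnostic example for the situation in this thread, added here and not code from the original poster or from Microsoft: it calls the slot's local token endpoint with the same api-version=2019-08-01 request the SDK logged, once for the system-assigned identity and once for a user-assigned one, and returns the status and the endpoint's error text without writing out the token. It assumes the console of the affected slot and the IDENTITY_ENDPOINT and IDENTITY_HEADER variables, X-IDENTITY-HEADER header and client_id parameter of the App Service managed identity protocol; the function name Get-MsiTokenProbe and the client ID placeholder are hypothetical.

```powershell
# Added diagnostic example; run in the console of the affected slot.
function Get-MsiTokenProbe {
    param(
        [string]$Resource = 'https://storage.azure.com',
        [string]$ClientId   # empty means: ask for the system-assigned identity
    )
    if (-not $env:IDENTITY_ENDPOINT -or -not $env:IDENTITY_HEADER) {
        throw 'IDENTITY_ENDPOINT / IDENTITY_HEADER are not set in this process.'
    }
    $uri = '{0}?api-version=2019-08-01&resource={1}' -f $env:IDENTITY_ENDPOINT, [uri]::EscapeDataString($Resource)
    $label = 'system-assigned'
    if ($ClientId) {
        $uri += '&client_id=' + [uri]::EscapeDataString($ClientId)
        $label = "user-assigned $ClientId"
    }
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
        $token = $resp.Content | ConvertFrom-Json
        # Report metadata only; the access token itself is never written out.
        $status = [int]$resp.StatusCode
        $detail = "token issued for client_id=$($token.client_id), expires_on=$($token.expires_on)"
    }
    catch {
        $failed = $_.Exception.Response
        $status = if ($failed) { [int]$failed.StatusCode } else { $null }
        $detail = $_.ErrorDetails.Message
        if (-not $detail -and $failed -is [System.Net.HttpWebResponse]) {
            # Windows PowerShell 5.1: read the error body from the response stream.
            $stream = $failed.GetResponseStream()
            if ($stream.CanSeek) { $stream.Position = 0 }
            $detail = (New-Object System.IO.StreamReader($stream)).ReadToEnd()
        }
        if (-not $detail) { $detail = $_.Exception.Message }
    }
    [pscustomobject]@{ Identity = $label; Status = $status; Detail = $detail }
}

# Probe both identity types; replace the placeholder with the client ID
# the application passes to ManagedIdentityCredential.
Get-MsiTokenProbe
Get-MsiTokenProbe -ClientId '<user-assigned-client-id>'
```

Comparing the two results shows which identity the slot can actually obtain a token for, and the Detail field carries the endpoint's own error text for a 400 response.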

