
Getting warning as "Cannot create any credentials with the current environment variables in azure portal", in azure webapp while connecting to keyvault.

2023-10-11T17:54:15.9333333+00:00

I have a web app A (Java) hosted on Azure. It's trying to connect to Key Vault to fetch the secrets. I'm using a system-assigned managed identity (enabled for A) and I've added A to the access policy of the Key Vault. In my code for A I'm using DefaultAzureCredential() to connect to Key Vault, and I'm getting the warning below (severity: error), but I am able to fetch the secrets.

"Cannot create any credentials with the current environment variables in azure portal".

Upon checking, I found that DefaultAzureCredential() first checks environment variables; if that fails, it goes for managed identity.

Let me know if my understanding is correct. Also, what code changes should I make so that it can skip checking environment variables and go directly for managed identity?

Thanks!


1 answer

  1. Marilee Turscak-MSFT 37,396 Reputation points Microsoft Employee Moderator
    2023-10-12T22:59:51.4133333+00:00

    Hi @Vaddiparthi Venkata Srivatsha ,

    Yes, the DefaultAzureCredential gets the token based on the environment the application is running in. If you receive the "CredentialUnavailableException", it generally means that the environment variables are not configured or the tenant ID isn't being checked.

    Like you said, the default credential chain starts with the EnvironmentCredential and then moves on to the ManagedIdentityCredential. If you want to skip the EnvironmentCredential, you can set ExcludeEnvironmentCredential = true as documented here:

    https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredentialoptions.excludeenvironmentcredential?view=azure-dotnet

    Then you can make sure the Managed Identity environment variables are set correctly: How to use managed identities for App Service and Azure Functions

    Let me know if this is what you are looking for and if you have further questions.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information. Otherwise let me know if you have further questions.
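For the Java app in the question, one way to skip the environment-variable check is to build the credential explicitly rather than walking the default chain, which also keeps the app from silently picking up a service-principal secret left in its settings. This is an added example, not code from the original posts. It assumes the azure-identity and azure-security-keyvault-secrets libraries; the vault URL, secret name and class name are placeholders.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.AzureCliCredentialBuilder;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

public class KeyVaultWithManagedIdentity {

    // Placeholders (assumptions): replace with your own vault and secret name.
    private static final String VAULT_URL = "https://<your-vault-name>.vault.azure.net";
    private static final String SECRET_NAME = "<your-secret-name>";

    // App Service injects IDENTITY_ENDPOINT and IDENTITY_HEADER into the
    // process when a managed identity is enabled for the app.
    static boolean managedIdentityAvailable() {
        return System.getenv("IDENTITY_ENDPOINT") != null
                && System.getenv("IDENTITY_HEADER") != null;
    }

    // Pick exactly one credential instead of the default chain, so
    // EnvironmentCredential is never attempted and never logs its failure.
    static TokenCredential buildCredential() {
        if (managedIdentityAvailable()) {
            // System-assigned identity: no client ID has to be supplied.
            return new ManagedIdentityCredentialBuilder().build();
        }
        // Local development only: reuse the developer's `az login` session.
        return new AzureCliCredentialBuilder().build();
    }

    public static void main(String[] args) {
        SecretClient client = new SecretClientBuilder()
                .vaultUrl(VAULT_URL)
                .credential(buildCredential())
                .buildClient();

        String value = client.getSecret(SECRET_NAME).getValue();

        // Log only that the call succeeded, never the secret value itself.
        System.out.println("Fetched secret '" + SECRET_NAME + "' ("
                + value.length() + " characters)");
    }
}
```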
