Using DefaultAzureCredentials on console app in development environment

Question

Using DefaultAzureCredentials on console app in development environment

Espen Johannessen 76

We are having issues when developing code that uses the DefaultAzureCredential class when connecting to storage account blobs among other Azure services from our local machines.

It works fine when deployed to Azure, but on our local machines in our development environment a call like this...

BlobServiceClient blobServiceClient = new BlobServiceClient(new Uri(storageAccountUrl), new DefaultAzureCredential());

...just hangs and eventually does a timeout with an exception saying

{"ManagedIdentityCredential authentication failed."} with an 504 error

I know this credential uses a prioritized "pecking order" to try different credentials (https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme), so we tried disabling the two first in the chain. This made things work and we were able to login:

var credentialOptions = new DefaultAzureCredentialOptions();  
if (ConfigurationManager.AppSettings["IsDevelopmentEnvironment"].Equals("true"))  
{  
        credentialOptions.ExcludeEnvironmentCredential = true;  
        credentialOptions.ExcludeManagedIdentityCredential = true;  
 }  
  
 BlobServiceClient blobServiceClient = new BlobServiceClient(new Uri(storageAccountUrl), new DefaultAzureCredential(credentialOptions));

But we should not need to have code like this, and this will prevent the app from working in Azure. This contradicts the whole point of this class.

Does anyone have insight into how we can make this work more seamless in our development environment?

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,536 Reputation points Moderator

2020-11-17T17:04:57.693+00:00

Hello @Espen Johannessen , please collect a fiddler trace to see what endpoint is timing out and share it here.
Steve Down 1 Reputation point

2021-08-28T17:23:21.213+00:00

Are there any updates to this question? I'm encountering it now, some 8 months later.

1 answer

Your answer

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,536 Reputation points Moderator

2020-11-17T17:04:57.693+00:00

Hello @Espen Johannessen , please collect a fiddler trace to see what endpoint is timing out and share it here.
Steve Down 1 Reputation point

2021-08-28T17:23:21.213+00:00

Are there any updates to this question? I'm encountering it now, some 8 months later.

Answer 1

Espen Johannessen 76

anonymous user-msft I see in Fiddler that there are four requests like the one described under going before the code gives up and gives an exception:

GET /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fxxx-xxxx-xxxxx.azconfig.io HTTP/1.1
Metadata: true
x-ms-client-request-id: 6700f178-af2e-4792-9a2f-5f43c382c216
x-ms-return-client-request-id: true
User-Agent: azsdk-net-Identity/1.1.1 (.NET Framework 4.8.4250.0; Microsoft Windows 10.0.19041 )
Request-Id: |ce277704-41db6514f91cf479.
Host: 169.254.169.254
Connection: Keep-Alive

The reponse is:

<html><head><title>504 Gateway Timeout</title></head>
<body><h1>Gateway Timeout</h1>
<p>Server error - server 169.254.169.254 is unreachable at this moment.<br><br>Please retry the request or contact your administrator.<br></p>
<!--Zscaler/6.0--></body></html>

When running the code with the workaround explained above I only see calls to login.microsoft.com.

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,536 Reputation points Moderator

2020-11-20T15:21:41.933+00:00

@Espen Johannessen what resource is your code running on? Has managed identity being enabled?
Espen Johannessen 76 Reputation points

2020-11-22T16:37:42.97+00:00
My code is running on a .NET 4.8 console app as a webjob.

if I use:

new ManagedIdentityCredential("xxxxxxxx-xxxx-xxxxx-xxxx-xxxxxxxxxxx")

....when creating the blob client everything works fine in Azure (but ofc not in dev locally). The call above then contains the clientid of the managed identity that the app service is configured with under Identity -> User Assigned. This identity of course has access to blob storage and other resources is accesses.

I see there is some option to define ChainedTokenCredentials. I can try if this works better.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,536 Reputation points Moderator

2020-11-23T00:12:34.613+00:00

Have you tried with the parameterless constructor? new ManagedIdentityCredential(). This should not have anything to do with the 504 but just in case. In the meantime I will reach the product team and ask them about what may be causing this.
Espen Johannessen 76 Reputation points

2020-12-03T11:38:37.557+00:00

Yes, I have tried this. Both in local environment and as webjob in Azure. I have to sepecify the manged identity-id to make it work in web jobs new ManagedIdentityCredential("xxxxxxxx-xxxx-xxxxx-xxxx-xxxxxxxxxxx").

I have also tried ChainedTokenCredentaial, specifiying the order if first trying ManagedIdentityCredential and then VisualStudioCredential but the same error occurs.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,536 Reputation points Moderator

2020-12-03T18:23:48.8+00:00

Hi @Espen Johannessen , apologies for the delay we're still routing this to the proper team. Once I've an update I will come back to you.

Share via

Using DefaultAzureCredentials on console app in development environment

1 answer

Your answer