How to implement Managed identity in Azure Windows Containers

Pavel Reynoso 0 Reputation points Microsoft Employee
2024-04-22T23:07:21.51+00:00

Hello,

I'm trying to implement Managed Identity on a Windows container instance, but it does not seem to be working since it is not taking the default credentials. Based on this documentation, a Windows container is able to manage managed identities, unless it is specified somewhere else that it cannot.

I'm sharing here also the commands I used.

```
az container create --resource-group Azure-Resources --name mycontainer-windows --image mirepo.images.com/test-mi:latest --cpu 1 --memory 1.5 --os-type Windows --assign-identity /subscriptions/12345/resourcegroups/Azure-Resources/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACIId --registry-username repouser --registry-password 12345example
```

I'm using the Python SDK to pull a secret from Key Vault using DefaultCredentials():

```python
import os
import time

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# Replace with your actual Key Vault name
# keyVaultName = os.environ["KEY_VAULT_NAME"]
keyVaultName = "test-kv-mi"

KVUri = f"https://{keyVaultName}.vault.azure.net"

# Create a DefaultAzureCredential to authenticate
credential = DefaultAzureCredential()

# Initialize the SecretClient
client = SecretClient(vault_url=KVUri, credential=credential)

# Specify the name of the secret you want to retrieve
secretName = "sp-devops-test"

# Retrieve the secret
retrieved_secret = client.get_secret(secretName)

# The secret value is contained in retrieved_secret.value
print("Success here ----------------------------------------")
# print(retrieved_secret.value)

# Sleep for 10 minutes (600 seconds)
time.sleep(600)

print("Woke up after 10 minutes!")
```

But it is not taking the credentials, showing this error:

```
DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
    EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
    ManagedIdentityCredential: (DefaultIdentityNotDefined) DefaultIdentityNotDefined
Code: DefaultIdentityNotDefined
Message: DefaultIdentityNotDefined
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
```

When I execute the same code using a Linux container, it is able to pull my secret using managed identities correctly.

Can you please help with how to correctly implement managed identities on Windows containers?

Regards

Azure Container Instances

1 answer

  1. vipullag-MSFT 24,881 Reputation points
    2024-04-23T14:18:00.5566667+00:00

    Hello Pavel Reynoso

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    You should also use "from azure.keyvault.secrets import SecretClient" and then initialize the default Azure credentials.

    Define the Key Vault URL, create a secret and give it a name, then get the secret value.

    Then run the script in a Windows container environment where MI is enabled; also ensure the container has Key Vault access to get secrets from it.

    Hope this helps.

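A standard-library probe for the thread above, added here as an example and not code from the question, the answer or the Azure SDK: it requests a Key Vault token from the managed identity endpoint directly, so a `DefaultIdentityNotDefined` failure can be separated from SDK configuration, and it reports only the outcome, never the token. The endpoint address and `api-version` assume the IMDS-style token endpoint is reachable from the container; the function names are hypothetical.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the container exposes the IMDS-style managed identity token endpoint.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def build_token_request(resource=KEY_VAULT_RESOURCE, client_id=None):
    """Build the token request; client_id selects a user-assigned identity."""
    params = {"api-version": "2018-02-01", "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"Metadata": "true"})


def summarize_response(status, body):
    """Reduce an endpoint response to loggable facts; the token is never returned."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return {"status": status, "ok": False, "error": "non-JSON body"}
    if status == 200 and "access_token" in doc:
        return {"status": status, "ok": True, "expires_on": doc.get("expires_on")}
    err = doc.get("error")
    if isinstance(err, dict):  # nested {"error": {"code": ..., "message": ...}} shape
        return {"status": status, "ok": False, "error": err.get("code")}
    return {"status": status, "ok": False, "error": err}


def probe(client_id=None, timeout=5):
    """Call the endpoint from inside the container and summarize the outcome."""
    request = build_token_request(client_id=client_id)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return summarize_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:  # endpoint answered with an error status
        return summarize_response(exc.code, exc.read())
    except OSError as exc:  # URLError and timeouts: endpoint not reachable at all
        return {"status": None, "ok": False, "error": f"unreachable: {exc}"}


if __name__ == "__main__":
    # AZURE_CLIENT_ID is the variable DefaultAzureCredential reads for a user-assigned identity.
    print(probe(client_id=os.environ.get("AZURE_CLIENT_ID")))
```

Run it inside both the Linux and the Windows container group: an `ok` result on one and an error or `unreachable` on the other points at the platform's identity endpoint rather than at the Python code.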