Can Azure Container Instance access identity metadata endpoint /medata/identity?

Reuben Cummings 50 Reputation points
2024-06-13T12:41:00.36+00:00

When trying to obtain a Microsoft auth token from within an Azure Container Instance using the /medata/identity endpoint, I get the following error.

ManagedIdentityCredential: Get \"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fdatabase.windows.net\": dial tcp 169.254.169.254:80: i/o timeout"

Is there any way around this?

Azure Container Instances
Azure Container Instances
An Azure service that provides customers with a serverless container experience.
672 questions
0 comments No comments
{count} votes

Accepted answer
  1. Nikhil Duserla 970 Reputation points Microsoft Vendor
    2024-06-13T17:30:48.2533333+00:00

    Hi Reuben Cummings ,

    Thank you for reaching out to us on Microsoft Q&A forum.

    Based on the details you've given; it seems you're encountering a problem when attempting to acquire a Microsoft authentication token within an Azure Container instance through the /medata/identity endpoint.

    Please ensure that the managed identity is enabled; if not, configure it on the Azure resource that you have created.

    Use this command to obtain a Microsoft auth token:

    curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s

    Output for this:

    {"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVUhIMCIsImtpZCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVUhIMCJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuY29yZS53aW5kb3dzLm5ldC8iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8yMGI5NTcyYy1jNDg4LTQ3YzItYjg4YS05YTk0OTE3ODdkMGEvIiwiaWF0IjoxNzE4Mjk2NjkxLCJuYmYiOjE3MTgyOTY2OTEsImV4cCI6MTcxODMwMDg1MywiYWNyIjoiMSIsImFpbyI6IkFWUUFxLzhXQUFBQS9nd2dkdFRSYlRPSWNqNVc1REZ3c1IvYTdOWERBcHpjU2NyOGRNVXJUWjJyK2ZsWStmNUhUT0kwekQ0QjJoSVFMMzJ0NlMxeWtSQzJCMVdaS0NTSXNCNHZ6M2EwbEtTdmJmQlNYM3lvL3NVPSIsImFtciI6WyJwd2QiLCJyc2EiLCJtZmEiXSwiYXBwaWQiOiJiNjc3YzI5MC1jZjRiLTRhOGUtYTYwZS05MWJhNjUwYTRhYmUiLCJhcHBpZGFjciI6IjAiLCJkZXZpY2VpZCI6ImM5MzMwNzc3LWExM2YtNGExNi1hZjBmLWEzYzQ5ZjBmNGJiOCIsImdyb3VwcyI6WyIzY2NjNDc4NS1iMzBkLTQ3YzktYjYyYS1jNGYyNmUzZTA1NzEiXSwiaWR0eXAiOiJ1c2VyIiwiaXBhZGRyIjoiMjQwNjpiNDAwOmI1Ojk2OWU6NjVlNTo0OGNlOjJkMWM6YjllMiIsIm5hbWUiOiJtZW5ha2EiLCJvaWQiOiIzOWUyMTM5ZS00MzIyLTRiM2EtYmJmYS0zNDdjMjUwNzVmMmIiLCJwdWlkIjoiMTAwMzIwMDM5MTBGNEZBQSIsInJoIjoiMC5BY1lBTEZlNUlJakV3a2U0aXBxVWtYaDlDa1pJZjNrQXV0ZFB1a1Bhd2ZqMk1CUEdBR2cuIiwic2NwIjoidXNlcl9pbXBlcnNvbmF0aW9uIiwic3ViIjoiODhFM3VwcjE2T2FRQVdYYkVzNExYZklmcFMybHpvS3l2MmlMMkZHVUZwUSIsInRpZCI6IjIwYjk1NzJjLWM0ODgtNDdjMi1iODhhLTlhOTQ5MTc4N2QwYSIsInVuaXF1ZV9uYW1lIjoibWVuYWthQHNyaWxla3lhOTYxN2dtYWlsLm9ubWljcm9zb2Z0LmNvbSIsInVwbiI6Im1lbmFrYUBzcmlsZWt5YTk2MTdnbWFpbC5vbm1pY3Jvc29mdC5jb20iLCJ1dGkiOiJEMVhyTEo0ZnRVMmlJLVF1TWtkS0FBIiwidmVyIjoiMS4wIiwid2lkcyI6WyI2MmU5MDM5NC02OWY1LTQyMzctOTE5MC0wMTIxNzcxNDVlMTAiLCJiNzlmYmY0ZC0zZWY5LTQ2ODktODE0My03NmIxOTRlODU1MDkiXSwieG1zX3RjZHQiOjE3MTYxNzc3ODZ9.VuD8UfEh6UN-8sHRH69-ffycGAYyy-C4Qq979AHxdWo9pix0PZOkS3EoM5FCIYdB5Am6TI-3Qssl-QXaSDlZcnO1iXA3Yf5pDlQc-MeV0fRFblNfDhwuaXV5vQDBe0aZdRd0gXA2nAxmM_ZydrKOma82HiVDeTPSZAfPaR9ubH-5bBcT6FSwU1HqXYbDnuBB8fGKgQHnbIcGnMbWdzcDBryOkq7t7HZLoCsgnEJCafAzgqAARlCkcwHgG5AXaSpZtEd8BrW9EZNU98mVG2U0-nS5vd_TjmIWMtFN6LyGLOKMUx8KaCZ22MN0PTLgGaXimSxY86nFHvgrBeZEjNXUmg","refresh_token":"","expires_in":"1348","expires_on":"1718300853","not_before":"1718296691","resource":"https://management.core.windows.net/","token_type"User's image

    If you have any further queries, do let us know.

    If the answer is helpful, please click "Accept Answer" and "Upvote it."

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Reuben Cummings 50 Reputation points
    2024-06-14T18:16:54.3166667+00:00

    Turns out it was due to the ACI lacking a managed identity. I assigned a system identity and that resolved it.

    0 comments No comments