Node.js app on Azure App Service fails to fetch secrets from Azure Key Vault: "No MSI credential available"

Question

I'm encountering an issue with my Node.js application deployed on Azure App Service. The app is unable to fetch secrets from Azure Key Vault due to a credential error.

Environment:

Azure App Service (Linux) Node.js 20 LTS Azure Key Vault for storing secrets

Issue: When the application attempts to retrieve secrets from Key Vault, it fails with the following error:

Error in loadSecrets function: Error name: CredentialUnavailableError Error message: ManagedIdentityCredential: Authentication failed. Message ManagedIdentityCredential - No MSI credential available

Here's the relevant part of my server.js file:

const { DefaultAzureCredential } = require("@azure/identity"); const { SecretClient } = require("@azure/keyvault-secrets");

const keyVaultName = process.env.KEY_VAULT_NAME; const keyVaultUrl = https://${keyVaultName}.vault.azure.net;

async function loadSecrets() { try { require('dotenv').config();

console.log('Starting loadSecrets function'); console.log('NODE_ENV:', process.env.NODE_ENV); console.log('DATABASE_URL:', process.env.DATABASE_URL); console.log('KEY_VAULT_NAME:', process.env.KEY_VAULT_NAME);

if (process.env.NODE_ENV === 'production') { console.log('Production environment detected. Attempting to load secrets from Key Vault.');

console.log('Creating DefaultAzureCredential...'); const credential = new DefaultAzureCredential(); console.log('DefaultAzureCredential created successfully');

const keyVaultUrl = https://${process.env.KEY_VAULT_NAME}.vault.azure.net; console.log('Key Vault URL:', keyVaultUrl);

console.log('Creating SecretClient...'); const secretClient = new SecretClient(keyVaultUrl, credential); console.log('SecretClient created successfully');

console.log('Fetching secrets...'); process.env.CLAUDE_API_KEY = (await secretClient.getSecret('CLAUDE-API-KEY')).value; console.log('CLAUDE-API-KEY fetched successfully');

[other secret fetching operations] ...

console.log('All secrets loaded successfully from Key Vault'); else { console.log('Non-production environment. Skipping Key Vault secret loading.'); } catch (error) { console.error('Error in loadSecrets function:'); console.error('Error name:', error.name); console.error('Error message:', error.message); [additional error logging] ... throw error; } }

Load secrets before starting the server loadSecrets()

What I've Tried:

Verified that the system-assigned managed identity is enabled for the App Service. Checked that the App Service's managed identity has the necessary permissions (Get, List) for secrets in the Key Vault access policies. Confirmed that the KEY_VAULT_NAME environment variable is correctly set in the App Service configuration. Tried using DefaultAzureCredential instead of ManagedIdentityCredential. Verified that the secrets exist in Key Vault with the correct names.

Azure Configuration:

System-assigned managed identity is enabled for the App Service. The App Service has the "Key Vault Secrets User" role assigned in the Key Vault's Access Control (IAM). Key Vault is configured to use Azure role-based access control (RBAC).

Questions:

What could be causing the "No MSI credential available" error despite having the managed identity enabled? Are there any additional configurations or permissions I might be missing? How can I troubleshoot the managed identity authentication process? Are there any known issues with Node.js 20 LTS and the Azure Identity SDK that could be causing this? Is there a way to verify if the managed identity is correctly associated with the App Service at runtime?

Any help or insights would be greatly appreciated. Thank you!

I've been pulling my hair out trying to figure this out!