Use Managed Identity to Get Access Token for HTTP Request

Kaytee Flick 0 Microsoft Employee

Hello,

I need to acquire an access token to make an https request for an Azure web app using Synapse system managed identity.

Before switching to MI due to security requirements, I got the access token with this code

token= auth_context.acquire_token_with_client_credentials(resource, client_id, client_secret)

In databricks I am able to use this code with the databricks MI to get a token:

from azure.identity import DefaultAzureCredential, ManagedIdentityCredential
cred = ManagedIdentityCredential()
cred.get_token(resource)

However, this code returns an error when run in a Synapse note with MI enabled: User's image I also looking into using the mssparkutils.credentials.getToken(), but it is not available for this audience type.

What method is available to get an access token using MI for a webapp?

Thanks!

phemanth 11,455 Reputation points Microsoft Vendor

2024-08-12T15:58:03.78+00:00
@Kaytee Flick

Thanks for using MS Q&A platform and posting your query.

could you please do the below checks and confirm us
and provide some more details if possible, such as detailed error message

Check Network Configuration:

Network Security Groups (NSGs): Verify if any NSGs are blocking outbound traffic from the Synapse workspace to the IMDS endpoint. The IMDS endpoint typically uses port 169.254.169.254.

Firewalls: If your workspace is behind a firewall, ensure that it's allowing outbound access to the IMDS endpoint.

Verify VM Configuration:

Instance Metadata Service (IMDS) configuration: Ensure that IMDS is enabled and configured properly on the VM hosting the Synapse workspace.

Virtual Network (VNet) Integration: Confirm that the Synapse workspace is correctly integrated with the appropriate VNet.

Check for Temporary IMDS Issues:

Azure Status: Check the Azure service health dashboard for any reported issues related to the IMDS endpoint. https://azure.microsoft.com/en-us/status/

Retry: Sometimes, temporary network glitches can cause IMDS communication problems. Try restarting the Synapse workspace or retrying the code after a short delay.
phemanth 11,455 Reputation points Microsoft Vendor

2024-08-13T12:36:44.0066667+00:00

@Kaytee Flick We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
phemanth 11,455 Reputation points Microsoft Vendor

2024-08-14T18:03:12.3033333+00:00

@Kaytee Flick just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

1 answer

Vinodh247 24,001 Reputation points MVP

2024-08-08T10:00:13.1033333+00:00
Hi,

You can try to utilize the azure Identity library, which simplifies the process of obtaining tokens. This is the simple and straight forward for token acquisition.

Use the following Python code snippet to obtain an access token using the Managed Identity. Before that make sure 'azure-identity' is installed in your env.

from azure.identity import ManagedIdentityCredential from azure.core.credentials import AccessToken # Define the resource for which you need the token resource = "https://<your-web-app-name>.azurewebsites.net" # Create a Managed Identity Credential instance credential = ManagedIdentityCredential() # Acquire the token token: AccessToken = credential.get_token(resource) # Use the token for your HTTP requests access_token = token.token print(access_token)
Please sign in to rate this answer.
Kaytee Flick 0 Reputation points Microsoft Employee

2024-08-08T19:00:08.95+00:00

Unfortunately - this script does not work in a Synapse Notebook. Have you used that successfully in synapse?

ImdsCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint. ManagedIdentityCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.

Vinodh247 24,001 Reputation points MVP

2024-08-09T13:03:59.2133333+00:00

the 'ManagedIdentityCredential' is unable to authenticate due to a failure in communicating with the Instance metadata service (IMDS) endpoint. this issue is when using Managed Identities in azure environments, can you check your MI configuration?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Use Managed Identity to Get Access Token for HTTP Request

1 answer

Your answer