Azure App Service for containers Managed Identity "Secret header validation failed for request"

Xavier L 46 Reputation points
2022-08-09T15:45:24.817+00:00

Hello,

We recently added System assigned Managed Identity to our Linux hosted App Service for containers.
This Managed Identity is used to connect to our Azure SQL database and Key Vault.
This works well, but every time a new container image is deployed (via the Portal or Webhook) the MSI TokenService fails for about a minute, resulting in application failures.

Request for site my-webapp-for-containers failed secret validation. Expecting c2b90bxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, received dd30d8xx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Secret header validation failed for request on port 8081
Returning response for Site , Endpoint 172.16.0.3:8081, Port 8081, Path /msi/token, Method GET, Result = 403

As soon as the new container image is ready to serve requests, the token service is available again.

MSI logs:

2022-08-09T13:56:24.734748107Z mywebapp : [34185627-x] Incoming request on /msi/token?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01
2022-08-09T13:56:24.741092076Z mywebapp : [34185627-x] Request to TokenService: Endpoint 172.16.0.3:8081, Port 8081, Path /msi/token, Query ?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01, Method GET, UserAgent azsdk-js-identity/2.1.0 core-rest-pipeline/1.9.1 Node/v14.20.0 OS/(x64-Linux-5.4.0-1074-azure)
2022-08-09T13:56:24.751954596Z mywebapp : [34185627-x] Request to retrieve token received
2022-08-09T13:56:24.752790505Z mywebapp : [34185627-x] AadTokenCacheEntryRead. TenantId: xxxxx, ClientId: xxxxx, Resource: https://vault.azure.net, Expiration: 08/10/2022 13:45:13
2022-08-09T13:56:24.753402912Z mywebapp : [34185627-x] AAD Token Response Audit. Site mywebapp, ExpiresOn: 1660139113, Resource: https://vault.azure.net, TokenType: Bearer, ClientId: xxxxx
2022-08-09T13:56:24.753462612Z mywebapp : [34185627-x] Returning response for Site mywebapp, Endpoint 172.16.0.3:8081, Port 8081, Path /msi/token, Method GET, Result = 200

2022-08-09T13:56:33.573391767Z mywebapp : [000000000] Configuration update started. Site: mywebapp
2022-08-09T13:56:33.583333083Z mywebapp : [000000000] [SystemAssigned] Added Identity with ClientId: xxxxx
2022-08-09T13:56:33.890462975Z mywebapp : [000000000] Configuration update started. Site: mywebapp
2022-08-09T13:56:33.891252892Z mywebapp : [000000000] [SystemAssigned] Added Identity with ClientId: xxxxx

2022-08-09T13:56:40.443484502Z mywebapp : [b9b93d63-x] Incoming request on /msi/token?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01
2022-08-09T13:56:40.444627310Z mywebapp : [b9b93d63-x] Request to TokenService: Endpoint 172.16.0.3:8081, Port 8081, Path /msi/token, Query ?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01, Method GET, UserAgent azsdk-js-identity/2.1.0 core-rest-pipeline/1.9.1 Node/v14.20.0 OS/(x64-Linux-5.4.0-1074-azure)
2022-08-09T13:56:40.445751618Z mywebapp : [b9b93d63-x] Request for site mywebapp failed secret validation. Expecting c2b90bxx-xxxx-xxxx-xxxx-x, received dd30d8xx-xxxx-xxxx-xxxx-x
2022-08-09T13:56:40.472750010Z mywebapp : [b9b93d63-x] Secret header validation failed for request on port 8081
2022-08-09T13:56:40.649821473Z mywebapp : [b9b93d63-x] Returning response for Site , Endpoint 172.16.0.3:8081, Port 8081, Path /msi/token, Method GET, Result = 403
2022-08-09T13:57:19.811328657Z mywebapp : [5645b46d-x] Incoming request on /msi/token?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01
2022-08-09T13:57:19.812257967Z mywebapp : [5645b46d-x] Request to TokenService: Endpoint 172.16.0.3:8081, Port 8081, Path /msi/token, Query ?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01, Method GET, UserAgent azsdk-js-identity/2.1.0 core-rest-pipeline/1.9.1 Node/v14.20.0 OS/(x64-Linux-5.4.0-1074-azure)
2022-08-09T13:57:19.813176178Z mywebapp : [5645b46d-x] Request for site mywebapp failed secret validation. Expecting c2b90bxx-xxxx-xxxx-xxxx-x, received dd30d8xx-xxxx-xxxx-xxxx-x
2022-08-09T13:57:19.813196078Z mywebapp : [5645b46d-x] Secret header validation failed for request on port 8081
2022-08-09T13:57:19.813202278Z mywebapp : [5645b46d-x] Returning response for Site , Endpoint 172.16.0.3:8081, Port 8081, Path /msi/token, Method GET, Result = 403

2022-08-09T13:56:33.130061275Z Warning! Cannot copy to bundle: /usr/local/share/ca-certificates/azure
2022-08-09T13:56:33.871796868Z WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
2022-08-09T13:56:33.880435556Z WARNING: ca-cert-azure.pem does not contain exactly one certificate or CRL: skipping
2022-08-09T13:56:34.417600320Z Updated CA certificates
2022-08-09T13:56:47.943831735Z mywebapp : [000000000] Configuration update started. Site: mywebapp
2022-08-09T13:56:48.025757651Z mywebapp : [000000000] [SystemAssigned] Added Identity with ClientId: xxxxx
2022-08-09T13:56:48.046455356Z mywebapp : [000000000] Starting TokenService version 2.0.1.3 from /app with the LinuxDedicated SKU. Environment check: IsLinuxDedicated: True, IsLinuxConsumption: False, IsContainerApps: False, IsWindows: False.
2022-08-09T13:56:48.329133687Z Hosting environment: Production
2022-08-09T13:56:48.331515599Z Content root path: /app
2022-08-09T13:56:48.383934965Z Now listening on: http://[::]:8081
2022-08-09T13:56:48.383969865Z Application started. Press Ctrl+C to shut down.
2022-08-09T13:56:49.459989205Z mywebapp : [c3cb26e3-x] Incoming request on /healthcheck?api-version=2021-08-01
2022-08-09T13:56:49.463075020Z mywebapp : [c3cb26e3-x] Request to TokenService: Endpoint 172.16.0.6:8081, Port 8081, Path /healthcheck, Query ?api-version=2021-08-01, Method GET, UserAgent HealthCheck/1.0
2022-08-09T13:56:50.646766243Z mywebapp : [c3cb26e3-x] Returning response for Site , Endpoint 172.16.0.6:8081, Port 8081, Path /healthcheck, Method GET, Result = 200
2022-08-09T13:57:30.453751935Z mywebapp : [c13f55a5-x] Incoming request on /robots933456.txt
2022-08-09T13:57:30.499923900Z mywebapp : [c13f55a5-x] Request to TokenService: Endpoint 172.16.0.6:8081, Port 8081, Path /robots933456.txt, Query , Method GET, UserAgent HealthCheck/1.0
2022-08-09T13:57:30.500017001Z mywebapp : [c13f55a5-x] Returning response for Site , Endpoint 172.16.0.6:8081, Port 8081, Path /robots933456.txt, Method GET, Result = 404
2022-08-09T13:57:40.539461130Z mywebapp : [e4dc6085-x] Incoming request on /msi/token?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01
2022-08-09T13:57:40.540546737Z mywebapp : [e4dc6085-x] Request to TokenService: Endpoint 172.16.0.6:8081, Port 8081, Path /msi/token, Query ?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01, Method GET, UserAgent azsdk-js-identity/2.1.0 core-rest-pipeline/1.9.1 Node/v14.20.0 OS/(x64-Linux-5.4.0-1074-azure)
2022-08-09T13:57:40.760013925Z mywebapp : [e4dc6085-x] Request to retrieve token received
2022-08-09T13:57:42.936256562Z mywebapp : [e4dc6085-x] Requesting an AAD Token using ADAL for Authority: https://login.microsoftonline.com/xxxxx, Resource: https://vault.azure.net, ClientId: xxxxx
2022-08-09T13:57:43.754027812Z mywebapp : [e4dc6085-x] AadTokenCacheEntryAdded. TenantId: xxxxx, ClientId: xxxxx, Resource: https://vault.azure.net, Expiration: 08/10/2022 13:57:42
2022-08-09T13:57:43.764947481Z mywebapp : [e4dc6085-x] AAD Token Response Audit. Site mywebapp, ExpiresOn: 1660139862, Resource: https://vault.azure.net, TokenType: Bearer, ClientId: xxxxx
2022-08-09T13:57:43.932656137Z mywebapp : [e4dc6085-x] Returning response for Site mywebapp, Endpoint 172.16.0.6:8081, Port 8081, Path /msi/token, Method GET, Result = 200
2022-08-09T13:57:50.482848061Z mywebapp : [cd28e89e-x] Incoming request on /msi/token?resource=https%3A%2F%2Fdatabase.windows.net&api-version=2019-08-01
2022-08-09T13:57:50.536023393Z mywebapp : [cd28e89e-x] Request to TokenService: Endpoint 172.16.0.6:8081, Port 8081, Path /msi/token, Query ?resource=https%3A%2F%2Fdatabase.windows.net&api-version=2019-08-01, Method GET, UserAgent azsdk-js-identity/2.1.0 core-rest-pipeline/1.9.1 Node/v14.20.0 OS/(x64-Linux-5.4.0-1074-azure)
2022-08-09T13:57:50.536068993Z mywebapp : [cd28e89e-x] Request to retrieve token received
2022-08-09T13:57:50.536076493Z mywebapp : [cd28e89e-x] Requesting an AAD Token using ADAL for Authority: https://login.microsoftonline.com/xxxxx, Resource: https://database.windows.net, ClientId: xxxxx
2022-08-09T13:57:50.709470174Z mywebapp : [cd28e89e-x] AadTokenCacheEntryAdded. TenantId: xxxxx, ClientId: xxxxx, Resource: https://database.windows.net, Expiration: 08/10/2022 13:57:49
2022-08-09T13:57:50.726837882Z mywebapp : [cd28e89e-x] AAD Token Response Audit. Site mywebapp, ExpiresOn: 1660139869, Resource: https://database.windows.net, TokenType: Bearer, ClientId: xxxxx
2022-08-09T13:57:50.727656087Z mywebapp : [cd28e89e-x] Returning response for Site mywebapp, Endpoint 172.16.0.6:8081, Port 8081, Path /msi/token, Method GET, Result = 200

Docker logs:

2022-08-09T13:56:23.711Z INFO - Recycling container because of AppFrameworkVersionChange and appFrameworkVersion = xxxx.azurecr.io/mywebapp:main-v0.0.27
2022-08-09T13:56:50.921Z INFO - Pulling image: xxxx.azurecr.io/mywebapp:main-v0.0.27
2022-08-09T13:56:51.418Z INFO - main-v0.0.27 Pulling from mywebapp
.
.
.
2022-08-09T13:57:24.432Z INFO - xxxxxxxxxxx Pull complete
2022-08-09T13:57:24.681Z INFO - Digest: sha256:xxxxxxxxxxx
2022-08-09T13:57:24.912Z INFO - Status: Downloaded newer image for xxxx.azurecr.io/mywebapp:main-v0.0.27
2022-08-09T13:57:24.938Z INFO - Pull Image successful, Time taken: 0 Minutes and 33 Seconds
2022-08-09T13:57:25.259Z INFO - Starting container for site
2022-08-09T13:57:25.265Z INFO - docker run -d -p 6558:8080 --name mywebapp_1_f62859ee -e PORT=8080 -e WEBSITES_ENABLE_APP_SERVICE_STORAGE=false -e WEBSITE_SITE_NAME=mywebapp -e WEBSITE_AUTH_ENABLED=False -e WEBSITE_ROLE_INSTANCE_ID=0 -e WEBSITE_HOSTNAME=mywebapp.azurewebsites.net -e WEBSITE_INSTANCE_ID=xxxxxxxxxx -e HTTP_LOGGING_ENABLED=1 -e WEBSITE_USE_DIAGNOSTIC_SERVER=False xxxx.azurecr.io/mywebapp:main-v0.0.27

2022-08-09T13:57:30.383Z INFO - Initiating warmup request to container mywebapp_1_f62859ee_msiProxy for site mywebapp
2022-08-09T13:57:30.480Z INFO - Container mywebapp_1_f62859ee_msiProxy for site mywebapp initialized successfully and is ready to serve requests.
2022-08-09T13:57:30.482Z INFO - Initiating warmup request to container mywebapp_1_f62859ee for site mywebapp
2022-08-09T13:57:46.231Z INFO - Waiting for response to warmup request for container mywebapp_1_f62859ee. Elapsed time = 15.8582603 sec
2022-08-09T13:57:51.506Z INFO - Container mywebapp_1_f62859ee for site mywebapp initialized successfully and is ready to serve requests.

Any help is appreciated,
Kind regards
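
The following is an added example for readers debugging the same symptom; it is not code from the post, from @azure/identity or from App Service. It assumes the documented App Service managed-identity contract (the platform injects IDENTITY_ENDPOINT and IDENTITY_HEADER, and the app echoes the latter as the X-IDENTITY-HEADER request header with api-version=2019-08-01), which is what the SDK in the log's UserAgent does under the hood. It shows the raw request so the 403 can be reproduced by hand, classifies the proxy's reply (treating the 403 as retryable is this example's judgment, based on the post's observation that it clears once the new container is up, not documented behaviour), and parses TokenService log lines to measure the outage window and attribute each answer to a proxy endpoint. The sample log lines are abridged from the MSI log in the post, with the same masked identifiers.

```javascript
'use strict';
// Added example, not code from the original post, from @azure/identity or from App Service.
// Assumed contract (App Service managed identity, api-version 2019-08-01): the platform
// injects IDENTITY_ENDPOINT and IDENTITY_HEADER into the container and the app must
// send the latter back in an X-IDENTITY-HEADER request header.

// 1. The request the SDK builds for you, so the 403 in the post can be reproduced
//    by hand (for example with curl from an SSH session into the running container).
function buildMsiTokenRequest(resource, env = process.env) {
  const { IDENTITY_ENDPOINT: endpoint, IDENTITY_HEADER: secret } = env;
  if (!endpoint || !secret) {
    throw new Error('IDENTITY_ENDPOINT/IDENTITY_HEADER not set: not running under App Service managed identity');
  }
  const url = new URL(endpoint);
  url.searchParams.set('resource', resource);
  url.searchParams.set('api-version', '2019-08-01');
  return { method: 'GET', url: url.toString(), headers: { 'X-IDENTITY-HEADER': secret } };
}

// 2. Classify the proxy's reply. A 200 body carries access_token/expires_on
//    (expires_on is an epoch-seconds string, matching ExpiresOn in the log).
//    Treating 403 as retryable is this example's choice: the post shows it clearing
//    on its own once the new container serves requests, so back off and retry
//    instead of failing the user request outright.
function classifyMsiResponse(status, body) {
  if (status === 200) {
    const t = JSON.parse(body);
    return { ok: true, token: t.access_token, expiresOn: Number(t.expires_on), clientId: t.client_id };
  }
  return { ok: false, status, retryable: status === 403 || status >= 500 };
}

// 3. Parse TokenService log lines ("<ts> <site> : [<reqid>] <message>"), group them by
//    request id, and report the secret-validation 403s, which proxy endpoint answered
//    each /msi/token request, TokenService restarts, and how long the outage lasted.
const LINE_RE = /^(\S+)\s+\S+\s+:\s+\[([^\]]+)\]\s+(.*)$/;
const toMs = (ts) => Date.parse(ts.replace(/(\.\d{3})\d*Z$/, '$1Z')); // trim ns to ms for Date.parse

function parseTokenServiceLog(lines) {
  const byId = new Map();
  const restarts = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;                                   // docker / CA-bundle lines etc.
    const [, ts, id, msg] = m;
    if (msg.startsWith('Starting TokenService')) { restarts.push(ts); continue; }
    if (id === '000000000') continue;                   // configuration-update lines
    let r = byId.get(id);
    if (!r) byId.set(id, (r = { id, ts, path: null, endpoint: null, result: null, secretMismatch: false }));
    const path = /Incoming request on (\/[^\s?]*)/.exec(msg);
    if (path) r.path = path[1];
    const ep = /Endpoint (\d+(?:\.\d+){3}:\d+)/.exec(msg);
    if (ep) r.endpoint = ep[1];
    if (msg.includes('failed secret validation')) r.secretMismatch = true;
    const res = /Result = (\d+)/.exec(msg);
    if (res) r.result = Number(res[1]);
  }
  const tokenRequests = [...byId.values()]
    .filter((r) => r.path === '/msi/token')
    .sort((a, b) => toMs(a.ts) - toMs(b.ts));
  const failed = tokenRequests.filter((r) => r.result === 403 && r.secretMismatch);
  let outageMs = null;                                  // first 403 until the next 200
  if (failed.length > 0) {
    const start = toMs(failed[0].ts);
    const recovered = tokenRequests.find((r) => r.result === 200 && toMs(r.ts) > start);
    if (recovered) outageMs = toMs(recovered.ts) - start;
  }
  return { tokenRequests, failed, restarts, outageMs };
}

// Sample input: abridged from the MSI log in the post (identifiers masked there already).
const SAMPLE_LOG = [
  '2022-08-09T13:56:24.734748107Z mywebapp : [34185627-x] Incoming request on /msi/token?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01',
  '2022-08-09T13:56:24.753462612Z mywebapp : [34185627-x] Returning response for Site mywebapp, Endpoint 172.16.0.3:8081, Port 8081, Path /msi/token, Method GET, Result = 200',
  '2022-08-09T13:56:40.443484502Z mywebapp : [b9b93d63-x] Incoming request on /msi/token?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01',
  '2022-08-09T13:56:40.445751618Z mywebapp : [b9b93d63-x] Request for site mywebapp failed secret validation. Expecting c2b90bxx-xxxx-xxxx-xxxx-x, received dd30d8xx-xxxx-xxxx-xxxx-x',
  '2022-08-09T13:56:40.649821473Z mywebapp : [b9b93d63-x] Returning response for Site , Endpoint 172.16.0.3:8081, Port 8081, Path /msi/token, Method GET, Result = 403',
  '2022-08-09T13:56:48.046455356Z mywebapp : [000000000] Starting TokenService version 2.0.1.3 from /app with the LinuxDedicated SKU.',
  '2022-08-09T13:57:19.811328657Z mywebapp : [5645b46d-x] Incoming request on /msi/token?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01',
  '2022-08-09T13:57:19.813176178Z mywebapp : [5645b46d-x] Request for site mywebapp failed secret validation. Expecting c2b90bxx-xxxx-xxxx-xxxx-x, received dd30d8xx-xxxx-xxxx-xxxx-x',
  '2022-08-09T13:57:19.813202278Z mywebapp : [5645b46d-x] Returning response for Site , Endpoint 172.16.0.3:8081, Port 8081, Path /msi/token, Method GET, Result = 403',
  '2022-08-09T13:57:40.539461130Z mywebapp : [e4dc6085-x] Incoming request on /msi/token?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01',
  '2022-08-09T13:57:43.932656137Z mywebapp : [e4dc6085-x] Returning response for Site mywebapp, Endpoint 172.16.0.6:8081, Port 8081, Path /msi/token, Method GET, Result = 200',
];

const summary = parseTokenServiceLog(SAMPLE_LOG);
console.log(`token requests: ${summary.tokenRequests.length}, secret-validation 403s: ${summary.failed.length}, ` +
  `outage: ${summary.outageMs} ms, TokenService restarts at: ${summary.restarts.join(', ')}`);
for (const r of summary.tokenRequests) console.log(`${r.ts} ${r.id} ${r.endpoint} -> ${r.result}`);
```

Run against the abridged log, the parser reports two secret-validation 403s, all answered by the proxy at 172.16.0.3:8081, a TokenService restart between them, and recovery on a different endpoint (172.16.0.6:8081) about 60 seconds after the first failure, which matches the "about a minute" in the question. Feeding the same function a full Log Stream capture gives the same per-deploy window without reading the raw lines by hand.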


Accepted answer
    ajkuma 25,781 Reputation points Microsoft Employee
    2022-08-29T08:16:51.547+00:00

    To benefit the community members, posting our offline discussions.

    Our product team has identified a bug and the fix has been deployed to all the regions.

    We apologize for all the inconvenience with this. We appreciate your patience and cooperation!

    Thanks for reporting this issue -XavierL-0557 and MarkBowler-7155.

    2 people found this answer helpful.

0 additional answers
