We recently added System assigned Managed Identity to our Linux hosted App Service for containers.
This Managed Identity is used to connect to our Azure SQL database and Key Vault.
This works well, but every time a new container image is deployed (via the Portal or Webhook) the MSI TokenService fails for about a minute, resulting in application failures.
As soon as the new container image is ready to serve requests, the token service is available again.
2022-08-09T13:56:24.734748107Z mywebapp : [34185627-x] Incoming request on /msi/token?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01
2022-08-09T13:56:24.741092076Z mywebapp : [34185627-x] Request to TokenService: Endpoint 172.16.0.3:8081, Port 8081, Path /msi/token, Query ?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01, Method GET, UserAgent azsdk-js-identity/2.1.0 core-rest-pipeline/1.9.1 Node/v14.20.0 OS/(x64-Linux-5.4.0-1074-azure)
2022-08-09T13:56:24.751954596Z mywebapp : [34185627-x] Request to retrieve token received
2022-08-09T13:56:24.752790505Z mywebapp : [34185627-x] AadTokenCacheEntryRead. TenantId: xxxxx, ClientId: xxxxx, Resource: https://vault.azure.net, Expiration: 08/10/2022 13:45:13
2022-08-09T13:56:24.753402912Z mywebapp : [34185627-x] AAD Token Response Audit. Site mywebapp, ExpiresOn: 1660139113, Resource: https://vault.azure.net, TokenType: Bearer, ClientId: xxxxx
2022-08-09T13:56:24.753462612Z mywebapp : [34185627-x] Returning response for Site mywebapp, Endpoint 172.16.0.3:8081, Port 8081, Path /msi/token, Method GET, Result = 200
2022-08-09T13:56:33.573391767Z mywebapp : [000000000] Configuration update started. Site: mywebapp
2022-08-09T13:56:33.583333083Z mywebapp : [000000000] [SystemAssigned] Added Identity with ClientId: xxxxx
2022-08-09T13:56:33.890462975Z mywebapp : [000000000] Configuration update started. Site: mywebapp
2022-08-09T13:56:33.891252892Z mywebapp : [000000000] [SystemAssigned] Added Identity with ClientId: xxxxx
2022-08-09T13:56:40.443484502Z mywebapp : [b9b93d63-x] Incoming request on /msi/token?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01
2022-08-09T13:56:40.444627310Z mywebapp : [b9b93d63-x] Request to TokenService: Endpoint 172.16.0.3:8081, Port 8081, Path /msi/token, Query ?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01, Method GET, UserAgent azsdk-js-identity/2.1.0 core-rest-pipeline/1.9.1 Node/v14.20.0 OS/(x64-Linux-5.4.0-1074-azure)
2022-08-09T13:56:40.445751618Z mywebapp : [b9b93d63-x] Request for site mywebapp failed secret validation. Expecting c2b90bxx-xxxx-xxxx-xxxx-x, received dd30d8xx-xxxx-xxxx-xxxx-x
2022-08-09T13:56:40.472750010Z mywebapp : [b9b93d63-x] Secret header validation failed for request on port 8081
2022-08-09T13:56:40.649821473Z mywebapp : [b9b93d63-x] Returning response for Site , Endpoint 172.16.0.3:8081, Port 8081, Path /msi/token, Method GET, Result = 403
2022-08-09T13:57:19.811328657Z mywebapp : [5645b46d-x] Incoming request on /msi/token?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01
2022-08-09T13:57:19.812257967Z mywebapp : [5645b46d-x] Request to TokenService: Endpoint 172.16.0.3:8081, Port 8081, Path /msi/token, Query ?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01, Method GET, UserAgent azsdk-js-identity/2.1.0 core-rest-pipeline/1.9.1 Node/v14.20.0 OS/(x64-Linux-5.4.0-1074-azure)
2022-08-09T13:57:19.813176178Z mywebapp : [5645b46d-x] Request for site mywebapp failed secret validation. Expecting c2b90bxx-xxxx-xxxx-xxxx-x, received dd30d8xx-xxxx-xxxx-xxxx-x
2022-08-09T13:57:19.813196078Z mywebapp : [5645b46d-x] Secret header validation failed for request on port 8081
2022-08-09T13:57:19.813202278Z mywebapp : [5645b46d-x] Returning response for Site , Endpoint 172.16.0.3:8081, Port 8081, Path /msi/token, Method GET, Result = 403
2022-08-09T13:56:33.130061275Z Warning! Cannot copy to bundle: /usr/local/share/ca-certificates/azure
2022-08-09T13:56:33.871796868Z WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
2022-08-09T13:56:33.880435556Z WARNING: ca-cert-azure.pem does not contain exactly one certificate or CRL: skipping
2022-08-09T13:56:34.417600320Z Updated CA certificates
2022-08-09T13:56:47.943831735Z mywebapp : [000000000] Configuration update started. Site: mywebapp
2022-08-09T13:56:48.025757651Z mywebapp : [000000000] [SystemAssigned] Added Identity with ClientId: xxxxx
2022-08-09T13:56:48.046455356Z mywebapp : [000000000] Starting TokenService version 2.0.1.3 from /app with the LinuxDedicated SKU. Environment check: IsLinuxDedicated: True, IsLinuxConsumption: False, IsContainerApps: False, IsWindows: False.
2022-08-09T13:56:48.329133687Z Hosting environment: Production
2022-08-09T13:56:48.331515599Z Content root path: /app
2022-08-09T13:56:48.383934965Z Now listening on: http://[::]:8081
2022-08-09T13:56:48.383969865Z Application started. Press Ctrl+C to shut down.
2022-08-09T13:56:49.459989205Z mywebapp : [c3cb26e3-x] Incoming request on /healthcheck?api-version=2021-08-01
2022-08-09T13:56:49.463075020Z mywebapp : [c3cb26e3-x] Request to TokenService: Endpoint 172.16.0.6:8081, Port 8081, Path /healthcheck, Query ?api-version=2021-08-01, Method GET, UserAgent HealthCheck/1.0
2022-08-09T13:56:50.646766243Z mywebapp : [c3cb26e3-x] Returning response for Site , Endpoint 172.16.0.6:8081, Port 8081, Path /healthcheck, Method GET, Result = 200
2022-08-09T13:57:30.453751935Z mywebapp : [c13f55a5-x] Incoming request on /robots933456.txt
2022-08-09T13:57:30.499923900Z mywebapp : [c13f55a5-x] Request to TokenService: Endpoint 172.16.0.6:8081, Port 8081, Path /robots933456.txt, Query , Method GET, UserAgent HealthCheck/1.0
2022-08-09T13:57:30.500017001Z mywebapp : [c13f55a5-x] Returning response for Site , Endpoint 172.16.0.6:8081, Port 8081, Path /robots933456.txt, Method GET, Result = 404
2022-08-09T13:57:40.539461130Z mywebapp : [e4dc6085-x] Incoming request on /msi/token?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01
2022-08-09T13:57:40.540546737Z mywebapp : [e4dc6085-x] Request to TokenService: Endpoint 172.16.0.6:8081, Port 8081, Path /msi/token, Query ?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01, Method GET, UserAgent azsdk-js-identity/2.1.0 core-rest-pipeline/1.9.1 Node/v14.20.0 OS/(x64-Linux-5.4.0-1074-azure)
2022-08-09T13:57:40.760013925Z mywebapp : [e4dc6085-x] Request to retrieve token received
2022-08-09T13:57:42.936256562Z mywebapp : [e4dc6085-x] Requesting an AAD Token using ADAL for Authority: https://login.microsoftonline.com/xxxxx, Resource: https://vault.azure.net, ClientId: xxxxx
2022-08-09T13:57:43.754027812Z mywebapp : [e4dc6085-x] AadTokenCacheEntryAdded. TenantId: xxxxx, ClientId: xxxxx, Resource: https://vault.azure.net, Expiration: 08/10/2022 13:57:42
2022-08-09T13:57:43.764947481Z mywebapp : [e4dc6085-x] AAD Token Response Audit. Site mywebapp, ExpiresOn: 1660139862, Resource: https://vault.azure.net, TokenType: Bearer, ClientId: xxxxx
2022-08-09T13:57:43.932656137Z mywebapp : [e4dc6085-x] Returning response for Site mywebapp, Endpoint 172.16.0.6:8081, Port 8081, Path /msi/token, Method GET, Result = 200
2022-08-09T13:57:50.482848061Z mywebapp : [cd28e89e-x] Incoming request on /msi/token?resource=https%3A%2F%2Fdatabase.windows.net&api-version=2019-08-01
2022-08-09T13:57:50.536023393Z mywebapp : [cd28e89e-x] Request to TokenService: Endpoint 172.16.0.6:8081, Port 8081, Path /msi/token, Query ?resource=https%3A%2F%2Fdatabase.windows.net&api-version=2019-08-01, Method GET, UserAgent azsdk-js-identity/2.1.0 core-rest-pipeline/1.9.1 Node/v14.20.0 OS/(x64-Linux-5.4.0-1074-azure)
2022-08-09T13:57:50.536068993Z mywebapp : [cd28e89e-x] Request to retrieve token received
2022-08-09T13:57:50.536076493Z mywebapp : [cd28e89e-x] Requesting an AAD Token using ADAL for Authority: https://login.microsoftonline.com/xxxxx, Resource: https://database.windows.net, ClientId: xxxxx
2022-08-09T13:57:50.709470174Z mywebapp : [cd28e89e-x] AadTokenCacheEntryAdded. TenantId: xxxxx, ClientId: xxxxx, Resource: https://database.windows.net, Expiration: 08/10/2022 13:57:49
2022-08-09T13:57:50.726837882Z mywebapp : [cd28e89e-x] AAD Token Response Audit. Site mywebapp, ExpiresOn: 1660139869, Resource: https://database.windows.net, TokenType: Bearer, ClientId: xxxxx
2022-08-09T13:57:50.727656087Z mywebapp : [cd28e89e-x] Returning response for Site mywebapp, Endpoint 172.16.0.6:8081, Port 8081, Path /msi/token, Method GET, Result = 200