ManagedIdentityCredential - Azure Arc MSI: To authenticate with Azure Arc MSI, status code 401 is expected on the first request #54

Open
timja opened this issue Jul 25, 2024 · 0 comments

timja commented Jul 25, 2024

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

  1. Write an app using the JS SDK (the services I'm using are Azure OpenAI and Azure AI Search, both failed in the same way): https://learn.microsoft.com/en-us/javascript/api/overview/azure/identity-readme?view=azure-node-latest
  2. Build the app in docker, my compose file looks like:

    services:
      my-app:
        build: .
        depends_on:
          - azure-cli-proxy
        environment:
          - "IDENTITY_ENDPOINT=http://azure-cli-proxy:8080/token"
          - "IMDS_ENDPOINT=dummy_required_value"
      azure-cli-proxy:
        image: workleap/azure-cli-credentials-proxy:1.1.0
        ports:
          - "8080:8080"
        volumes:
          - "$HOME/.azure:/app/.azure/"

  3. Click on '....'
  4. See error

slack-help-bot-1   | /opt/app/node_modules/@azure/identity/dist/index.js:2747
slack-help-bot-1   |             throw new AuthenticationError(err.statusCode, {
slack-help-bot-1   |                   ^
slack-help-bot-1   |
slack-help-bot-1   | AuthenticationError: ManagedIdentityCredential authentication failed. Status code: 200
slack-help-bot-1   | More details:
slack-help-bot-1   | unknown_error Status code: 200
slack-help-bot-1   | More details:
slack-help-bot-1   | An unknown error has occurred. Response body:
slack-help-bot-1   |
slack-help-bot-1   | ManagedIdentityCredential - Azure Arc MSI: To authenticate with Azure Arc MSI, status code 401 is expected on the first request.  Response: {"access_token":"...", "expiresOn":"2024-07-24T16:25:17.0000000+00:00","expires_on":"1721838317","tokenType":"Bearer","resource":"https://cognitiveservices.azure.com"}
slack-help-bot-1   |     at LegacyMsiProvider.getToken (/opt/app/node_modules/@azure/identity/dist/index.js:2747:19)
slack-help-bot-1   |     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
slack-help-bot-1   |     at async /opt/app/node_modules/@azure/identity/dist/index.js:3473:29
slack-help-bot-1   |     at async Object.withSpan (/opt/app/node_modules/@azure/core-tracing/dist/index.js:140:28)
slack-help-bot-1   |     at async DefaultAzureCredential.getToken (/opt/app/node_modules/@azure/identity/dist/index.js:3463:27)
slack-help-bot-1   |     at async tryGetAccessToken (/opt/app/node_modules/@azure/core-rest-pipeline/dist/index.js:1997:32)
slack-help-bot-1   |     at async beginRefresh (/opt/app/node_modules/@azure/core-rest-pipeline/dist/index.js:2005:17)
slack-help-bot-1   |     at async Object.defaultAuthorizeRequest [as authorizeRequest] (/opt/app/node_modules/@azure/core-rest-pipeline/dist/index.js:2128:25)
slack-help-bot-1   |     at async Object.sendRequest (/opt/app/node_modules/@azure/core-rest-pipeline/dist/index.js:2179:13)
slack-help-bot-1   |     at async AzureOpenAI.getRefreshedToken [as _azureADTokenProvider] (/opt/app/node_modules/@azure/identity/dist/index.js:4413:21)
slack-help-bot-1   |     at async AzureOpenAI._getAzureADToken (/opt/app/node_modules/openai/index.js:221:27)
slack-help-bot-1   |     at async AzureOpenAI.prepareOptions (/opt/app/node_modules/openai/index.js:236:23)
slack-help-bot-1   |     at async AzureOpenAI.makeRequest (/opt/app/node_modules/openai/core.js:285:9)
slack-help-bot-1   |     at async analyticsRecommendations (/opt/app/src/ai/ai.js:26:18)

Expected behavior

Documented option should work out of the box

Screenshots
If applicable, add screenshots to help explain your problem.

Environment (please complete the following information):

  • OS: Mac
  • Version: 1.1.0
  • azure/identity SDK: 4.40

Additional context

I also tried:

    environment:
      - "IDENTITY_ENDPOINT=http://azure-cli-proxy:8080/token"
      - "IMDS_ENDPOINT=dummy_required_value"
      - "MSI_ENDPOINT=http://azure-cli-proxy:8080/token"

After reading the source code of the Azure SDK and looking at what triggered each MSI type of lookup I removed IDENTITY_ENDPOINT and IMDS_ENDPOINT to have a file that looks like:

    services:
      my-app:
        build: .
        depends_on:
          - azure-cli-proxy
        environment:
          - "MSI_ENDPOINT=http://azure-cli-proxy:8080/token"
      azure-cli-proxy:
        image: workleap/azure-cli-credentials-proxy:1.1.0
        ports:
          - "8080:8080"
        volumes:
          - "$HOME/.azure:/app/.azure/"
          #- "\\\\wsl$\\<DISTRONAME>\\home\\<USERNAME>\\.azure\\:/app/.azure/" # Uncomment on Windows with WSL

and that worked.

I'm not sure how generic across the SDKs the solution is but if it works across multiple then maybe just MSI_ENDPOINT should be specified?

My app just uses the Default Token credential that is recommended.
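
The mismatch reported in this issue, modelled as an added example that is not part of the original issue, the Azure SDK, or the proxy: it picks the credential flow from the environment variables and checks an endpoint's first response against what that flow expects. The function names are hypothetical, the sample responses are constructed, the flow selection covers only the variable combinations described in the issue, and the `Basic realm=` challenge header is an assumption about the Arc handshake that the issue's output does not show.

```javascript
// Added example. All responses below are constructed sample data, not captured traffic.
const arcStyleFirst = {            // endpoint that challenges the first request
  status: 401,
  headers: { "www-authenticate": "Basic realm=/constructed/path/secret.key" },
  body: "",
};
const proxyStyleFirst = {          // endpoint that answers with a token right away
  status: 200,
  headers: {},
  body: '{"access_token":"constructed-token","expires_on":"1721838317","tokenType":"Bearer"}',
};

// Flow selection, limited to the combinations reported in the issue (an assumption,
// not the SDK's full provider list): both IDENTITY_ENDPOINT and IMDS_ENDPOINT select
// the Azure Arc flow even when MSI_ENDPOINT is also set.
function selectFlow(env) {
  if (env.IDENTITY_ENDPOINT && env.IMDS_ENDPOINT) return "azure-arc";
  if (env.MSI_ENDPOINT) return "msi-endpoint";
  return "not-modelled";
}

// Judge the first HTTP response the way the selected flow expects it.
function evaluateFirstResponse(flow, res) {
  if (flow === "azure-arc") {
    if (res.status !== 401) {
      return { ok: false, reason: `401 expected on the first request, got ${res.status}` };
    }
    const match = /^Basic realm=(.+)$/.exec(res.headers["www-authenticate"] || "");
    return match
      ? { ok: true, reason: `challenge received, secret file: ${match[1]}` }
      : { ok: false, reason: "401 without a Basic realm challenge" };
  }
  if (flow === "msi-endpoint") {
    if (res.status !== 200) return { ok: false, reason: `200 expected, got ${res.status}` };
    let token;
    try { token = JSON.parse(res.body).access_token; } catch { token = undefined; }
    return token
      ? { ok: true, reason: "token returned directly" }
      : { ok: false, reason: "no access_token in response body" };
  }
  return { ok: false, reason: "flow not modelled in this example" };
}

// Combine both steps for one service's environment and its endpoint's first response.
function preflight(env, firstResponse) {
  const flow = selectFlow(env);
  return { flow, ...evaluateFirstResponse(flow, firstResponse) };
}
```

Calling `preflight` with the first compose file's variables and `proxyStyleFirst` reports the Arc flow rejecting a 200, while the `MSI_ENDPOINT`-only environment accepts the same response.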
