Unable to get access to Key Vault using Azure MSI on App Service

azure azure-webjobs azure-web-app-service azure-keyvault azure-managed-identity
Jerome Haltom picture Jerome Haltom · Sep 19, 2017 · Viewed 10.2k times · Source

I have enabled Managed Service Identities on an App Service. However, my WebJobs seem unable to access the keys.

They report:

Tried the following 3 methods to get an access token, but none of them worked. Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: . Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup. Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.microsoftonline.com/common. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. password_required_for_managed_user: Password is required for managed user Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,

Kudo does not show any MSI_ environmental variables.

How is this supposed to work? This is an existing App Service Plan.

Answer

James Christianson picture James Christianson · Sep 22, 2017

The AppAuthentication library leverages an internal endpoint in App Service that receives the tokens on your site's behalf. This endpoint is non-static and therefore is set to an environment variable. After activating MSI for your site through ARM, your site will need to be restarted to get two new Environment Variables set in it:

MSI_ENDPOINT and MSI_SECRET

The presence of these variables are essential to the MSI feature working properly during runtime as the AppAuthentication library uses them to get the authorization token. The error message reflects this:

Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.

If these variables are absent, you might need to restart the site.

https://docs.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity

If the environment variables are set and you still see the same error, the article above has a code sample showing how to send requests to that endpoint manually. 

public static async Task<HttpResponseMessage> GetToken(string resource, string apiversion)  {
HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Add("Secret", Environment.GetEnvironmentVariable("MSI_SECRET"));
return await client.GetAsync(String.Format("{0}/?resource={1}&api-version={2}", Environment.GetEnvironmentVariable("MSI_ENDPOINT"), resource, apiversion));

}

I would try that and see what kind of response I get back.

Related questions

Azure WebJob timeout configuration settings

We have an Azure web site with a daily scheduled job. In our case, the scheduled job runs a stored procedure that takes about 10 minutes so there is no local processing. Our web job is terminating after about 4 minutes with …

Read More
Can I invoke an Azure webjob from an Azure website and pass it parameters?

I have an Azure webjob that I want to invoke from an Azure website. I want to pass string parameters from the website to the webjob. I know I can invoke the webjob as a REST API (https://github.com/…

Read More
Azure WebJobs - Can I use Async Methods?

I was wondering if the Azure WebJobs SDK can trigger async methods? Currently I have a method that looks like the following: class Program { static void Main(string[] args) { var host = new JobHost(); host.RunAndBlock(); } public static void ProcessStuff([QueueInput("…

Read More