Comments (7)
github-actions
commented on July 20, 2024
from azure-sdk-for-java.
github-actions
commented on July 20, 2024
Thank you for your feedback. Tagging and routing to the team member best able to assist.
from azure-sdk-for-java.
yashpalslathia21
commented on July 20, 2024
Changed the code like this -
TokenCredential managedIdentityCredential = (new ManagedIdentityCredentialBuilder()).clientId(clientId)
.build();
String accessToken = ((AccessToken) managedIdentityCredential.getToken((new TokenRequestContext())
.addScopes(new String[] { "https:///.default" })).block())
.getToken();
Still getting error like this -
2024-05-09 12:21:05.499 [ForkJoinPool.commonPool-worker-1] [ERROR] com.azure.identity.ManagedIdentityCredential - Azure Identity => ERROR in getToken() call for scopes [https:///.default]: Managed Identity authentication is not available.
Can you pls confirm if this is a bug in the SDK that needs to be fixed. Is there an alternate way to fetch AAD Token for workload identity?
from azure-sdk-for-java.
yashpalslathia21
commented on July 20, 2024
At the moment, this is blocking me to implement workload identity.
from azure-sdk-for-java.
billwert
commented on July 20, 2024
Hello! Can you help me understand the scenario? Generally these credentials are used in the context of one of our service clients (such as KeyVaultClient.) Is that also failing, and you are simplifying the repro here? Can you try a scope like https://vault.azure.net or https://management.azure.com?
from azure-sdk-for-java.
yashpalslathia21
commented on July 20, 2024
Hi,
I need to use the workload identity flow with Azure database for MySQL
single server. I don't need to use the vault as it is not a requirement for
us.
I have followed the steps as listed in this microsoft documentation
https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster
.
Following is the code I am using to fetch AAD token -
Map<String, String> env = System.*getenv*();
String tenantId = env.get("AZURE_TENANT_ID");
String clientId = env.get("AZURE_CLIENT_ID");
String tokenFile = env.get("AZURE_FEDERATED_TOKEN_FILE");
TokenCredential managedIdentityCredential = (new
ManagedIdentityCredentialBuilder()).clientId(clientId)
.build();
String accessToken = ((AccessToken) managedIdentityCredential
.getToken((new TokenRequestContext()).addScopes(new
String[] { "https://ssp-demo-db8.mysql.database.azure.com/.default" })).
block()).getToken();
But when I am running this code as K8S pod, I am getting this error -
2024-05-10 07:44:08.990 [main] [DEBUG]
com.azure.identity.ManagedIdentityCredential - Azure Identity => Found the
following environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID
2024-05-10 07:44:09.131 [main] [DEBUG]
com.azure.core.implementation.util.Providers - Using
com.azure.core.http.netty.NettyAsyncHttpClientProvider as the default
com.azure.core.http.HttpClientProvider.
2024-05-10 07:44:10.636 [ForkJoinPool.commonPool-worker-1] [ERROR]
com.azure.identity.ManagedIdentityCredential - Azure Identity => ERROR in
getToken() call for scopes [
https://ssp-demo-db8.mysql.database.azure.com/.default]: Managed Identity
authentication is not available.
CredentialUnavailableException: Managed Identity authentication is not
available.},
[com.azure.identity.implementation.IdentityClient.lambda$authenticateWithManagedIdentityConfidentialClient$25(IdentityClient.java:563),
reactor.core.publisher.Mono.lambda$onErrorMap$28(Mono.java:3783),
reactor.core.publisher.FluxOnErrorResume$ResumeSubscriber.onError(FluxOnErrorResume.java:94),
reactor.core.publisher.MonoFlatMap$FlatMapMain.secondError(MonoFlatMap.java:241),
reactor.core.publisher.MonoFlatMap$FlatMapInner.onError(MonoFlatMap.java:315),
reactor.core.publisher.MonoCompletionStage$MonoCompletionStageSubscription.apply(MonoCompletionStage.java:119),
reactor.core.publisher.MonoCompletionStage$MonoCompletionStageSubscription.apply(MonoCompletionStage.java:71),
java.base/java.util.concurrent.CompletableFuture.uniHandle(CompletableFuture.java:934),
java.base/java.util.concurrent.CompletableFuture$UniHandle.tryFire(CompletableFuture.java:911),
java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:510),
java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1773),
java.base/java.util.concurrent.CompletableFuture$AsyncSupply.exec(CompletableFuture.java:1760),
java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:373),
java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1182),
java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1655),
java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1622),
java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:165)]
Can you please help to correct or fix this issue as I have been blocked for
the last 2 weeks?
I have already opened an official case (Case *2405100030001925)* with
Microsoft for this issue and there has been no progress till now.
Regards,
Yashpal
…On Fri, May 24, 2024 at 4:17 AM Bill Wert ***@***.***> wrote:
Hello! Can you help me understand the scenario? Generally these
credentials are used in the context of one of our service clients (such as
KeyVaultClient.) Is that also failing, and you are simplifying the repro
here? Can you try a scope like https://vault.azure.net or
https://management.azure.com?
—
Reply to this email directly, view it on GitHub
<#40090 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ATLYJAXECR7LDQSGOWGSS6DZDZWYBAVCNFSM6AAAAABHOHTNZOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMRYGE2TMNRWGQ>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
from azure-sdk-for-java.
roumn
commented on July 20, 2024
I had the same issue, with debugging I figured out that the workload identity did not have the appropriate rights for the requested scope.
The token exchange API (https://login.microsoftonline.com/<tenantId>/oauth2/v2.0/token) does return the following JSON body:
{
"error": "invalid_grant",
"error_description": "AADSTS501051: Application '<censored app id>'(<censored app name>) is not assigned to a role for the application 'api://<censored api id>'(<censored api name>). Trace ID: <censored trace id> Correlation ID: <censored correlation id> Timestamp: <censored timestamp>",
"error_codes": [
501051
],
"timestamp": "<censored timestamp>",
"trace_id": "<censored trace id>",
"correlation_id": "<censored correlation id>",
"error_uri": "https: //login.microsoftonline.com/error?code=501051"
}
But the azure identity library (I am using 1.12.2) does not print any error message and the response body is swallowed because the status code returned is 400, and the HttpURLConnection class, which executes this call ignores the body for this response code.
from azure-sdk-for-java.
Related Issues (20)
- [BUG] GetChatCompletionsStreamAsyncSample code not working HOT 2
- Migration directions from old azure-storage HOT 3
- [BUG] Failed to upload blob: Wrong number of arguments; expected 1, got 0 HOT 6
- [BUG] ChatRequestUserMessage content is binaryData
- [BUG] azure-core-http-netty 1.15.1 contains wrong netty.version property HOT 5
- [FEATURE REQ] add a LIVE test for oracledatabase HOT 2
- Typo "a Azure"→"an Azure" HOT 1
- Typo "a Azure"→"an Azure" HOT 1
- [BUG] PagedIterable<BlobItem> stream().paralllel() is behaving as sequential HOT 2
- [BUG] Azure Communication Service Job Router RouterValue class Deserialize Issue HOT 1
- Factory method 'openAIClient' threw exception; nested exception is java.lang.NoClassDefFoundError: reactor/util/Loggers HOT 3
- Detected an instance of Random/SplittableRandom class in the image heap HOT 2
- [BUG] Cosmos hangs forever with CosmosEndToEndOperationLatencyPolicyConfig set HOT 2
- [OpenAI] Support token calculation in streaming API
- Use an access token directly instead of token credential HOT 1
- [BUG] Azure Communication Service Job Router Java SDK having Deserialize Issue for RouterValue class HOT 3
- Receive message connection from ServiceBusProcessorClient closes due to inactivity in service bus HOT 3
- [Question] Implementing Long-Running Operations with SyncPoller HOT 3
- Change BinaryData fromObject(Object) and toObject(Class<T>) / toObject(TypeReference<T>) behavior
- OpenRewrite recipes for moving usages from azure-core to io.clientcore
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from azure-sdk-for-java.