ManagedIdentityCredential authentication unavailable, no managed identity endpoint found

Asked 3/5, 2021 at 10:14 Answered 23/5, 2022 at 7:39

python azure credentials azure-keyvault azure-managed-identity

Im trying to allow an app service (python) to get secrets from azure keyvault without the usage of hardcoded client id/secrets, therefore I`m trying to use ManagedIdentity.

I have enabled system & user assigned functions in my service app
I have created a policy in vault where the service app is granted access to the secrets

code:

credentials_object = ManagedIdentityCredential()
client = SecretClient(vault_url=VAULT_URL, credential=credentials_object)
value = client.get_secret('MYKEY').value

error (when app is deployed and when running locally):

azure.identity._exceptions.CredentialUnavailableError: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.

What am I missing? Thank you!

Borlase answered 3/5, 2021 at 10:14 Comment(4)

Running locally that is expected as there is no managed identity. It's only available in Azure. What kind of App Service are you running your app in? – Rob 3/5, 2021 at 10:32

Windows or Linux? – Rob 3/5, 2021 at 10:42

Linux, inside a docker container – Borlase 3/5, 2021 at 12:39

Does it work outside of python? Please see learn.microsoft.com/en-us/azure/container-instances/… for example code to test. – Aesop 3/5, 2021 at 20:2

It's important to understand that Managed Identity feature in Azure is ONLY relevant when, in this case, the App Service is deployed. This would mean you would probably want to use DefaultAzureCredential() from the Azure.Identity library which is compatible both when running locally and for the deployed web app.

This class will run down the hierarchy of possible authentication methods and when running locally I prefer to use a service principal. Run the following in Azure CLI to create a service principal: az ad sp create-for-rbac --name localtest-sp-rbac --skip-assignment. You then add the service principal localtest-sp-rbac in the IAM for the required Azure services.

I recommend reading this article for more information and how to configure your local environment: https://learn.microsoft.com/en-us/azure/developer/python/configure-local-development-environment

You can see the list of credential types that DefaultAzureCredential() goes through in the Azure docs.

Accroach answered 11/5, 2021 at 18:17 Comment(2)

Thank you. My problem is that altough im using either "ManagedIdentityCredential" or "DefaultAzureCredential", I simply can not get access when the app is deployed. Therefore gaining access locally is not the issue at this point. – Borlase 17/5, 2021 at 7:22

Also we need to assign managed identity to Azure resource (ex: Function App). – Mccaskill 3/12, 2022 at 14:10

In my case, it was the issue of having multiple Managed Identities attached to my VMs. I am trying to access Azure Storage Account from AKS using ManagedIdentityCredential. When I specified the client_id of the MI as:

credentials_object  = ManagedIdentityCredential(client_id='XXXXXXXXXXXX')

it started to work! It's also mentioned in here that we need to specify the client_id of the MI if the VM or VMSS has multiple identities attached to it.

Karlee answered 23/5, 2022 at 7:39 Comment(1)

I can confirm this works in node, thanks ! I had only one User Assigned MI for my app, but this solved the issue in my case. – Concatenate 14/9, 2022 at 13:44

Recommended topics

Hot tags