[BUG] regression in sdk 5.18.0 wrt managed id #42979
Comments
Thank you for your feedback. Tagging and routing to the team member best able to assist.
Same problem. Here is the stacktrace:
@davidkarlsen, add this dependency to your app, to proactively pull it into your app.
```xml
<dependency>
  <groupId>com.azure</groupId>
  <artifactId>azure-identity</artifactId>
  <version>1.14.2</version>
</dependency>
```
Let us know if the issue still persists.
Nah, still get:
Any progress?
@davidkarlsen What version were you on before you upgraded to 5.18.0?
Hi @davidkarlsen. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
@billwert 5.17.1
@davidkarlsen Can you also share a sample spring app to help reproduce this issue?
@davidkarlsen could you try with the latest version 5.19.0 to see whether the issue still exists?
No, still fails:
Full stacktrace:
@g2vinay see initial post for enough details to repro. Basically add kv starter as described and the env-vars.
Also note that this is used as a property placeholder/property source (java.lang.IllegalStateException: Failed to configure KeyVault property source 'azure-key-vault-secret-property-source-0') - these happen early in the framework initialization - so perhaps the properties are not bound yet - but surely you must have tested this. So to sum up:
Hi @davidkarlsen, you are using the user assigned MI in app service right?
@saragluna Correct. Actually the app service has two identities (one is common across many apps to pull ACR images) - the other is the identity of the application itself - and that identity is what is injected via the relevant env-vars as described.
Hi @davidkarlsen, thanks for using Spring Cloud Azure! I cannot reproduce the exception. I used the configuration below and can get the secret successfully.
```yaml
spring:
  cloud:
    azure:
      keyvault:
        secret:
          property-source-enabled: true
          property-sources:
            - name: keyvault
              endpoint: https://<your-keyvault-name>.vault.azure.net/
              credential:
                managed-identity-enabled: true
                client-id: <your-user-managed-identity-client-id>
```
If I do not add the user managed identity for the Web App, then I will meet a similar exception; this is because the target internal IP is not available, the root cause is
The environment variables you listed are not correct, but your app worked fine before 5.18.0; I assumed the managed identity used by the keyvault property source is the system managed identity. Please update the envs with the names below:
I hope to use the latest version and double check whether the user managed identity used by the keyvault property source has been added to the Web App. If you select to use system managed identity, please enable system managed identity and remove
Thanks - now it works - but something has changed here since it broke between the two versions.
Glad to hear that! We provided the CHANGELOG for each version, there's no migration/upgrade doc for minor version. It takes some time to get in step with Spring Cloud Azure doc!
@davidkarlsen, we did fix a bug which we didn't mention in the changelog. The approach we used to resolve a token credential for each SDK client is that:
When setting these envs:
The token credential resolved for KV property source should be a system assigned managed identity, option 2. Because the However, after the bug was fixed, it is now only option 2. So that after setting the client id it works.
Describe the bug
Env-vars from IaC look like:
which worked fine on v<5.18, now breaks with:
2024-11-16T18:02:49.589413643Z Caused by: com.microsoft.aad.msal4j.MsalServiceException: [Managed Identity] Error Message: Unable to load the proper Managed Identity. Managed Identity Correlation xxx
Exception or Stack Trace
2024-11-16T18:02:49.589413643Z Caused by: com.microsoft.aad.msal4j.MsalServiceException: [Managed Identity] Error Message: Unable to load the proper Managed Identity. Managed Identity Correlation xxx
To Reproduce
See description and upgrade to 5.18