[BUG] wrong status for actuator health check for storage-queue when using user-assigned managed id #43650

Open
3 tasks done
davidkarlsen opened this issue Dec 30, 2024 · 1 comment
Labels
azure-spring All azure-spring related issues customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

davidkarlsen commented Dec 30, 2024

Describe the bug
When using user-assigned managed identity, the health actuator health-check for a storage-queue will show as failing although it actually works just fine.

library:

    <dependency>
      <groupId>com.azure.spring</groupId>
      <artifactId>spring-cloud-azure-starter-storage-queue</artifactId>
    </dependency>

Exception or Stack Trace
Error message from actuator:

error: "com.azure.storage.queue.models.QueueStorageException: If you are using a StorageSharedKeyCredential, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate method call.
If you are using a SAS token, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate generateSas method call.
Please remember to disable 'Azure-Storage-Log-String-To-Sign' before going to production as this string can potentially contain PII.
If you are using a StorageSharedKeyCredential, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate method call.
If you are using a SAS token, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate generateSas method call.
Please remember to disable 'Azure-Storage-Log-String-To-Sign' before going to production as this string can potentially contain PII.
Status code 403, "<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission.
RequestId:20c6e971-3003-002d-3d62-5ada0c000000
Time:2024-12-30T02:26:59.8418564Z</Message></Error>""
}

To Reproduce

Code Snippet
IAC code injecting env-vars:

    AZURE_TENANT_ID                                               = data.azurerm_client_config.current.tenant_id
    AZURE_CLIENT_ID                                               = data.azurerm_user_assigned_identity.app.client_id
    SPRING_CLOUD_AZURE_CREDENTIAL_CLIENT_ID                       = data.azurerm_user_assigned_identity.app.client_id
    SPRING_CLOUD_AZURE_CREDENTIAL_MANAGED_IDENTITY_ENABLED        = "true"
    SPRING_CLOUD_AZURE_STORAGE_ACCOUNTNAME                        = var.storage_account.name
    SPRING_CLOUD_AZURE_STORAGE_BLOB_ENDPOINT                      = data.azurerm_storage_account.this.primary_blob_endpoint
    SPRING_CLOUD_AZURE_STORAGE_QUEUE_ENDPOINT                     = data.azurerm_storage_account.this.primary_queue_endpoint
    SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTYSOURCES_0_ENDPOINT = var.key_vault.uri
    SPRING_DATASOURCE_URL                                         = var.jdbc_url

and section from application.yaml:

  cloud:
    azure:
      storage:
        blob:
          container-name: customerfiles
        queue:
          queue-name: fileuploadevents
          message-encoding: none

Expected behavior
The health check should pass

Screenshots
N/A

Setup (please complete the following information):

  • OS: [e.g. iOS], Linux
  • IDE: [e.g. IntelliJ] N/A
  • Library/Libraries: [e.g. com.azure:azure-core:1.16.0 (groupId:artifactId:version)] SDK 5.19.0, using the spring cloud azure starter
  • Java version: [e.g. 8] 21
  • App Server/Environment: [e.g. Tomcat, WildFly, Azure Function, Apache Spark, Databricks, IDE plugin or anything special], embedded tomcat in a container running on appservice
  • Frameworks: [e.g. Spring Boot, Micronaut, Quarkus, etc] spring boot

If you suspect a dependency version mismatch (e.g. you see NoClassDefFoundError, NoSuchMethodError or similar), please check out Troubleshoot dependency version conflict article first. If it doesn't provide solution for the problem, please provide:

  • verbose dependency tree (mvn dependency:tree -Dverbose)
  • exception message, full stack trace, and any available logs

Additional context
Add any other context about the problem here.

Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
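The actuator string quoted above buries the server's actual verdict (`403 AuthorizationPermissionMismatch`) under the SDK's generic "Signature did not match" advice, which only applies to shared-key and SAS credentials and is noise when the credential is a managed identity. The helper below is an added example, not code from this issue or from the Spring Cloud Azure project: it pulls the HTTP status and the `<Error>` body out of such a string and separates an authentication failure (bad credential) from an authorization mismatch (token accepted, but the identity's role does not cover the operation the probe performs). The sample error text is constructed after the one in the report, and its RequestId is a placeholder.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the actuator "error" field in the report above.
# The RequestId is a placeholder, not a real request id.
SAMPLE_ERROR = (
    "com.azure.storage.queue.models.QueueStorageException: If you are using a "
    "StorageSharedKeyCredential, and the server returned an error message that says "
    "'Signature did not match', you can compare the string to sign with the one "
    "generated by the SDK.\n"
    "Status code 403, \"<?xml version=\"1.0\" encoding=\"utf-8\"?><Error>"
    "<Code>AuthorizationPermissionMismatch</Code>"
    "<Message>This request is not authorized to perform this operation using this permission.\n"
    "RequestId:00000000-0000-0000-0000-000000000000\n"
    "Time:2024-12-30T02:26:59.8418564Z</Message></Error>\""
)


@dataclass
class StorageError:
    status_code: Optional[int]
    code: Optional[str]
    message: Optional[str]
    request_id: Optional[str]
    time: Optional[str]


def parse_storage_error(text: str) -> StorageError:
    """Extract the HTTP status and the <Error> body from a QueueStorageException string."""
    status_match = re.search(r"Status code (\d{3})", text)
    status = int(status_match.group(1)) if status_match else None

    # Slice out just the <Error>...</Error> element; the XML declaration and the
    # surrounding quotes from the JSON rendering are dropped.
    start = text.find("<Error>")
    end = text.rfind("</Error>")
    if start == -1 or end == -1:
        return StorageError(status, None, None, None, None)

    root = ET.fromstring(text[start:end + len("</Error>")])
    code = root.findtext("Code")
    raw_message = root.findtext("Message") or ""

    # The Message element carries the human-readable text on the first line,
    # followed by RequestId: and Time: lines that are useful for a support case.
    lines = [ln.strip() for ln in raw_message.splitlines() if ln.strip()]
    message = lines[0] if lines else None
    request_id = next((ln.split(":", 1)[1] for ln in lines if ln.startswith("RequestId:")), None)
    time = next((ln.split(":", 1)[1] for ln in lines if ln.startswith("Time:")), None)
    return StorageError(status, code, message, request_id, time)


def classify(err: StorageError) -> str:
    """Map the server-side error code to the layer that needs attention.

    AuthorizationPermissionMismatch means the token was accepted, so identity
    acquisition worked; the principal simply lacks a role assignment covering the
    data action the request performed. AuthenticationFailed means the credential
    or signature itself was rejected.
    """
    if err.status_code == 403 and err.code == "AuthorizationPermissionMismatch":
        return "authorization"
    if err.status_code == 403 and err.code == "AuthenticationFailed":
        return "authentication"
    return "unknown"


if __name__ == "__main__":
    parsed = parse_storage_error(SAMPLE_ERROR)
    print(parsed)
    print("layer to check:", classify(parsed))
```

Run against the report's error string, the result is `authorization`, which is consistent with the observation that the application's own queue operations work while the health probe does not: the probe can issue a call the identity's role assignment does not cover, and the string-to-sign advice is irrelevant to that.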
@github-actions github-actions bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Dec 30, 2024
@davidkarlsen davidkarlsen changed the title [BUG] wrong status for [BUG] wrong status for actuator health check for storage-queue when using user-assigned managed id Dec 30, 2024
@jairmyree jairmyree added the azure-spring All azure-spring related issues label Dec 31, 2024
@github-actions github-actions bot removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Dec 31, 2024
jairmyree (Member) commented

@davidkarlsen Thank you for reaching out. @moarychan Could you please look into this issue?

Projects
Status: Todo
Development

No branches or pull requests

2 participants