ManagedIdentityCredential - Azure Arc MSI: To authenticate with Azure Arc MSI, status code 401 is expected on the first request #54

@timja

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

  1. Write an app using the JS SDK (the services I'm using are Azure OpenAI and Azure AI Search, both failed in the same way): https://learn.microsoft.com/en-us/javascript/api/overview/azure/identity-readme?view=azure-node-latest
  2. Build the app in docker, my compose file looks like

    services:
      my-app:
        build: .
        depends_on:
          - azure-cli-proxy
        environment:
          - "IDENTITY_ENDPOINT=http://azure-cli-proxy:8080/token"
          - "IMDS_ENDPOINT=dummy_required_value"
      azure-cli-proxy:
        image: workleap/azure-cli-credentials-proxy:1.1.0
        ports:
          - "8080:8080"
        volumes:
          - "$HOME/.azure:/app/.azure/"

  3. Click on '....'
  4. See error

slack-help-bot-1   | /opt/app/node_modules/@azure/identity/dist/index.js:2747
slack-help-bot-1   |             throw new AuthenticationError(err.statusCode, {
slack-help-bot-1   |                   ^
slack-help-bot-1   |
slack-help-bot-1   | AuthenticationError: ManagedIdentityCredential authentication failed. Status code: 200
slack-help-bot-1   | More details:
slack-help-bot-1   | unknown_error Status code: 200
slack-help-bot-1   | More details:
slack-help-bot-1   | An unknown error has occurred. Response body:
slack-help-bot-1   |
slack-help-bot-1   | ManagedIdentityCredential - Azure Arc MSI: To authenticate with Azure Arc MSI, status code 401 is expected on the first request.  Response: {"access_token":"...", "expiresOn":"2024-07-24T16:25:17.0000000+00:00","expires_on":"1721838317","tokenType":"Bearer","resource":"https://cognitiveservices.azure.com"}
slack-help-bot-1   |     at LegacyMsiProvider.getToken (/opt/app/node_modules/@azure/identity/dist/index.js:2747:19)
slack-help-bot-1   |     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
slack-help-bot-1   |     at async /opt/app/node_modules/@azure/identity/dist/index.js:3473:29
slack-help-bot-1   |     at async Object.withSpan (/opt/app/node_modules/@azure/core-tracing/dist/index.js:140:28)
slack-help-bot-1   |     at async DefaultAzureCredential.getToken (/opt/app/node_modules/@azure/identity/dist/index.js:3463:27)
slack-help-bot-1   |     at async tryGetAccessToken (/opt/app/node_modules/@azure/core-rest-pipeline/dist/index.js:1997:32)
slack-help-bot-1   |     at async beginRefresh (/opt/app/node_modules/@azure/core-rest-pipeline/dist/index.js:2005:17)
slack-help-bot-1   |     at async Object.defaultAuthorizeRequest [as authorizeRequest] (/opt/app/node_modules/@azure/core-rest-pipeline/dist/index.js:2128:25)
slack-help-bot-1   |     at async Object.sendRequest (/opt/app/node_modules/@azure/core-rest-pipeline/dist/index.js:2179:13)
slack-help-bot-1   |     at async AzureOpenAI.getRefreshedToken [as _azureADTokenProvider] (/opt/app/node_modules/@azure/identity/dist/index.js:4413:21)
slack-help-bot-1   |     at async AzureOpenAI._getAzureADToken (/opt/app/node_modules/openai/index.js:221:27)
slack-help-bot-1   |     at async AzureOpenAI.prepareOptions (/opt/app/node_modules/openai/index.js:236:23)
slack-help-bot-1   |     at async AzureOpenAI.makeRequest (/opt/app/node_modules/openai/core.js:285:9)
slack-help-bot-1   |     at async analyticsRecommendations (/opt/app/src/ai/ai.js:26:18)

Expected behavior

Documented option should work out of the box

Screenshots
If applicable, add screenshots to help explain your problem.

Environment (please complete the following information):

  • OS: Mac
  • Version: 1.1.0
  • azure/identity SDK: 4.40

Additional context

I also tried:

    environment:
      - "IDENTITY_ENDPOINT=http://azure-cli-proxy:8080/token"
      - "IMDS_ENDPOINT=dummy_required_value"
      - "MSI_ENDPOINT=http://azure-cli-proxy:8080/token"

After reading the source code of the Azure SDK and looking at what triggered each MSI type of lookup I removed IDENTITY_ENDPOINT and IMDS_ENDPOINT to have a file that looks like:

    services:
      my-app:
        build: .
        depends_on:
          - azure-cli-proxy
        environment:
          - "MSI_ENDPOINT=http://azure-cli-proxy:8080/token"
      azure-cli-proxy:
        image: workleap/azure-cli-credentials-proxy:1.1.0
        ports:
          - "8080:8080"
        volumes:
          - "$HOME/.azure:/app/.azure/"
          #- "\\\\wsl$\\<DISTRONAME>\\home\\<USERNAME>\\.azure\\:/app/.azure/" # Uncomment on Windows with WSL

and that worked.

I'm not sure how generic across the SDKs the solution is but if it works across multiple then maybe just MSI_ENDPOINT should be specified?

My app just uses the Default Token credential that is recommended.
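
A pre-flight check for the situation reported above, added here as an example (not code from the issue author, the proxy project, or the Azure SDK): it classifies a container's environment by the managed-identity flow the variables appear to select and flags the mismatch with a plain token proxy. The variable-to-flow table, its order, and the names `FLOWS` and `diagnose` are assumptions inferred from the behaviour described in this issue.

```javascript
// Added example (not SDK code). The variable-to-flow table and its order are
// assumptions inferred from the behaviour reported in this issue.
const FLOWS = [
  { name: "Azure Arc", needs: ["IDENTITY_ENDPOINT", "IMDS_ENDPOINT"], challenge401: true },
  { name: "Service Fabric", needs: ["IDENTITY_ENDPOINT", "IDENTITY_HEADER", "IDENTITY_SERVER_THUMBPRINT"] },
  { name: "App Service 2019", needs: ["IDENTITY_ENDPOINT", "IDENTITY_HEADER"] },
  { name: "App Service 2017", needs: ["MSI_ENDPOINT", "MSI_SECRET"] },
  { name: "MSI_ENDPOINT only", needs: ["MSI_ENDPOINT"] },
];
const ENDPOINT_VARS = ["IDENTITY_ENDPOINT", "IMDS_ENDPOINT", "MSI_ENDPOINT"];

function isUrl(value) {
  try { new URL(value); return true; } catch { return false; }
}

// Returns the first matching flow name plus findings a reviewer should act on.
function diagnose(env) {
  const isSet = (k) => typeof env[k] === "string" && env[k] !== "";
  const flow = FLOWS.find((f) => f.needs.every(isSet)) || null;
  const findings = [];
  for (const k of ENDPOINT_VARS.filter(isSet)) {
    if (!isUrl(env[k])) findings.push(`${k} is not a URL: ${env[k]}`);
  }
  if (flow && flow.challenge401) {
    findings.push("selected flow expects a 401 challenge first; a proxy answering 200 with a token is rejected");
    if (isSet("MSI_ENDPOINT")) findings.push("MSI_ENDPOINT is set but shadowed by the Azure Arc variables");
  }
  return { flow: flow ? flow.name : null, findings };
}

// Constructed inputs mirroring the three compose variants in the issue.
const proxy = "http://azure-cli-proxy:8080/token";
const documented = { IDENTITY_ENDPOINT: proxy, IMDS_ENDPOINT: "dummy_required_value" };
const withMsiToo = { ...documented, MSI_ENDPOINT: proxy };
const msiOnly = { MSI_ENDPOINT: proxy };

for (const [label, env] of Object.entries({ documented, withMsiToo, msiOnly })) {
  console.log(label, JSON.stringify(diagnose(env), null, 2));
}
```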
