Error: Managed Identity: DefaultAzureCredential authentication failed #248

Open
dlaatheijmans opened this issue Nov 21, 2024 · 1 comment

dlaatheijmans commented Nov 21, 2024

Hello,

I'm encountering an issue when trying to use a Managed Identity with a Federated Credential in GitHub Actions to run azure/[email protected]. The Managed Identity has been configured with a Federated Credential for GitHub (environment).

I added my Managed Identity to the database as db_owner, with the following query:

    DROP USER IF EXISTS [ManagedIdentity-Dev];
    CREATE USER [ManagedIdentity-Dev] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA=[dbo];
    ALTER ROLE db_owner ADD MEMBER [ManagedIdentity-Dev];

Here is my GitHub Actions workflow (.yml file):

    create-sql-users:
      runs-on:
        group: github-runner-Dev
      environment: ${{ inputs.environment }}
      steps:
        - uses: actions/checkout@main
        - uses: azure/login@v2
          with:
            client-id: ${{ vars.AZURE_CLIENT_ID }} # The Managed Identity with Federated Credential
            tenant-id: ${{ vars.AZURE_TENANT_ID }}
            subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
        - uses: azure/[email protected]
          with:
            connection-string: ${{ secrets.AZURE_SQL_CONNECTION_STRING }}
            path: './.github/sql/users.sql'
            skip-firewall-check: true

Issue:

When the workflow runs, I receive the following error message:

    sqlcmd -S mydatabase-dev.database.windows.net,1433 -d mydatabase-dev --authentication-method=ActiveDirectoryDefault -i ./.github/sql/users.sql
    DefaultAzureCredential authentication failed
    GET http://localhost:42356/msi/token
    --------------------------------------------------------------------------------
    RESPONSE 400 Bad Request
    --------------------------------------------------------------------------------
    {
      "statusCode": 400,
      "message": "No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.",
      "correlationId": "86d82795-065e-4a71-a11c-12a10e7879d0"
    }

Am I missing something?

dlaatheijmans commented Nov 21, 2024

The error message was on my screen all the time: GET http://localhost:42356/msi/token. Apparently, when deploying from GitHub Actions in an Azure Container Instance, the token endpoint is set wrong.

I added this to my yaml, and it started working:

    env:
      IDENTITY_ENDPOINT: http://169.254.169.254:42356/
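
A pre-flight step for the situation in this thread, added here as an example and not part of the issue or of the action's own code: it lists the managed-identity endpoint variables visible to the job and classifies each host as loopback (like the `localhost:42356` endpoint in the error) or link-local (like the `169.254.169.254` value in the workaround). The variable names other than `IDENTITY_ENDPOINT` are assumed from the Azure Identity libraries' managed-identity credential, and `classify_endpoint` and `report_identity_env` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the issue): show which managed-identity endpoint
# variables a runner exposes, so a wrong token endpoint is visible before
# sqlcmd runs. Secret-bearing variables are reported as set/unset only.

# Classify an endpoint URL by host: loopback, link-local, other, or unset.
classify_endpoint() {
    hostport=${1:-}
    hostport=${hostport#*://}   # drop the scheme
    hostport=${hostport%%/*}    # drop the path
    case "$hostport" in
        "")                                   echo unset ;;
        localhost|localhost:*|127.*|"[::1]"*) echo loopback ;;
        169.254.*)                            echo link-local ;;
        *)                                    echo other ;;
    esac
}

# Print one line per variable. The variable list is an assumption (names read
# by the Azure Identity managed-identity credential), not taken from the page.
report_identity_env() {
    for name in IDENTITY_ENDPOINT MSI_ENDPOINT IMDS_ENDPOINT; do
        eval "value=\${$name:-}"
        printf '%s=%s (%s)\n' "$name" "${value:-<unset>}" "$(classify_endpoint "$value")"
    done
    # These two can carry secrets, so only report whether they are set.
    for name in IDENTITY_HEADER MSI_SECRET; do
        eval "value=\${$name:-}"
        if [ -n "$value" ]; then
            printf '%s=<set, value not shown>\n' "$name"
        else
            printf '%s=<unset>\n' "$name"
        fi
    done
}

report_identity_env
```

Run as a `run:` step before the SQL step, the output shows whether the job sees a loopback token endpoint like the one in the 400 response above.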
