[BUG] Azure Function with UserAssigned ManagedIdentity has a 16% chance to result in Azure.Identity.CredentialUnavailableException #10238
Comments
@jsquire is this related to #8037? As mentioned, I need to set the property IMO I'd have a much better dev experience if I did not need to fiddle with any environment variables or anything during PS. In case this is not the right place, please redirect me.
@1oglop1: You'll need to address that question to a member of the Functions team, who own the Functions host environment. This is the correct repository for those conversations, which is why I transferred this issue here.
I'm having the same problem but just with a System Managed Identity. Works fine on a staging slot but fails intermittently on the production slot with this exception:
This endpoint is unreachable and it should be using the one defined in the
@richlander, @liliankasem, @fabiocav Can we get someone to look at this? This is preventing function apps from using more secure methods (managed identities) to connect to other Azure services instead of user/pass connection strings.

I'm running a pretty big function app on a consumption plan using .NET 9 Isolated workers which is configured for System Managed Identity, and random instances of the function fail to run SQL queries since the required function host environment variables do not seem to be properly propagated to the function process. In this case specifically the

In our function startup we run this snippet to see if the variable is missing, and we get this error logged for some function processes and some not, so something is broken during host/process startup here.

```csharp
if (string.IsNullOrEmpty(Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT")))
{
    logger.LogError("Required environment variable IDENTITY_ENDPOINT is missing! We will be unable to use System Managed Identity connections to external services!");
}
```
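An expanded form of the startup check in the comment above, as an added example (not code from the thread or from the Functions host): it separates a missing or malformed `IDENTITY_ENDPOINT` from an endpoint that is present but cannot issue a token, and logs neither the header secret nor the token. `ManagedIdentityStartupCheck`, `MsiState` and the `log` callback are hypothetical names; `IDENTITY_HEADER` is the companion variable App Service sets for managed identity and is not mentioned in the thread.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public enum MsiState { Ready, EndpointMissing, EndpointMalformed, HeaderMissing, TokenUnavailable }

public static class ManagedIdentityStartupCheck
{
    // Inspects only the process environment; getEnv is injectable so the logic can be unit tested.
    public static MsiState InspectEnvironment(Func<string, string?> getEnv)
    {
        string? endpoint = getEnv("IDENTITY_ENDPOINT");
        if (string.IsNullOrEmpty(endpoint)) return MsiState.EndpointMissing;
        if (!Uri.TryCreate(endpoint, UriKind.Absolute, out Uri? uri) ||
            (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps))
            return MsiState.EndpointMalformed;
        // IDENTITY_HEADER is a secret: test for presence only, never log its value.
        return string.IsNullOrEmpty(getEnv("IDENTITY_HEADER")) ? MsiState.HeaderMissing : MsiState.Ready;
    }

    // Environment first, then one real token request, so the log says which layer failed.
    public static async Task<MsiState> RunAsync(
        TokenCredential credential, string scope, Action<string> log, CancellationToken ct = default)
    {
        MsiState state = InspectEnvironment(Environment.GetEnvironmentVariable);
        if (state != MsiState.Ready)
        {
            // The process id helps correlate which worker processes started without the variables.
            log($"Managed identity environment check failed: {state} (pid {Environment.ProcessId})");
            return state;
        }
        try
        {
            AccessToken token = await credential.GetTokenAsync(new TokenRequestContext(new[] { scope }), ct);
            log($"Managed identity token acquired, expires {token.ExpiresOn:O}"); // never log token.Token
            return MsiState.Ready;
        }
        catch (CredentialUnavailableException ex)
        {
            log($"Managed identity endpoint present but token unavailable: {ex.Message}");
            return MsiState.TokenUnavailable;
        }
    }
}
```

Called once at worker startup with a `ManagedIdentityCredential` and a scope such as `https://management.azure.com/.default`, the returned state can feed a health check so an affected instance is reported rather than silently failing requests.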
Issue Transfer
This issue has been transferred from the Azure SDK for .NET repository, #44693.
Please be aware that @nols-neulsen is the author of the original issue and include them for any questions or replies.
Azure SDK triage
The error indicates that the local managed identity endpoint on the host is unavailable or inaccessible to HTTP traffic when the application starts running and the Identity library attempts to acquire a token. This is not something that the credential or the application has insight into nor influence over. This requires investigation of the host environment.
Details
Describe the bug
I have a Windows hosted Function App (Consumption plan) with a single HTTP trigger function.
This function will initialize an ArmClient, using ManagedIdentityCredential, to spawn Container App Jobs.
From a test (902 invocations) this function only succeeds 84% of the time; the other 16% fails due to Azure.Identity.CredentialUnavailableException.
Running locally, everything works 100% of the time if I provide an AzureCliCredential; VisualStudioCredential (with Sync active) seems to also not work all the time.
Function App:
Packages:
User Assigned Managed Identity role assignments:
Code:
Error:
Expected behavior
Retrieving the credential succeeds 100%
Actual behavior
In 16% of the cases the execution fails due to Azure.Identity.CredentialUnavailableException
Reproduction Steps
Hosting info and code provided in bug description