2

Scenario/repro

I have a multicontainer (tutorial here) Azure web app. I assigned a system-assigned identity to my web app. There are two containers in my Docker Compose file:

  • .NET Core WebApi container
  • Antivirus ClamAV container

Everything worked fine (my API uses the antivirus to scan files) until I added the Key Vault configuration provider with Managed Identity for Azure resources (link). This works perfectly with my standard web apps on Linux.

// Program.cs
.ConfigureAppConfiguration((context, config) =>
{
  if (context.HostingEnvironment.IsProduction())
  {
    var builtConfig = config.Build();
    var secretClient = new SecretClient(new Uri($"https://{builtConfig["KeyVaultName"]}.vault.azure.net/"),
    new DefaultAzureCredential());
    config.AddAzureKeyVault(secretClient, new KeyVaultSecretManager());
  }
})

Problem

My API returns a 503 status code. It seems that I need to do some extra configuration to make it work with Docker Compose.

EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
2021-06-14T11:42:46.912167603Z - ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
2021-06-14T11:42:46.912175503Z - Operating system Linux 5.4.0-1031-azure #32~18.04.1-Ubuntu SMP Tue Oct 6 10:03:22 UTC 2020 isn't supported.
2021-06-14T11:42:46.912183204Z - Stored credentials not found. Need to authenticate user in VSCode Azure Account.
2021-06-14T11:42:46.912190304Z - Azure CLI not installed
2021-06-14T11:42:46.912197204Z - PowerShell is not installed.
2021-06-14T11:42:46.912205004Z ---> System.AggregateException: Multiple exceptions were encountered 
...
Azure.Identity.CredentialUnavailableException: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
...
Azure.Identity.CredentialUnavailableException: Operating system Linux 5.4.0-1031-azure #32~18.04.1-Ubuntu SMP Tue Oct 6 10:03:22 UTC 2020 isn't supported.

It seems that this feature is not fully supported. Any idea how to use the Key Vault provider in such a scenario?

4
  • Please confirm if you have granted get and list permissions to the Managed Identity on the key vault secret resources. Here is the snippet from the tutorial you mentioned in your post: az keyvault set-policy --name {KEY VAULT NAME} --object-id {OBJECT ID} --secret-permissions get list Commented Jun 14, 2021 at 14:42
  • Yes, I did. As I mentioned, this works perfectly with my standard web apps. The problem is with Docker Compose apps. The exception details say that the error is in the web app environment. Commented Jun 14, 2021 at 15:44
  • Check if this helps: stackoverflow.com/questions/62817337/… Commented Jun 14, 2021 at 16:15
  • The web app environment sets these variables on its own. They are not visible to the user, e.g. in Kudu. Commented Jun 14, 2021 at 16:32

1 Answer

2

Managed identities are not supported in multicontainer apps. See: https://learn.microsoft.com/en-us/answers/questions/118045/are-managed-identities-for-multi-container-webapps.html
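
A diagnostic that can be run from a shell inside the API container to see which of the credential sources named in the log above the environment can actually satisfy. This is an added example, not part of the original question or answer: the function names are hypothetical, and it assumes the App Service identity variables IDENTITY_ENDPOINT/IDENTITY_HEADER (legacy MSI_ENDPOINT/MSI_SECRET) and the service-principal form of EnvironmentCredential.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the original post).
# Reports which DefaultAzureCredential sources this container can satisfy.
# Only variable NAMES are printed, never values, so the output is safe to share.

# True when the named variable is non-empty. Called with fixed names only.
is_set() {
    eval "[ -n \"\${$1:-}\" ]"
}

# App Service exposes a managed identity to a container through
# IDENTITY_ENDPOINT + IDENTITY_HEADER (older hosts: MSI_ENDPOINT + MSI_SECRET).
# If neither pair is present, ManagedIdentityCredential has nothing to call.
managed_identity_state() {
    if is_set IDENTITY_ENDPOINT && is_set IDENTITY_HEADER; then
        echo available
    elif is_set MSI_ENDPOINT && is_set MSI_SECRET; then
        echo available-legacy
    else
        echo unavailable
    fi
}

# Service-principal form of EnvironmentCredential (assumption: the
# username/password form is not checked here): tenant id, client id,
# and either a client secret or a certificate path.
environment_credential_state() {
    missing=""
    for v in AZURE_TENANT_ID AZURE_CLIENT_ID; do
        is_set "$v" || missing="$missing $v"
    done
    if ! is_set AZURE_CLIENT_SECRET && ! is_set AZURE_CLIENT_CERTIFICATE_PATH; then
        missing="$missing AZURE_CLIENT_SECRET|AZURE_CLIENT_CERTIFICATE_PATH"
    fi
    if [ -z "$missing" ]; then echo available; else echo "missing:$missing"; fi
}

credential_report() {
    echo "ManagedIdentityCredential: $(managed_identity_state)"
    echo "EnvironmentCredential: $(environment_credential_state)"
}

credential_report
```

If a service principal is used as the fallback, its secret is a long-lived credential in app settings, so scope its Key Vault access policy to the same get and list secret permissions mentioned in the comments.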
