This question refers to the article:

https://docs.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity

I'm trying to figure out how I can simulate using the service principal that is generated for my Azure application so that I can work locally.

I followed the article, and when I deploy the Azure Function to Azure and run it from there, I'm able to use the MSI_ENDPOINT and the MSI_SECRET to successfully get the token. However, when I run the same deployment locally it fails. I use the exact same MSI_SECRET and change the MSI_ENDPOINT to the domain that I use for the Azure Function endpoint.

Example: On Azure the MSI_ENDPOINT = http://127.0.0.1:41831 and locally it is http://localhost:7071 (http://0.0.0.0:7071).

However, when I run it locally I get a 404 error for the request. The request is http://0.0.0.0:7071/MSI/token?resource=https://vault.azure.net&api-version=2017-09-01 with the secret in the header. Exact same params as the working one deployed on Azure, except for the MSI_ENDPOINT.

Any advice on how to address this so I can run and test locally?

Using the Microsoft.Azure.Services.AppAuthentication library for .NET

For .NET applications and functions, the simplest way to work with a managed identity is through the Microsoft.Azure.Services.AppAuthentication package. This library will also allow you to test your code locally on your development machine, using your user account from Visual Studio, the Azure CLI, or Active Directory Integrated Authentication. For more on local development options with this library, see the Microsoft.Azure.Services.AppAuthentication reference. This section shows you how to get started with the library in your code. Add references to the Microsoft.Azure.Services.AppAuthentication and Microsoft.Azure.KeyVault NuGet packages to your application.

However, this library is only available in .NET, which I'm not using, and the article does not really explain how you would do it via a REST call.

Thanks!



As far as I understand, MSI via REST works for you in the cloud, but not locally.

Unfortunately, it seems this is currently not easily possible when you can't use the AppAuthentication library. See this GitHub suggestion.

So if you don't want to hack some debug code into your production code, you probably need to host a "custom MSI proxy" locally which just performs the classic authentication via client credentials (appId + secret) to return the token.

curl -d "grant_type=client_credentials&client_id=<removed_for_security>&client_secret=<removed_for_security>&resource=https%3A%2F%2Fvault.azure.net" https://login.microsoftonline.com/<removed_for_security>/oauth2/token

Note that I added the KeyVault as the resource parameter. See your built MSI URL - http://0.0.0.0:7071/MSI/token?resource=https://vault.azure.net&api-version=2017-09-01

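One way to build the "custom MSI proxy" the answer describes, as an added example (not code from the question, the answer, or Microsoft): a small Python server that accepts the function's own GET /MSI/token request unchanged, checks the Secret header, and forwards the requested resource to the client-credentials POST from the curl command above, returning the token response as-is. TENANT_ID, CLIENT_ID, CLIENT_SECRET and MSI_SECRET are constructed placeholders for an app registration you create to stand in for the managed identity locally.

```python
import json
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholders (hypothetical): an app registration that stands in for the
# function's managed identity, and the value your local code sends as MSI_SECRET.
TENANT_ID, CLIENT_ID, CLIENT_SECRET = "<tenant-guid>", "<app-registration-guid>", "<app-secret>"
MSI_SECRET = "local-dev-secret"
AAD_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"

def parse_msi_request(path, headers, expected_secret):
    """Check a GET against the MSI contract; return (status, resource or error text)."""
    url = urllib.parse.urlsplit(path)
    if url.path != "/MSI/token":
        return 404, "unknown path"
    if headers.get("Secret") != expected_secret:  # same header the real MSI endpoint checks
        return 401, "missing or wrong Secret header"
    query = urllib.parse.parse_qs(url.query)
    if "resource" not in query or query.get("api-version") != ["2017-09-01"]:
        return 400, "resource and api-version=2017-09-01 are required"
    return 200, query["resource"][0]

def client_credentials_request(resource, tenant, client_id, client_secret):
    """Build the same POST as the answer's curl command: (url, form-encoded body)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "resource": resource})
    return AAD_TOKEN_URL.format(tenant=tenant), body

def fetch_token(resource):
    """The v1 token response already carries access_token, expires_on, resource and
    token_type, which is what code written against the MSI endpoint reads."""
    url, body = client_credentials_request(resource, TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    with urllib.request.urlopen(url, data=body.encode()) as resp:
        return json.load(resp)

class MsiProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, value = parse_msi_request(self.path, self.headers, MSI_SECRET)
        payload = fetch_token(value) if status == 200 else {"error": value}
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    # Loopback only: anything that can reach this port can mint tokens with your secret.
    HTTPServer(("127.0.0.1", 41831), MsiProxyHandler).serve_forever()
```

Point MSI_ENDPOINT at http://127.0.0.1:41831 locally; the Functions host on port 7071 never serves /MSI/token, which is why the original request returned 404.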
  • Thanks Alex. However, in this case, I'm using an Azure Function. What would the client_id or even app id be, since I'm using the consumption plan and it's attached to any app? – darewreck Oct 06 '18 at 17:38
  • It should be the ID of your service principal(guid). – Alex AIT Oct 06 '18 at 18:18
  • With Azure Functions, the only way that I'm able to get the service principal is by printing out the MSI_SECRET, since the way you enable it is by just switching a toggle button in the Azure Function settings. However, since that is system defined, would it change? It feels inaccurate to grab the key that way. Any suggestion on how to properly grab the service principal secret for Azure Functions? – darewreck Oct 07 '18 at 16:35
  • I'm getting the following error when I try: Application with identifier was not found in the directory . This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. In this case, I grabbed the tenantId and principalId from the Azure Function property -> platform feature -> resource explorer; there is a section called "identity" where it has (type, tenantId, principalId). – darewreck Oct 08 '18 at 17:54