I have a k8s cluster in Azure using the AKS preview.
I also have MSI enabled on the VMs. If I ssh to the VMs I can see the MSI service is working:
```shell
curl http://localhost:50342/oauth2/token --data "resource=https://vault.azure.net" -H Metadata:true
```
I get a response that has what you'd expect based on the documentation.
However, I cannot figure out how to get my ASP.NET Core applications to use the AzureServiceTokenProvider
as desired. Locally it works; once deployed inside a pod in Kubernetes it cannot find the authorization required.
The error I get is:

```
Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/9d93c307-6856-4bab-8fa9-99690e0fabaf. Exception Message: Tried the following 3 methods to get an access token, but none of them worked. Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/9d93c307-6856-4bab-8fa9-99690e0fabaf. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup. Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/9d93c307-6856-4bab-8fa9-99690e0fabaf. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set. Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/9d93c307-6856-4bab-8fa9-99690e0fabaf. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. /bin/bash: az: No such file or directory
```
Has anyone been able to read from KeyVault in a pod using similar code?
```csharp
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

// The provider tries MSI, then Visual Studio, then Azure CLI (the three methods listed in the error)
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
// KVC and location are fields of the enclosing class
KVC = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var baseUrl = config.GetValue<string>("Azure:VaultURL");
var secretLocation = config.GetValue<string>("Azure:SecretLocation");
location = $"{baseUrl}{secretLocation}";
var secretValue = KVC.GetSecretAsync(location).Result.Value;
```
Do you have any familiarity with AAD Pod Identity? https://github.com/Azure/aad-pod-identity. We've been working with this in an enterprise environment and user assigned identities, as opposed to an MSI.
This approach doesn't solve your MSI problem, but it does offer an alternative which may solve your underlying issue.
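The pod-identity approach mentioned above, as an added example that is not part of the original answer or of the aad-pod-identity project's own files: the `AzureIdentity` describes a user-assigned identity, the `AzureIdentityBinding` ties it to a selector, and the pod opts in with the `aadpodidbinding` label. The NMI daemonset the project installs then answers the pod's token requests on its behalf, so the `AzureServiceTokenProvider` code in the question runs unchanged and never needs to reach the node's `localhost:50342` endpoint, which is not visible from inside a pod's network namespace. The subscription, resource group, identity name and client ID are placeholders to replace with your own.

```yaml
# Added example (not from the original post): user-assigned identity exposed to a pod via AAD Pod Identity.
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: keyvault-reader
spec:
  type: 0   # 0 = user-assigned managed identity
  # Placeholders: fill in the resource ID and client ID of your identity
  resourceID: /subscriptions/<SUBSCRIPTION_ID>/resourcegroups/<RESOURCE_GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<IDENTITY_NAME>
  clientID: <IDENTITY_CLIENT_ID>
---
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: keyvault-reader-binding
spec:
  azureIdentity: keyvault-reader
  selector: keyvault-reader   # value pods must carry in their aadpodidbinding label
---
apiVersion: v1
kind: Pod
metadata:
  name: aspnet-app
  labels:
    aadpodidbinding: keyvault-reader   # only pods with this label can use the identity
spec:
  containers:
    - name: app
      image: <YOUR_REGISTRY>/aspnet-app:latest   # placeholder image
      env:
        - name: Azure__VaultURL
          value: https://<VAULT_NAME>.vault.azure.net/   # placeholder vault
        - name: Azure__SecretLocation
          value: secrets/<SECRET_NAME>
```

Because the binding is by label, give the Key Vault access policy to this identity only, and keep the label off pods that have no business reading secrets; the label is the boundary that decides which workloads can obtain the token.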