No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId #2148

Open
amirj opened this issue Nov 12, 2024 · 1 comment

amirj commented Nov 12, 2024

My app is running perfectly locally and communicates with Azure resources, but the deployed app is having the following exception once generating the answer:

2024-11-12T16:31:05.845514845Z 2024-11-12 16:31:05,845 - INFO - Setting up Azure credential using ManagedIdentityCredential
2024-11-12T16:31:05.846747156Z 2024-11-12 16:31:05,846 - INFO - Setting up Azure credential using ManagedIdentityCredential with client_id xxxxxx
...
2024-11-12T16:43:01.948261341Z 2024-11-12 16:43:01,947 - WARNING - AppServiceCredential.get_token failed: (None) No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.
2024-11-12T16:43:01.948297042Z Code: None
2024-11-12T16:43:01.948302642Z Message: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.
2024-11-12T16:43:01.948307342Z 2024-11-12 16:43:01,948 - WARNING - ManagedIdentityCredential.get_token failed: (None) No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.
2024-11-12T16:43:01.948311942Z Code: None
2024-11-12T16:43:01.948333642Z Message: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.
2024-11-12T16:43:01.951917774Z 2024-11-12 16:43:01,948 - ERROR - Exception while generating response stream: (None) No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.
2024-11-12T16:43:01.951970374Z Code: None
2024-11-12T16:43:01.951977974Z Message: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.
2024-11-12T16:43:01.951982974Z Traceback (most recent call last):
2024-11-12T16:43:01.951986875Z   File "/tmp/8dd030b56bad4dd/app.py", line 200, in format_as_ndjson
2024-11-12T16:43:01.951991075Z     async for event in r:
2024-11-12T16:43:01.951994675Z   File "/tmp/8dd030b56bad4dd/approaches/chatapproach.py", line 113, in run_with_streaming
2024-11-12T16:43:01.951998975Z     extra_info, chat_coroutine = await self.run_until_final_call(
2024-11-12T16:43:01.952002975Z                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952006975Z   File "/tmp/8dd030b56bad4dd/approaches/chatreadretrieveread.py", line 159, in run_until_final_call
2024-11-12T16:43:01.952011275Z     results = await self.search(
2024-11-12T16:43:01.952015475Z               ^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952019975Z   File "/tmp/8dd030b56bad4dd/approaches/approach.py", line 175, in search
2024-11-12T16:43:01.952023975Z     async for page in results.by_page():
2024-11-12T16:43:01.952027775Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/async_paging.py", line 94, in __anext__
2024-11-12T16:43:01.952032375Z     self._response = await self._get_next(self.continuation_token)
2024-11-12T16:43:01.952191776Z                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952205476Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/search/documents/aio/_paging.py", line 109, in _get_next_cb
2024-11-12T16:43:01.952211477Z     return await self._client.documents.search_post(search_request=self._initial_query.request, **self._kwargs)
2024-11-12T16:43:01.952216777Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952221277Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/tracing/decorator_async.py", line 105, in wrapper_use_tracer
2024-11-12T16:43:01.952234477Z     return await func(*args, **kwargs)
2024-11-12T16:43:01.952239077Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952242977Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/search/documents/_generated/aio/operations/_documents_operations.py", line 400, in search_post
2024-11-12T16:43:01.952246777Z     pipeline_response: PipelineResponse = await self._client._pipeline.run(  # pylint: disable=protected-access
2024-11-12T16:43:01.952252277Z                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952264477Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/_base_async.py", line 219, in run
2024-11-12T16:43:01.952268877Z     return await first_node.send(pipeline_request)
2024-11-12T16:43:01.952272877Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952277177Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/_base_async.py", line 68, in send
2024-11-12T16:43:01.952281077Z     response = await self.next.send(request)
2024-11-12T16:43:01.952284677Z                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952288277Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/_base_async.py", line 68, in send
2024-11-12T16:43:01.952292477Z     response = await self.next.send(request)
2024-11-12T16:43:01.952297077Z                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952302077Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/_base_async.py", line 68, in send
2024-11-12T16:43:01.952306177Z     response = await self.next.send(request)
2024-11-12T16:43:01.952309877Z                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952313577Z   [Previous line repeated 2 more times]
2024-11-12T16:43:01.952317977Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/policies/_redirect_async.py", line 73, in send
2024-11-12T16:43:01.952322078Z     response = await self.next.send(request)
2024-11-12T16:43:01.952325678Z                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952329378Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/policies/_retry_async.py", line 180, in send
2024-11-12T16:43:01.952333178Z     response = await self.next.send(request)
2024-11-12T16:43:01.952336878Z                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952340978Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/policies/_authentication_async.py", line 98, in send
2024-11-12T16:43:01.952345078Z     await await_result(self.on_request, request)
2024-11-12T16:43:01.952348978Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/_tools_async.py", line 56, in await_result
2024-11-12T16:43:01.952353578Z     return await result
2024-11-12T16:43:01.952357478Z            ^^^^^^^^^^^^
2024-11-12T16:43:01.952361178Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/policies/_authentication_async.py", line 70, in on_request
2024-11-12T16:43:01.952365278Z     self._token = await await_result(self._credential.get_token, *self._scopes)
2024-11-12T16:43:01.952370178Z                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952374678Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/_tools_async.py", line 56, in await_result
2024-11-12T16:43:01.952386578Z     return await result
2024-11-12T16:43:01.952391178Z            ^^^^^^^^^^^^
2024-11-12T16:43:01.952395478Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/decorators.py", line 21, in wrapper
2024-11-12T16:43:01.952401178Z     token = await fn(*args, **kwargs)
2024-11-12T16:43:01.952406478Z             ^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952411478Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/identity/aio/_credentials/managed_identity.py", line 141, in get_token
2024-11-12T16:43:01.952417178Z     return await self._credential.get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
2024-11-12T16:43:01.952422478Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952427978Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/managed_identity_base.py", line 49, in get_token
2024-11-12T16:43:01.952433579Z     return await super().get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
2024-11-12T16:43:01.952438879Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952444179Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/get_token_mixin.py", line 93, in get_token
2024-11-12T16:43:01.952449879Z     token = await self._request_token(
2024-11-12T16:43:01.952455179Z             ^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952460479Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/managed_identity_base.py", line 57, in _request_token
2024-11-12T16:43:01.952464979Z     return await cast(AsyncManagedIdentityClient, self._client).request_token(*scopes, **kwargs)
2024-11-12T16:43:01.952468979Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952472679Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/managed_identity_client.py", line 35, in request_token
2024-11-12T16:43:01.952476479Z     token = self._process_response(response, request_time)
2024-11-12T16:43:01.952480079Z             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952484579Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/identity/_internal/managed_identity_client.py", line 63, in _process_response
2024-11-12T16:43:01.952488679Z     raise ClientAuthenticationError(
2024-11-12T16:43:01.952492279Z azure.core.exceptions.ClientAuthenticationError: (None) No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.
2024-11-12T16:43:01.952496679Z Code: None
2024-11-12T16:43:01.952501879Z Message: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.

I'm sure that the provided AZURE_CLIENT_ID has access to my search service with role AI Search Contributor and Search Index Data Contributor.

Looking at the app code it seems that it's only using AZURE_CLIENT_ID without any secret? How's it working?

azure_credential = ManagedIdentityCredential(client_id=AZURE_CLIENT_ID)

Could you help me understand how the above ManagedIdentityCredential is working, please?

@pamelafox
Collaborator

The app uses Managed identity with user-assigned identity for the Azure Container App, and infra/main.bicep sets all the roles so that the Container App has all the access needed for the services. No secret is needed when using managed identity on an Azure host like App Service or Container Apps. If you deploy with "azd up", all of the roles and identities should have been set up for you. If you did not, you'll need to check the Bicep and ensure that you have the same identities and role setup.
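
An added example (not code from this repository or from either commenter): a pre-deployment check that the value passed as `client_id` is the clientId of a user-assigned identity attached to the app, which is what the error message reports as not found. The sample JSON follows the shape of `az webapp identity show` output and is constructed; every GUID, the resource ID and the `check_client_id` helper name are placeholders.

```python
import json

# Constructed sample in the shape of `az webapp identity show` output.
# All GUIDs and the resource ID are placeholders, not values from the issue.
SAMPLE_IDENTITY_JSON = """
{
  "principalId": "11111111-1111-1111-1111-111111111111",
  "tenantId": "00000000-0000-0000-0000-000000000000",
  "type": "SystemAssigned, UserAssigned",
  "userAssignedIdentities": {
    "/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/example-id": {
      "clientId": "22222222-2222-2222-2222-222222222222",
      "principalId": "33333333-3333-3333-3333-333333333333"
    }
  }
}
"""


def check_client_id(identity_json, client_id):
    """Return (ok, reason): can ManagedIdentityCredential(client_id=...) resolve on this host?"""
    # The CLI prints nothing when the app has no identity block at all.
    identity = json.loads(identity_json) if identity_json.strip() else None
    if not identity:
        return False, "no managed identity is enabled on the app"

    wanted = client_id.strip().lower()
    user_assigned = identity.get("userAssignedIdentities") or {}
    for resource_id, ids in user_assigned.items():
        if (ids.get("clientId") or "").lower() == wanted:
            return True, f"attached user-assigned identity: {resource_id}"
        # Frequent mix-up: the object (principal) ID was configured instead of the client ID.
        if (ids.get("principalId") or "").lower() == wanted:
            return False, "value is the principalId of an attached identity, not its clientId"

    # The system-assigned identity is selected by omitting client_id, not by passing an ID.
    if (identity.get("principalId") or "").lower() == wanted:
        return False, "value is the system-assigned principalId; omit client_id to use that identity"
    return False, "no attached user-assigned identity has this clientId"
```

Role assignments on the search service are a separate check: they decide what the identity may do once a token is issued, while this check covers whether the host can obtain a token for that identity at all.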
