Add managed identity timeout to troubleshooting guide (#21018)

Azure · Jun 14, 2023 · a98f12e · a98f12e
1 parent f2beb36
commit a98f12e
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/sdk/azidentity/TROUBLESHOOTING.md b/sdk/azidentity/TROUBLESHOOTING.md
@@ -76,12 +76,14 @@ azlog.SetListener(func(event azlog.Event, s string) {
 azlog.SetEvents(azidentity.EventAuthentication)
 ```
 
+<a id="dac"></a>
 ## Troubleshoot DefaultAzureCredential authentication issues
 
 | Error |Description| Mitigation |
 |---|---|---|
 |"DefaultAzureCredential failed to acquire a token"|No credential in the `DefaultAzureCredential` chain provided a token|<ul><li>[Enable logging](#enable-and-configure-logging) to get further diagnostic information.</li><li>Consult the troubleshooting guide for underlying credential types for more information.</li><ul><li>[EnvironmentCredential](#troubleshoot-environmentcredential-authentication-issues)</li><li>[ManagedIdentityCredential](#troubleshoot-managedidentitycredential-authentication-issues)</li><li>[AzureCLICredential](#troubleshoot-azureclicredential-authentication-issues)</li></ul>|
 |Error from the client with a status code of 401 or 403|Authentication succeeded but the authorizing Azure service responded with a 401 (Unauthorized), or 403 (Forbidden) status code|<ul><li>[Enable logging](#enable-and-configure-logging) to determine which credential in the chain returned the authenticating token.</li><li>If an unexpected credential is returning a token, check application configuration such as environment variables.</li><li>Ensure the correct role is assigned to the authenticated identity. For example, a service specific role rather than the subscription Owner role.</li></ul>|
+|"managed identity timed out"|`DefaultAzureCredential` sets a short timeout on its first managed identity authentication attempt to prevent very long timeouts during local development when no managed identity is available. That timeout causes this error in production when an application requests a token before the hosting environment is ready to provide one.|Use [ManagedIdentityCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ManagedIdentityCredential) directly, at least in production. It doesn't set a timeout on its authentication attempts.|
 
 ## Troubleshoot EnvironmentCredential authentication issues
 

diff --git a/sdk/azidentity/default_azure_credential.go b/sdk/azidentity/default_azure_credential.go
@@ -185,7 +185,7 @@ func (w *timeoutWrapper) GetToken(ctx context.Context, opts policy.TokenRequestO
  defer cancel()
  tk, err = w.mic.GetToken(c, opts)
  if isAuthFailedDueToContext(err) {
- err = newCredentialUnavailableError(credNameManagedIdentity, "managed identity timed out")
+ err = newCredentialUnavailableError(credNameManagedIdentity, "managed identity timed out. See https://aka.ms/azsdk/go/identity/troubleshoot#dac for more information")
  } else {
  // some managed identity implementation is available, so don't apply the timeout to future calls
  w.timeout = 0