From 9896d12a991c3435f7b02dbc51c20b0bbea46b2e Mon Sep 17 00:00:00 2001
From: Charles Lowell <10964656+chlowell@users.noreply.github.com>
Date: Wed, 14 Jun 2023 10:50:24 -0700
Subject: [PATCH] Add managed identity timeout to troubleshooting guide
---
sdk/azidentity/TROUBLESHOOTING.md | 2 ++
sdk/azidentity/default_azure_credential.go | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/sdk/azidentity/TROUBLESHOOTING.md b/sdk/azidentity/TROUBLESHOOTING.md
index 7b7515ebac22..fef099813c87 100644
--- a/sdk/azidentity/TROUBLESHOOTING.md
+++ b/sdk/azidentity/TROUBLESHOOTING.md
@@ -76,12 +76,14 @@ azlog.SetListener(func(event azlog.Event, s string) {
azlog.SetEvents(azidentity.EventAuthentication)
```
+
## Troubleshoot DefaultAzureCredential authentication issues
| Error |Description| Mitigation |
|---|---|---|
|"DefaultAzureCredential failed to acquire a token"|No credential in the `DefaultAzureCredential` chain provided a token|
- [Enable logging](#enable-and-configure-logging) to get further diagnostic information.
- Consult the troubleshooting guide for underlying credential types for more information.
- [EnvironmentCredential](#troubleshoot-environmentcredential-authentication-issues)
- [ManagedIdentityCredential](#troubleshoot-managedidentitycredential-authentication-issues)
- [AzureCLICredential](#troubleshoot-azureclicredential-authentication-issues)
|
|Error from the client with a status code of 401 or 403|Authentication succeeded but the authorizing Azure service responded with a 401 (Unauthorized), or 403 (Forbidden) status code|- [Enable logging](#enable-and-configure-logging) to determine which credential in the chain returned the authenticating token.
- If an unexpected credential is returning a token, check application configuration such as environment variables.
- Ensure the correct role is assigned to the authenticated identity. For example, a service specific role rather than the subscription Owner role.
|
+|"managed identity timed out"|`DefaultAzureCredential` sets a short timeout on its first managed identity authentication attempt to prevent very long timeouts during local development when no managed identity is available. That timeout causes this error in production when an application requests a token before the hosting environment is ready to provide one.|Use [ManagedIdentityCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ManagedIdentityCredential) directly, at least in production. It doesn't set a timeout on its authentication attempts.|
## Troubleshoot EnvironmentCredential authentication issues
diff --git a/sdk/azidentity/default_azure_credential.go b/sdk/azidentity/default_azure_credential.go
index 1e3efdc97a96..40fcb94ec3fb 100644
--- a/sdk/azidentity/default_azure_credential.go
+++ b/sdk/azidentity/default_azure_credential.go
@@ -185,7 +185,7 @@ func (w *timeoutWrapper) GetToken(ctx context.Context, opts policy.TokenRequestO
defer cancel()
tk, err = w.mic.GetToken(c, opts)
if isAuthFailedDueToContext(err) {
- err = newCredentialUnavailableError(credNameManagedIdentity, "managed identity timed out")
+ err = newCredentialUnavailableError(credNameManagedIdentity, "managed identity timed out. See https://aka.ms/azsdk/go/identity/troubleshoot#dac for more information")
} else {
// some managed identity implementation is available, so don't apply the timeout to future calls
w.timeout = 0
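Review bot: The branch at the changed line relabels every context-related failure as "managed identity timed out", but the caller's own `ctx` being cancelled or past its deadline would, if `isAuthFailedDueToContext` keys only on the error kind (its body is not in this hunk), take the same path and be reported as a credential-unavailable timeout rather than as the caller's cancellation. Distinguishing the wrapper's timeout from the parent context is one condition: `if isAuthFailedDueToContext(err) && ctx.Err() == nil {`, with the original `err` returned unchanged when `ctx.Err() != nil`. It is also worth confirming that the `#dac` fragment in the new message resolves on the aka.ms target, since the guide heading in this same patch would generate a longer GitHub-style anchor. `timeoutWrapper.GetToken` begins before and ends after this hunk.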