Node.js access keyvault failure #23331
Comments
Looks like
@xirzec
Hi @yzhengamat! I may be missing something, but I can't actually see any errors in your output. The line
is not actually an error: it's just a property on
Regardless, I assume that getting the secret is failing for one reason or another, otherwise you wouldn't be here! Is there any other output that might be of use (e.g. maybe you are catching an error in your try/catch that you can log)?
Whoops, thanks @timovv for pointing out the above logs are literally the DefaultAzureCredential and SecretClient being logged as objects.
The catch block gets the following error.message:
EnvironmentCredential authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot. Status code: 400
More details:
endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.
(The link "https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot" in the above message was not helpful to me.)
@yzhengamat there were some recent changes in Identity that I think might be affecting this. Could you try the latest version of
After updating to version 3.0.0 and running npm install again, I still get the exact same exception error message as above.
Thanks for trying it. My next question is: are you using a government cloud?
@xirzec not government cloud
Any updates to this? I'm running into the same issue, using EnvironmentCredential, and I've verified that AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET are correct.
@KarishmaGhiya @schaabs do either of you know anything about this?
@yzhengamat @dyuan-boxlabs circling back on this, can you try enabling logging? https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/README.md#logging When using a
whereupon I can see MSAL do the credential request:
I'm curious if you see a similar auth dance happening and what endpoints are being accessed before the error is thrown.
Hi Jeff, here are the logs with AZURE_LOG_INFO set to info
[Nest] 22316 - 11/06/2022, 10:26:06 PM LOG [NestFactory] Starting Nest application...
Hi @dyuan-boxlabs, thanks for providing the logs. Is there anything in your network configuration that could be getting in the way of authentication, e.g. a proxy?
@timovv Hi Tim, no there is no proxy. I went through the Azure support desk and a support engineer confirmed that my set up was not using a proxy and sent these logs to the dev team.
@dyuan-boxlabs Can you try passing in the
From the logs we can see this is blowing up inside of MSAL. Looking carefully at the error and noticing that it comes right after we hit the discovery endpoint, I believe it is being thrown from here:
The inner error I believe is coming from here:
Which seems to indicate that it's not getting back the cloud discovery metadata from the network, which means that this method is returning null for some reason:
We see the request going out and it is getting back a 200, so at this point I'm not sure why it would be failing without getting our hands on the actual body of that response and seeing what it contains.
The root cause seems to be:
Let me try to describe what endpoint resolution means. There are 2 concepts to be aware of:
Anyway, seems like a bug occurs when the list of aliases (as mentioned by @dyuan-boxlabs above) is retrieved.
I don't think we have enough info at this point to fully understand what is happening. I would think that this error is thrown wrongly and it simply masks the underlying cause. Would it be possible to get verbose logs @dyuan-boxlabs? If you are concerned about PII here on GitHub, please send the logs directly to me - bogavril at microsoft com
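The endpoint-resolution step the two analyses above turn on (the cloud-discovery metadata lookup that comes back null, and the alias list whose retrieval is suspected of failing), as an added example that is not code from the thread, MSAL or @azure/identity: a small model that matches an authority host against constructed instance-discovery metadata, with an assumed knownAuthorities parameter mirroring the config key named in the error, and that reports an empty discovery body separately from a genuinely unknown host.

```javascript
// Added example, not code from the issue thread, MSAL or @azure/identity: a
// small model of resolving an authority host against instance-discovery
// metadata, and why an empty body deserves its own error, not "untrusted".

// Constructed sample shaped like an Azure AD instance-discovery response.
const SAMPLE_DISCOVERY = {
  tenant_discovery_endpoint:
    "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
  metadata: [
    {
      preferred_network: "login.microsoftonline.com",
      preferred_cache: "login.windows.net",
      aliases: ["login.microsoftonline.com", "login.windows.net",
                "login.microsoft.com", "sts.windows.net"],
    },
  ],
};

// Returns the metadata entry whose alias list contains authorityHost,
// or null when the discovery body carries no usable metadata.
function findCloudMetadata(discoveryBody, authorityHost) {
  if (!discoveryBody || !Array.isArray(discoveryBody.metadata)) return null;
  const host = authorityHost.toLowerCase();
  const entry = discoveryBody.metadata.find(
    (m) => Array.isArray(m.aliases) &&
      m.aliases.some((a) => a.toLowerCase() === host));
  return entry || null;
}

// Resolves an authority URL. knownAuthorities (assumed name, mirroring the
// config parameter named in the error message) lets the caller trust a host
// that discovery does not list. The two throw paths are deliberately distinct:
// "no metadata came back" is a transport/parsing problem, not a trust problem.
function resolveAuthority(authorityUrl, discoveryBody, knownAuthorities = []) {
  const host = new URL(authorityUrl).host.toLowerCase();
  if (knownAuthorities.some((h) => h.toLowerCase() === host)) {
    return { host, preferredNetwork: host, source: "knownAuthorities" };
  }
  const hasMetadata = discoveryBody && Array.isArray(discoveryBody.metadata) &&
    discoveryBody.metadata.length > 0;
  if (!hasMetadata) {
    throw new Error("endpoints_resolution_error: discovery response had no cloud metadata");
  }
  const entry = findCloudMetadata(discoveryBody, host);
  if (!entry) {
    throw new Error(`untrusted_authority: ${host} not in discovered aliases; add it to knownAuthorities`);
  }
  return { host, preferredNetwork: entry.preferred_network, source: "discovery" };
}
```

When the discovery request returns 200 but the parsed body has no metadata, this model raises the endpoints_resolution_error branch, which is the condition the thread suspects is being masked as untrusted_authority.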
@bgavrilMS sent you an email with the logs |
@dyuan-boxlabs We're taking a look at this, but in the meantime, can you change your DefaultAzureCredential config to look like the following?
Re-run your app with this and let me know if you see the same error or a different one. I was looking at this example here for how to add "knownAuthorities" to the config (scroll down to "The following example demonstrates authenticating a SecretClient from the @azure/keyvault-secrets against an Azure Key Vault hosted in Azure Stack."). |
@Robbie-Microsoft Hi Robbie, tried adding the authorityHost - didn't work. If you give me your microsoft email I can send you the verbose logs. |
@dyuan-boxlabs Please send it to @bgavrilMS, he will forward it to me. |
@Robbie-Microsoft sent the logs to @bgavrilMS |
What does the following mean exactly?
Seems unrelated @deyaaeldeen ? Pls open a new issue. |
@bgavrilMS I see it in the log in #23331 (comment). |
@KarishmaGhiya - MSAL JS fixed the underlying issue, it was in the HTTP stack. Next step would be for Azure Identity to bump the version of MSAL I think. Not sure if this will fix it because Azure Identity uses its own HTTP stack. But @Robbie-Microsoft can provide some context on how we fixed it on our side if needed. |
@KarishmaGhiya Can you please confirm if this issue has been addressed? |
Looks like I need to bump the version of msal to 1.16.0 and do a bug fix release of @azure/identity. Will update the status here when released, this week.
Fixed in #26257 |
@yzhengamat Please use @azure/identity version 3.2.3 to get the bug fix. https://www.npmjs.com/package/@azure/identity/v/3.2.3 |
I followed https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-node and use the latest versions of the following packages: "@azure/identity": "^2.1.0", "@azure/keyvault-secrets": "^4.5.1".
Code is like below:

```js
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");

exports.getKeyValue3 = async function (req, res) {
  const url = ""; // Key Vault URL, left empty in the original post
  let secretResponse;
  try {
    // Note: this prints the client secret itself to the console
    console.log(process.env["AZURE_TENANT_ID"]);
    console.log(process.env["AZURE_CLIENT_ID"]);
    console.log(process.env["AZURE_CLIENT_SECRET"]);
    // DefaultAzureCredential picks EnvironmentCredential when the three
    // AZURE_* variables above are set
    const credential = new DefaultAzureCredential();
    console.log('DefaultCredential ', credential);
    const client = new SecretClient(url, credential);
    console.log("SecretClient: created", client);
    const secretValue = await client.getSecret('testsecret');
    console.log("Retrieved secret: ", secretValue);
    secretResponse = { "message": "Keyvault secret retrieved successfully", "statusCode": 200, "secret": secretValue };
    res.send(secretResponse);
  }
  catch (error) {
    // Only error.message is surfaced; the nested MSAL error details are in it
    secretResponse = { "message": "Keyvault secret retrieval failed \n" + error.message, "statusCode": 500, "secret": null };
    res.send(secretResponse);
  }
};
```
The console.log output (including the error) is like:
```
DefaultCredential DefaultAzureCredential {
  UnavailableMessage: 'DefaultAzureCredential => failed to retrieve a token from the included credentials. To troubleshoot, visit https://aka.ms/azsdk/js/identity/defaultazurecredential/troubleshoot.',
  _sources: [
    EnvironmentCredential { _credential: [ClientSecretCredential] },
    DefaultManagedIdentityCredential {
      isEndpointUnavailable: null,
      clientId: '',
      identityClient: [IdentityClient],
      isAvailableIdentityClient: [IdentityClient]
    },
    VisualStudioCodeCredential {
      cloudName: 'AzureCloud',
      identityClient: [IdentityClient],
      tenantId: 'common'
    },
    AzureCliCredential { tenantId: undefined },
    AzurePowerShellCredential { tenantId: undefined }
  ]
}
SecretClient: created SecretClient {
  vaultUrl: '',
  client: KeyVaultClient {
    _requestContentType: 'application/json; charset=utf-8',
    _endpoint: '{vaultBaseUrl}',
    _allowInsecureConnection: undefined,
    _httpClient: NodeHttpClient { cachedHttpsAgents: [WeakMap] },
    pipeline: HttpPipeline { _policies: [Array], _orderedPolicies: undefined },
    apiVersion: '7.3'
  }
}
```