ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established

Rajesh Babu Selvaraj 0 Reputation points
2024-05-20T10:21:28.2933333+00:00

We have locally built a Spring Boot sample client application to access the Azure Key Vault service and retrieve secrets.

The application is built and packaged as a WAR file and deployed on an external Tomcat server.

We use the user-assigned managed identity process to authenticate the application with the Key Vault.

The Tomcat server is hosted and running as a Kubernetes pod, and the sample Spring Boot WAR file is deployed inside the Tomcat pod.

When we process the request, the application fails to get authenticated with the Key Vault and we get the error message below:

"Encountered Client Auth Exception while retrieving secret : com.microsoft.aad.msal4j.MsalAzureSDKException: java.util.concurrent.ExecutionException: com.azure.identity.CredentialUnavailableException: ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established, Connection refused (Connection refused)"

Workaround#1:

We tried to hit the IMDS endpoint using the curl command within the pod, and we were able to receive the access token successfully for the specific client ID.

curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2019-11-01&resource=https://vault.azure.net&client_id=xxxxxxxxxxxxxxxxxx"

But from the application's perspective, the call to the IMDS endpoint is not successful; the authentication fails with the specific error posted above.


1 answer

  1. Deepanshu katara 5,920 Reputation points
    2024-05-20T10:50:45.79+00:00

    Hi Rajesh ,

    The error means you could not connect to the Azure Instance Metadata Service endpoint. It is a REST endpoint that is available at a well-known non-routable IP address (169.254.169.254); MSI uses it to get the token, and it can be accessed only from within an Azure service, e.g. a web app, VM, etc. Simply put, you cannot use MSI (managed identity) locally.

    To use MSI to get a secret from Azure Key Vault, follow this to deploy your application to an Azure Web App, enable the system-assigned identity or user-assigned identity, then remove azure.keyvault.client-key from application.properties, change azure.keyvault.client-id to the MSI's client ID, and add it to the access policy of the Key Vault; for details, follow this.

    If you'd like to access the Key Vault via a managed identity, you can deploy a VM with a system-assigned managed identity or an Azure App Service to read a secret from Azure Key Vault. For more info.

    Additional Links: Azure Instance Metadata Service endpoint - Managed identity

    What are managed identities for Azure resources?

    Tutorial: Read a secret from Azure Key Vault in a Spring Boot application

    I hope this helps! If you have any other questions, please let me know.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

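As an added example (not code from the question, the answer, or the Azure SDK itself), the following Java class first repeats the question's curl probe against IMDS from inside the JVM, reporting only the HTTP status so the token is never logged, and then reads a secret with ManagedIdentityCredential configured for the user-assigned identity. The client ID, vault URL and secret name are placeholders; it assumes the azure-identity and azure-security-keyvault-secrets dependencies are on the classpath.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.core.exception.ClientAuthenticationException;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

public class ManagedIdentitySecretReader {
    // Placeholder values: replace with the identity and vault of the deployment.
    static final String CLIENT_ID = "<user-assigned-identity-client-id>";
    static final String VAULT_URL = "https://<vault-name>.vault.azure.net";
    static final String SECRET_NAME = "<secret-name>";

    // Same request as the curl command in the question, issued from the JVM.
    // Returns only the HTTP status; the response body (the token) is discarded.
    static int probeImds(String clientId) throws Exception {
        HttpClient http = HttpClient.newBuilder()
                .connectTimeout(Duration.ofSeconds(5)).build();
        HttpRequest req = HttpRequest.newBuilder(URI.create(
                "http://169.254.169.254/metadata/identity/oauth2/token"
                + "?api-version=2019-11-01&resource=https://vault.azure.net"
                + "&client_id=" + clientId))
                .header("Metadata", "true").GET().build();
        return http.send(req, HttpResponse.BodyHandlers.discarding()).statusCode();
    }

    // Retrieve the secret using the user-assigned managed identity.
    static String readSecret() {
        TokenCredential cred = new ManagedIdentityCredentialBuilder()
                .clientId(CLIENT_ID)   // selects the user-assigned identity
                .build();
        SecretClient client = new SecretClientBuilder()
                .vaultUrl(VAULT_URL).credential(cred).buildClient();
        return client.getSecret(SECRET_NAME).getValue();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("IMDS probe status: " + probeImds(CLIENT_ID));
        try {
            String value = readSecret();
            System.out.println("secret length: " + value.length()); // never print the value
        } catch (ClientAuthenticationException e) {
            // CredentialUnavailableException (as in the question) is a subclass of this
            System.err.println("managed identity unavailable: " + e.getMessage());
        }
    }
}
```

If the probe returns 200 but readSecret still fails with the CredentialUnavailableException from the question, the difference lies in how the JVM process reaches 169.254.169.254 compared with the pod's shell, not in the identity or Key Vault configuration.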