Unable to authenticate using user assigned managed identities when running on Azure Container Apps #6525

Open
kyrre opened this issue Apr 14, 2025 · 2 comments
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

kyrre commented Apr 14, 2025

Is it possible to use this SDK to authenticate when running on ACA jobs? I have a program that uses both the Python SDK and the C++ one (via DuckDB), but the latter fails. I have enabled verbose logs, but it doesn't help much and I can't really figure out how to debug this further.

This is a minimal example that shows how the Python SDK works, while the C++ fails:

```python
import os

import duckdb
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

# Python SDK path: the user-assigned identity is selected explicitly by client ID.
credential = DefaultAzureCredential(
    managed_identity_client_id="b852c70a-9e1b-4784-a7a0-fda9af51b017"
)
account_name = "..."
account_url = f"https://{account_name}.blob.core.windows.net"
client = BlobServiceClient(account_url, credential=credential)

for container in client.list_containers():
    print(container)

# DuckDB path: the azure extension authenticates through the C++ SDK.
con = duckdb.connect()
output_location = f"abfss://playground@{account_name}.dfs.core.windows.net/test-production/observable/azure_applications"

os.environ["AZURE_CLIENT_ID"] = "b852c70a-9e1b-4784-a7a0-fda9af51b017"
os.environ["MANAGED_IDENTITY_CLIENT_ID"] = "b852c70a-9e1b-4784-a7a0-fda9af51b017"

con.sql("""
    install azure;
    load azure;
""")

con.sql(
  f"""
      CREATE SECRET azure_secrets (
      TYPE azure,
      PROVIDER credential_chain,
      CHAIN 'default',
      ACCOUNT_NAME '{account_name}'
  );
"""
)

con.read_parquet(output_location + "/*.parquet")
```

and the error

2025-04-14T18:49:45.4004707Z ##[section]Starting: CmdLine
2025-04-14T18:49:45.4009340Z ==============================================================================
2025-04-14T18:49:45.4009459Z Task         : Command line
2025-04-14T18:49:45.4009527Z Description  : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
2025-04-14T18:49:45.4009611Z Version      : 2.250.1
2025-04-14T18:49:45.4009684Z Author       : Microsoft Corporation
2025-04-14T18:49:45.4009747Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/command-line
2025-04-14T18:49:45.4009836Z ==============================================================================
2025-04-14T18:49:45.5226958Z Generating script.
2025-04-14T18:49:45.5234587Z ========================== Starting Command Output ===========================
2025-04-14T18:49:45.5246467Z [command]/usr/bin/bash --noprofile --norc /azp/_work/_temp/5d84fdbb-6d3c-4250-be79-2a75058eb080.sh
2025-04-14T18:49:45.8917372Z Bytecode compiled 4011 files in 345ms
2025-04-14T18:49:50.7410137Z [2025-04-14T18:49:50.7406238Z T: 125412545959744] DEBUG : Identity: Creating DefaultAzureCredential which combines mutiple parameterless credentials into a single one.
2025-04-14T18:49:50.7411932Z DefaultAzureCredential is only recommended for the early stages of development, and not for usage in production environment.
2025-04-14T18:49:50.7414208Z Once the developer focuses on the Credentials and Authentication aspects of their application, DefaultAzureCredential needs to be replaced with the credential that is the better fit for the application.
2025-04-14T18:49:50.7415381Z [2025-04-14T18:49:50.7406496Z T: 125412545959744] WARN  : Identity: EnvironmentCredential was not initialized with underlying credential.
2025-04-14T18:49:50.7416004Z [2025-04-14T18:49:50.7406703Z T: 125412545959744] DEBUG : Identity: EnvironmentCredential: Both 'AZURE_TENANT_ID' and 'AZURE_CLIENT_ID', and at least one of 'AZURE_CLIENT_SECRET', 'AZURE_CLIENT_CERTIFICATE_PATH' needs to be set. Additionally, 'AZURE_AUTHORITY_HOST' could be set to override the default authority host. Currently:
2025-04-14T18:49:50.7416730Z  * 'AZURE_TENANT_ID' is NOT set
2025-04-14T18:49:50.7417455Z  * 'AZURE_CLIENT_ID' is set
2025-04-14T18:49:50.7418201Z  * 'AZURE_CLIENT_SECRET' is NOT set
2025-04-14T18:49:50.7418502Z  * 'AZURE_CLIENT_CERTIFICATE_PATH' is NOT set
2025-04-14T18:49:50.7418766Z  * 'AZURE_AUTHORITY_HOST' is NOT set
2025-04-14T18:49:50.7419129Z [2025-04-14T18:49:50.7406901Z T: 125412545959744] WARN  : Identity: Azure Kubernetes environment is not set up for the WorkloadIdentityCredential credential to work.
2025-04-14T18:49:50.7419512Z [2025-04-14T18:49:50.7407154Z T: 125412545959744] INFO  : Identity: AzureCliCredential created.
2025-04-14T18:49:50.7419944Z Successful creation does not guarantee further successful token retrieval.
2025-04-14T18:49:50.7420271Z [2025-04-14T18:49:50.7407424Z T: 125412545959744] INFO  : Identity: ManagedIdentityCredential will be created with App Service 2019 source.
2025-04-14T18:49:50.7420737Z [2025-04-14T18:49:50.7407895Z T: 125412545959744] INFO  : Identity: DefaultAzureCredential: Created with the following credentials: EnvironmentCredential, WorkloadIdentityCredential, AzureCliCredential, ManagedIdentityCredential.
2025-04-14T18:49:50.7421563Z [2025-04-14T18:49:50.7408071Z T: 125412545959744] INFO  : Identity: ChainedTokenCredential: Created with the following credentials: DefaultAzureCredential.
2025-04-14T18:49:50.7422002Z [2025-04-14T18:49:50.7410593Z T: 125412545959744] WARN  : Identity: EnvironmentCredential authentication unavailable. See earlier EnvironmentCredential log messages for details.
2025-04-14T18:49:50.7422543Z [2025-04-14T18:49:50.7411060Z T: 125412545959744] DEBUG : Identity: DefaultAzureCredential: Failed to get token from EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
2025-04-14T18:49:50.7423078Z [2025-04-14T18:49:50.7411223Z T: 125412545959744] WARN  : Identity: WorkloadIdentityCredential authentication unavailable. See earlier WorkloadIdentityCredential log messages for details.
2025-04-14T18:49:50.7423850Z [2025-04-14T18:49:50.7411442Z T: 125412545959744] DEBUG : Identity: DefaultAzureCredential: Failed to get token from WorkloadIdentityCredential: WorkloadIdentityCredential authentication unavailable. Azure Kubernetes environment is not set up correctly.
2025-04-14T18:49:52.6384365Z ERROR: Please run 'az login' to setup account.
2025-04-14T18:49:52.9978242Z [2025-04-14T18:49:52.9972549Z T: 125412545959744] DEBUG : Identity: TokenCredentialImpl::ParseToken(): Cannot parse the string '' as JSON.
2025-04-14T18:49:52.9979059Z [2025-04-14T18:49:52.9972895Z T: 125412545959744] WARN  : Identity: AzureCliCredential didn't get the token: ""
2025-04-14T18:49:52.9979681Z [2025-04-14T18:49:52.9973177Z T: 125412545959744] DEBUG : Identity: DefaultAzureCredential: Failed to get token from AzureCliCredential: AzureCliCredential didn't get the token: ""
2025-04-14T18:49:52.9980452Z [2025-04-14T18:49:52.9973658Z T: 125412545959744] INFO  : HTTP Request : GET http://localhost:42356/msi/token?api-version=2019-08-01&resource=REDACTED
2025-04-14T18:49:52.9981090Z user-agent : azsdk-cpp-identity/1.10.1 (Linux 5.15.164.1-1.cm2 x86_64 #1 SMP Sun Aug 18 19:16:21 UTC 2024 Cpp/201402)
2025-04-14T18:49:52.9981579Z x-identity-header : REDACTED
2025-04-14T18:49:52.9981795Z x-ms-client-request-id : 219d3f1f-c843-4aec-8e47-09cef071e7fc
2025-04-14T18:49:52.9982071Z [2025-04-14T18:49:52.9973770Z T: 125412545959744] DEBUG : [CURL Transport Adapter]: Creating a new session.
2025-04-14T18:49:52.9982418Z [2025-04-14T18:49:52.9973915Z T: 125412545959744] DEBUG : [CURL Transport Adapter]: Spawn new connection.
2025-04-14T18:49:52.9982790Z [2025-04-14T18:49:52.9976107Z T: 125412545959744] DEBUG : [CURL Transport Adapter]: No Host in request headers. Adding it
2025-04-14T18:49:52.9983190Z [2025-04-14T18:49:52.9976346Z T: 125412545959744] DEBUG : [CURL Transport Adapter]: Send request without payload
2025-04-14T18:49:52.9983474Z [2025-04-14T18:49:52.9976813Z T: 125412545959744] DEBUG : [CURL Transport Adapter]: Parse server response
2025-04-14T18:49:53.0094945Z [2025-04-14T18:49:53.0072824Z T: 125412545959744] DEBUG : [CURL Transport Adapter]: Request completed. Moving response out of session and session to response.
2025-04-14T18:49:53.0095578Z [2025-04-14T18:49:53.0073148Z T: 125412545959744] DEBUG : Moving connection to pool...
2025-04-14T18:49:53.0095914Z [2025-04-14T18:49:53.0073335Z T: 125412545959744] DEBUG : Start clean thread
2025-04-14T18:49:53.0096253Z [2025-04-14T18:49:53.0074153Z T: 125412545959744] INFO  : HTTP/1.1 Response (10ms) : 400 Bad Request
2025-04-14T18:49:53.0096557Z content-type : application/json; charset=utf-8
2025-04-14T18:49:53.0096815Z date : Mon, 14 Apr 2025 18:49:52 GMT
2025-04-14T18:49:53.0097038Z server : Kestrel
2025-04-14T18:49:53.0097245Z transfer-encoding : chunked
2025-04-14T18:49:53.0097463Z x-correlation-id : REDACTED
2025-04-14T18:49:53.0097747Z [2025-04-14T18:49:53.0074351Z T: 125412545959744] INFO  : HTTP status code 400 won't be retried.
2025-04-14T18:49:53.0098178Z [2025-04-14T18:49:53.0074866Z T: 125412545959744] DEBUG : Identity: DefaultAzureCredential: Failed to get token from ManagedIdentityCredential: GetToken(): error response: 400 Bad Request
2025-04-14T18:49:53.0098729Z 
2025-04-14T18:49:53.0099038Z {"statusCode":400,"message":"Unable to load the proper Managed Identity.","correlationId":"26dc2041-e87f-47f4-8ef4-50b75c4f3dd4"}
2025-04-14T18:49:53.0099426Z [2025-04-14T18:49:53.0074989Z T: 125412545959744] WARN  : Identity: DefaultAzureCredential: Didn't succeed to get a token from any credential in the chain.
2025-04-14T18:49:53.0099690Z [2025-04-14T18:49:53.0075179Z T: 125412545959744] DEBUG : Identity: ChainedTokenCredential: Failed to get token from DefaultAzureCredential: Failed to get token from DefaultAzureCredential.
2025-04-14T18:49:53.0099941Z See Azure::Core::Diagnostics::Logger for details (https://aka.ms/azsdk/cpp/identity/troubleshooting).
2025-04-14T18:49:53.0100164Z [2025-04-14T18:49:53.0075288Z T: 125412545959744] WARN  : Identity: ChainedTokenCredential: Didn't succeed to get a token from any credential in the chain.
2025-04-14T18:49:53.0101560Z Traceback (most recent call last):
2025-04-14T18:49:53.0101743Z   File "/azp/_work/1/s/test.py", line 41, in <module>
2025-04-14T18:49:53.0101886Z     con.read_parquet(output_location + "/*.parquet")
2025-04-14T18:49:53.0102035Z RuntimeError: Failed to get token from ChainedTokenCredential.
2025-04-14T18:49:53.0102391Z  <output from the loop>
2025-04-14T18:49:53.0631317Z 
2025-04-14T18:49:53.0668338Z ##[error]Bash exited with code '1'.
2025-04-14T18:49:53.0684206Z ##[section]Finishing: CmdLine

I have also created an issue in the DuckDB-azure project board.
duckdb/duckdb-azure#99

@kyrre kyrre changed the title Unable to authenticate using user assigned managed identity on Azure Container Apps Unable to authenticate using user assigned managed identities when running on Azure Container Apps Apr 14, 2025
@github-actions github-actions bot added Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Apr 14, 2025
Thank you for your feedback. Tagging and routing to the team member best able to assist.

kyrre commented Apr 15, 2025

I tried the following program and this also fails.

```cpp
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.

#include <azure/identity/default_azure_credential.hpp>
#include <azure/storage/blobs.hpp>
#include <exception>
#include <iostream>
#include <memory>
#include <string>

int main()
{
    try
    {
        // DefaultAzureCredential will automatically use AZURE_CLIENT_ID from environment
        auto credential = std::make_shared<Azure::Identity::DefaultAzureCredential>();

        std::string accountName = "cdcdatalakehousestandard";
        std::string accountUrl = "https://" + accountName + ".blob.core.windows.net";

        auto blobServiceClient = Azure::Storage::Blobs::BlobServiceClient(
            accountUrl,
            credential);

        // Lists the first page of containers returned by the service.
        auto containers = blobServiceClient.ListBlobContainers();
        for (const auto& container : containers.BlobContainers)
        {
            std::cout << "Container name: " << container.Name << std::endl;
        }
    }
    catch (const std::exception& e)
    {
        std::cerr << "Error: " << e.what() << std::endl;
        return 1;
    }

    return 0;
}
```
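The log in the first comment shows the managed identity token request carrying only `api-version` and `resource`. The following is an added example, not part of the thread or of either SDK: it checks a captured log for an identity selector on that request and rebuilds the same GET with `client_id` set, so the endpoint can be tested from inside the container without the SDK. It assumes the SDK logs every query parameter name and redacts only values (as it did for `resource`), that the platform injects `IDENTITY_ENDPOINT` and `IDENTITY_HEADER`, and that the selector names follow the App Service managed identity REST protocol; the function names and `SAMPLE_LOG` are constructed for illustration.

```python
import os
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

API_VERSION = "2019-08-01"  # api-version visible in the issue's log
SELECTORS = ("client_id", "object_id", "mi_res_id", "principal_id")

# Constructed sample: two lines from the log above with timestamps trimmed.
SAMPLE_LOG = [
    "INFO  : Identity: ManagedIdentityCredential will be created with App Service 2019 source.",
    "INFO  : HTTP Request : GET http://localhost:42356/msi/token?api-version=2019-08-01&resource=REDACTED",
]

def logged_request_selects_identity(log_lines):
    """True/False: does the logged /msi/token GET name an identity? None if none is logged."""
    for line in log_lines:
        m = re.search(r"HTTP Request : GET (\S+/msi/token\?\S+)", line)
        if m:
            query = parse_qs(urlsplit(m.group(1)).query)
            return any(name in query for name in SELECTORS)
    return None

def build_token_request(endpoint, identity_header, resource, client_id=None):
    """Build the GET seen in the log, optionally naming a user-assigned identity."""
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return urllib.request.Request(
        endpoint + "?" + urlencode(params),
        headers={"X-IDENTITY-HEADER": identity_header},
    )

if __name__ == "__main__":
    print("log request names an identity:", logged_request_selects_identity(SAMPLE_LOG))
    # Only meaningful inside the container, where the platform sets these variables.
    endpoint, header = os.environ.get("IDENTITY_ENDPOINT"), os.environ.get("IDENTITY_HEADER")
    if endpoint and header:
        for cid in (None, os.environ.get("AZURE_CLIENT_ID")):
            req = build_token_request(endpoint, header, "https://storage.azure.com/", cid)
            try:
                with urllib.request.urlopen(req, timeout=10) as resp:
                    status = resp.status
            except urllib.error.HTTPError as err:
                status = err.code
            # Print only the status; the response body contains a bearer token.
            print("client_id sent:", bool(cid), "-> HTTP", status)
```

Comparing the two status codes shows whether the endpoint itself accepts the identity when it is named explicitly, which separates a platform or role-assignment problem from a request-construction one.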
