Azure-sdk-for-js: Error retrieving MSI token from Function App

Created on 2 Aug 2019 · 13 Comments · Source: Azure/azure-sdk-for-js

  • @Azure/identity:
  • 1.0.0.0-preview:
  • Azure Functions - Windows:

Describe the bug
Error parsing the date/token returned from a Managed Identity installed on an Azure Function app running on a consumption plan.

To Reproduce

  1. Create a Windows Function App, on a consumption plan
  2. Create a managed identity
  3. Create a Key Vault with a secret
  4. Using nodejs

    const credential = new DefaultAzureCredential();
    client = new SecretsClient(vaultUri, credential);
    let secret = client.getSecret('secret');

Expected behavior
Should return the secret. It doesn't. It throws an error.

Additional context

2019-08-01T23:49:03.468 [Information] TypeError: Cannot read property '3' of null
2019-08-01T23:49:03.469 [Information] at expiresInParser (D:\home\site\wwwroot\node_modules\@azure\identity\dist\index.js:289:47)
2019-08-01T23:49:03.469 [Information] at IdentityClient.<anonymous> (D:\home\site\wwwroot\node_modules\@azure\identity\dist\index.js:142:41)
2019-08-01T23:49:03.469 [Information] at Generator.next (<anonymous>)
2019-08-01T23:49:03.469 [Information] at fulfilled (D:\home\site\wwwroot\node_modules\tslib\tslib.js:107:62)
2019-08-01T23:49:03.469 [Information] at process._tickCallback (internal/process/next_tick.js:68:7
2019-08-01T23:49:03.470 [Information] undefined

Looking at the code, it appears that the date parsing isn't working. Initially this was in the identityClient code (where the error originally manifested); however, it appears to have now been refactored here (currently):
https://github.com/Azure/azure-sdk-for-js/blob/master/sdk/identity/identity/src/credentials/managedIdentityCredential.ts

Specifically, these lines

    // Detect which type of environment we are running in
    if (process.env.MSI_ENDPOINT) {
      if (process.env.MSI_SECRET) {
        // Running in App Service
        authRequestOptions = this.createAppServiceMsiAuthRequest(resource, clientId);
        expiresInParser = (requestBody: any) => {
          // Parse a date format like "06/20/2019 02:57:58 +00:00" and
          // convert it into a JavaScript-formatted date
          const m = requestBody.expires_on.match(/(\d\d)\/(\d\d)\/(\d\d\d\d) (\d\d):(\d\d):(\d\d) (\+|-)(\d\d):(\d\d)/)
          return Date.parse(`${m[3]}-${m[1]}-${m[2]}T${m[4]}:${m[5]}:${m[6]}${m[7]}${m[8]}:${m[9]}`)
        };

All 13 comments

It seems like the issue is that the regex is not taking AM/PM into account. Looking at the Managed Identities Overview documentation, the date format is:

"09/14/2017 00:00:00 PM +00:00"
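An added example, not part of the thread and not the SDK's own fix: a parser for `expires_on` that accepts the 24-hour format the original regex expected and the AM/PM format quoted above, and raises a descriptive error instead of dereferencing a null match. It goes beyond the two formats on the page by also accepting Unix epoch seconds; the names `parseExpiresOn`, `EXPIRES_ON_RE` and `unrecognized` are hypothetical, and the sample strings are constructed.

```javascript
// Added example (not the SDK's code). Accepts the 24-hour format from the
// original regex, the 12-hour AM/PM format, and Unix epoch seconds.
const EXPIRES_ON_RE =
  /^(\d{1,2})\/(\d{1,2})\/(\d{4}) (\d{1,2}):(\d{2}):(\d{2})(?: (AM|PM))? ([+-])(\d{2}):(\d{2})$/i;

function unrecognized(value) {
  // Diagnosable failure instead of "Cannot read property '3' of null".
  return new Error(`Unrecognized expires_on value: ${JSON.stringify(value)}`);
}

// Returns the expiry as milliseconds since the Unix epoch, or throws.
function parseExpiresOn(value) {
  if (typeof value === "number" && Number.isFinite(value)) return value * 1000;
  const text = String(value).trim();
  if (/^\d+$/.test(text)) return Number(text) * 1000; // epoch seconds as a string

  const m = EXPIRES_ON_RE.exec(text);
  if (m === null) throw unrecognized(value);

  const [, month, day, year, hh, mm, ss, meridiem, sign, offH, offM] = m;
  let hour = Number(hh);
  if (meridiem) {
    // 12-hour clock: 12 AM -> 0, 12 PM -> 12, 1-11 PM -> 13-23.
    // Assumption: the documented "00:00:00 PM" is read as 12:00 (noon).
    hour = (hour % 12) + (meridiem.toUpperCase() === "PM" ? 12 : 0);
  }
  const wall = Date.UTC(+year, +month - 1, +day, hour, +mm, +ss);
  const check = new Date(wall);
  const rolledOver =
    check.getUTCMonth() !== +month - 1 || check.getUTCDate() !== +day;
  if (+hh > 23 || +mm > 59 || +ss > 59 || rolledOver) throw unrecognized(value);

  // Wall-clock time is UTC plus the offset, so subtract the offset.
  const offsetMin = (sign === "-" ? -1 : 1) * (+offH * 60 + +offM);
  return wall - offsetMin * 60000;
}

// Constructed sample values in both formats discussed in the issue.
const samples = ["06/20/2019 02:57:58 +00:00", "09/14/2017 00:00:00 PM +00:00"];
for (const s of samples) {
  console.log(s, "->", new Date(parseExpiresOn(s)).toISOString());
}
```
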

Is there any workaround as of now for this?

We've switched to using https://azure.github.io/azure-sdk-for-js/identity/classes/environmentcredential.html for now until this gets fixed.

@kayone - Unfortunately, this wouldn't work for me since I am working in an Azure Function. My Azure Function's identity has access to a keyvault which is why I wanted to use this. If I have to store one secret to access another, what's the point.

@saikrishnav we are using a function as well. We use this as a fallback rather than a workaround. This way once it gets fixed we don't have to change all the code for getting secrets out, we just switch the auth provider and remove the environment variables.

@kayone - I understand your point. Just trying to see if it's possible to fix this directly.

@saikrishnav We've gotten around this by referencing keyvault secrets at deployment time. In my ARM template, I'm pulling secrets from keyvault and just setting them as environment variables. Doing this means we don't need this library at all. Documentation can be found here:

https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references

We recently landed a fix that should help with this case (https://github.com/Azure/azure-sdk-for-js/pull/5144), which should allow more date formats to be accepted.

This fix will be part of the next release.

Hey folks, has anyone had a chance to verify whether @jonathandturner's fix worked when using this credential in a Function App? Thanks!

@daviwil
I have the same problem here. I use ManagedIdentityCredential in an Azure Function (TypeScript).

Result: Failure
Exception: TypeError: Cannot read property '3' of null
Stack: TypeError: Cannot read property '3' of null
    at expiresInParser (D:\home\site\wwwroot\node_modules\@azure\identity\dist\index.js:457:47)
    at IdentityClient.<anonymous> (D:\home\site\wwwroot\node_modules\@azure\identity\dist\index.js:151:45)
    at Generator.next (<anonymous>)
    at fulfilled (D:\home\site\wwwroot\node_modules\tslib\tslib.js:107:62)
    at process._tickCallback (internal/process/next_tick.js:68:7)

@ahmedspiir Have you updated to version 1.0.0-preview.3? This issue should be resolved in that version.

My apologies, this was fixed after 1.0.0-preview.3 and will be included in the upcoming release.

Hi all, the fix for this issue is included in 1.0.0-preview.5, released last week. Please give it a try and let us know if you run into any further issues!

Closing this issue in the meantime, but I'll be happy to reopen it should anyone reproduce the issue after installing the aforementioned update.
