
I'm deploying a bot backend in an AKS pod using a User Assigned Managed Identity (UAMI). The bot backend can access Azure services like KeyVault and AppConfiguration using this UAMI without issues. The infrastructure is deployed via Terraform.

Environment:

  • Bot Framework SDK: 4.23.0
  • Bot Type: UserAssignedMSI
  • Managed Identity: User Assigned, assigned to the AKS pod

Standard setup:

builder.Services.AddSingleton<BotFrameworkAuthentication, ConfigurationBotFrameworkAuthentication>();

The configuration loads correctly, specifying UserAssignedMSI as the Bot Type and the client ID of the Managed Identity as the Bot ID. The same values are configured in the Azure Bot Service resource.

Problem: When the bot tries to send a message via Azure Bot Service, I get:

identity not found

Internally, ConfigurationBotFrameworkAuthentication builds a ConfigurationServiceClientCredentialFactory, which uses ManagedIdentityAuthenticator. This fails to generate a valid token.

Observation: If I generate the token manually using Azure.Identity.ManagedIdentityCredential in a custom authenticator, it works, and the tokens are valid.

Example of my custom authenticator:

using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Bot.Connector.Authentication;

public class MyCustomManagedIdentityAuthenticator : IAuthenticator
{
    private readonly ManagedIdentityCredential managedIdentityCredential;
    private readonly string oAuthScope;

    public MyCustomManagedIdentityAuthenticator(object appId, object oAuthScope)
    {
        // Azure.Identity wants a scope of the form "<resource>/.default"; the Bot Framework
        // hands over an audience/resource, so append the suffix when it is missing.
        const string scopePostFix = "/.default";
        var scope = oAuthScope.ToString()!;
        if (!scope.EndsWith(scopePostFix, StringComparison.OrdinalIgnoreCase))
        {
            scope = $"{scope}{scopePostFix}";
        }
        this.oAuthScope = scope;

        // appId is the client ID of the user-assigned managed identity. Passing it explicitly
        // selects that identity instead of a system-assigned one on the node/pod.
        managedIdentityCredential = new ManagedIdentityCredential(clientId: appId.ToString());
    }

    public async Task<AuthenticatorResult> GetTokenAsync(bool forceRefresh = false)
    {
        // forceRefresh is ignored here; the credential manages its own token lifetime.
        var token = await managedIdentityCredential.GetTokenAsync(
            new TokenRequestContext(new[] { oAuthScope }), CancellationToken.None);
        return new AuthenticatorResult
        {
            AccessToken = token.Token,
            ExpiresOn = token.ExpiresOn,
        };
    }
}

Registered like this:

builder.Services.AddSingleton<BotFrameworkAuthentication, ConfigurationBotFrameworkAuthentication>(sp =>
{
    return new ConfigurationBotFrameworkAuthentication(
        builder.Configuration,
        new MyCustomServiceClientCredentialsFactory(builder.Configuration) // This ultimately adds the MyCustomManagedIdentityAuthenticator above
    );
});
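As an added, hypothetical sketch (not the asker's code) of how a factory like the MyCustomServiceClientCredentialsFactory referenced above can route the Bot Framework through that authenticator. It assumes the SDK's AppCredentials base class exposes the protected BuildIAuthenticator hook and that the UAMI client ID sits under the MicrosoftAppId configuration key, the same key the stock ConfigurationServiceClientCredentialFactory reads; the class names are invented for illustration.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Bot.Connector.Authentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Rest;

// Hypothetical credentials type: the only thing it changes is which IAuthenticator
// the connector uses to obtain the outbound token.
public class ExampleManagedIdentityAppCredentials : AppCredentials
{
    public ExampleManagedIdentityAppCredentials(string appId, string oAuthScope)
        : base(channelAuthTenant: null, oAuthScope: oAuthScope)
    {
        MicrosoftAppId = appId;
    }

    protected override Lazy<IAuthenticator> BuildIAuthenticator()
        => new Lazy<IAuthenticator>(
            () => new MyCustomManagedIdentityAuthenticator(MicrosoftAppId, OAuthScope));
}

// Hypothetical factory: CreateCredentialsAsync is invoked for each outbound connector call.
public class ExampleManagedIdentityCredentialsFactory : ServiceClientCredentialsFactory
{
    private readonly string clientId;

    public ExampleManagedIdentityCredentialsFactory(IConfiguration configuration)
    {
        clientId = configuration["MicrosoftAppId"]; // assumed key; the UAMI client ID
    }

    // Only the configured UAMI client ID is a valid app ID. Rejecting anything else keeps the
    // bot from treating activities addressed to some other application as its own.
    public override Task<bool> IsValidAppIdAsync(string appId, CancellationToken cancellationToken)
        => Task.FromResult(string.Equals(appId, clientId, StringComparison.OrdinalIgnoreCase));

    // Using a managed identity is not a reason to switch authentication off.
    public override Task<bool> IsAuthenticationDisabledAsync(CancellationToken cancellationToken)
        => Task.FromResult(false);

    public override Task<ServiceClientCredentials> CreateCredentialsAsync(
        string appId, string audience, string loginEndpoint, bool validateAuthority,
        CancellationToken cancellationToken)
    {
        if (!string.Equals(appId, clientId, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("appId does not match the configured identity.");

        return Task.FromResult<ServiceClientCredentials>(
            new ExampleManagedIdentityAppCredentials(appId, audience));
    }
}
```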

Key point:

  • Tokens generated by default with Bot Framework's ManagedIdentityAuthenticator fail to obtain a valid token.
  • Tokens generated manually with Azure.Identity work correctly.

Questions:

  • Am I missing a configuration step to make Bot Framework generate a valid token for a User Assigned Managed Identity?
  • Is it expected to need a custom authenticator in this scenario?
