Azure Key Vault plugin on Jenkins throws ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established

Jenkins setup:
Jenkins is installed on Kubernetes Cluster via Helm chart.
Jenkins Version: 2.414.2
Issue with: Azure Key Vault Plugin
Plugin Version: 214.vf667264ea_ccd

Hi Team,

We recently installed the Azure Key Vault plugin on our Jenkins and configured it with Azure Managed Identity credentials. We followed this documentation: Azure Key Vault | Jenkins plugin

Configured in Jenkins pipeline like below:

    def test() {
        azureKeyVault([[envVariable: 'test-creds', name: 'test-creds', secretType: 'secret']])
    }

Facing the below error:

com.azure.identity.CredentialUnavailableException: ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established.
at com.azure.identity.implementation.IdentityClient.lambda$authenticateToIMDSEndpoint$53(IdentityClient.java:1105)
at reactor.core.publisher.MonoCallable.call(MonoCallable.java:92)
at reactor.core.publisher.FluxFlatMap.trySubscribeScalarMap(FluxFlatMap.java:174)
at reactor.core.publisher.MonoFlatMap.subscribeOrReturn(MonoFlatMap.java:53)
at reactor.core.publisher.Mono.subscribe(Mono.java:4475)
at reactor.core.publisher.Mono.subscribeWith(Mono.java:4605)
at reactor.core.publisher.Mono.toFuture(Mono.java:5010)
at com.azure.identity.implementation.IdentityClientBase.lambda$getManagedIdentityConfidentialClient$1(IdentityClientBase.java:341)
at com.microsoft.aad.msal4j.AcquireTokenByAppProviderSupplier.fetchTokenUsingAppTokenProvider(AcquireTokenByAppProviderSupplier.java:66)

Kindly let me know what it is that I am doing wrong.

Thanks

Hello @tech_savy and welcome to this community. :wave:

It looks like the Azure Managed Identity for your Jenkins instance is having trouble authenticating or connecting to the Azure IMDS (Instance Metadata Service) endpoint.

Are you sure that the Azure Managed Identity you’ve configured in Jenkins has the appropriate permissions to access the Azure Key Vault? :thinking:
I think it should have at least the “get” permission on secrets.

Dear @poddingue
Thank you for your reply!

Yes, the Managed Identity has both Get and List permissions on Key Vault secrets. Do we also need it at the Key Vault level?

Thanks

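Added example, not part of the original thread or the plugin's documentation: a diagnostic sketch that separates the "Connection to IMDS endpoint cannot be established" case in the exception above from a Key Vault permission problem, which can only surface after a token has been issued. It assumes `curl` is present in the Jenkins container and that the script is run inside the pod (for example through `kubectl exec`); the function names and result keywords are made up for this example, and the token body is discarded so nothing sensitive reaches the logs.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread or the plugin).
# Run inside the Jenkins pod with: sh imds-check.sh --probe
# Assumption: curl is available in the container image.

# Azure IMDS token endpoint, requesting a token for Key Vault.
IMDS_URL='http://169.254.169.254/metadata/identity/oauth2/token'
IMDS_QUERY='api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net'

# Map a curl exit code and an HTTP status to a diagnosis keyword.
classify_imds_result() {
    curl_exit=$1
    http_status=$2
    if [ "$curl_exit" -ne 0 ]; then
        case "$curl_exit" in
            # 7 = failed to connect, 28 = timed out: the pod has no
            # network path to IMDS, which matches the exception above.
            7|28) echo "imds-unreachable" ;;
            *)    echo "curl-error-$curl_exit" ;;
        esac
        return 0
    fi
    case "$http_status" in
        # Token issued: look at Key Vault permissions next.
        200)     echo "token-issued" ;;
        # IMDS answered but rejected the request for an identity.
        400)     echo "identity-request-rejected" ;;
        429|5??) echo "imds-throttled-or-failing" ;;
        *)       echo "unexpected-http-$http_status" ;;
    esac
}

# Query IMDS; keep only the HTTP status, never the token itself.
probe_imds() {
    status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
        -H 'Metadata: true' "${IMDS_URL}?${IMDS_QUERY}") && rc=0 || rc=$?
    classify_imds_result "$rc" "$status"
}

# Only touch the network when explicitly asked to.
if [ "${1:-}" = "--probe" ]; then
    probe_imds
fi
```

A result of `imds-unreachable` points at the pod's network path to 169.254.169.254 rather than at the access policy on the vault.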