0.9.1-beta.26179.1 cannot find identity #1012

Description

@blowdart

Describe the bug
I updated a working workflow from 0.9.1-beta.25379.1 to 0.9.1-beta.26179.1. Signing that had previously worked failed.

Expected behavior
Signing to succeed

Actual behavior
Signing fails with

trce: Sign.SignatureProviders.KeyVault.KeyVaultService[0]
      Fetching certificate from Azure Key Vault.
fail: Azure.Identity[10]
      False MSAL 4.83.1.0 MSAL.NetCore .NET 8.0.25 Microsoft Windows 10.0.26100 [2026-05-01 10:00:57Z - b64cfd1d-f3e8-449e-abc3-3a70f325b0fd] Error message: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
      Status: BadRequest
      Content:
      {"error":"invalid_request","error_description":"Identity not found"}
      
      Headers:
      Server: IMDS/150.870.65.2020
      x-ms-request-id: a0b616f1-ee7e-4d1f-8cce-db5d8df16fff
      Date: Fri, 01 May 2026 10:00:56 GMT
      
      [Managed Identity] Error Code: invalid_request Error Description: Identity not found  Http status code: BadRequest
fail: Azure.Identity[10]
      False MSAL 4.83.1.0 MSAL.NetCore .NET 8.0.25 Microsoft Windows 10.0.26100 [2026-05-01 10:00:57Z - b64cfd1d-f3e8-449e-abc3-3a70f325b0fd] Exception type: Microsoft.Identity.Client.MsalServiceException
      , ErrorCode: managed_identity_request_failed
      HTTP StatusCode 0
      CorrelationId b64cfd1d-f3e8-449e-abc3-3a70f325b0fd
      To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
         at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.ManagedIdentity.ManagedIdentityClient.SendTokenRequestForManagedIdentityAsync(RequestContext requestContext, AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
      --- End of stack trace from previous location ---
         at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
         at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
      
fail: Sign.Core.ISigner[0]
      AKV10046: Unable to resolve the key used for signature validation. EncodedJwtHeader: '***'.
      Status: 401 (Unauthorized)
      ErrorCode: Unauthorized
      
      Content:
      {"error":{"code":"Unauthorized","message":"AKV10046: Unable to resolve the key used for signature validation. EncodedJwtHeader: '***'."}}
      
      Headers:
      Cache-Control: no-cache
      Pragma: no-cache
      x-ms-keyvault-region: westus2
      x-ms-client-request-id: 57f59fc7-3012-4cd0-87df-c178a9ade81b
      x-ms-request-id: f3aca4d3-96d6-4c79-90c6-dd6e33d6aa22
      x-ms-keyvault-service-version: 1.9.3070.2
      x-ms-keyvault-network-info: conn_type=Ipv4;addr=52.225.25.50;act_addr_fam=InterNetwork;
      X-Content-Type-Options: REDACTED
      Strict-Transport-Security: REDACTED
      WWW-Authenticate: ***"https://login.microsoftonline.com/***", resource="https://vault.azure.net/"
      Date: Fri, 01 May 2026 10:00:58 GMT
      Content-Type: application/json; charset=utf-8
      Expires: -1
      Content-Length: 266
      
      Azure.RequestFailedException: AKV10046: Unable to resolve the key used for signature validation. EncodedJwtHeader: '***'.
      Status: 401 (Unauthorized)
      ErrorCode: Unauthorized
      
      Content:
      {"error":{"code":"Unauthorized","message":"AKV10046: Unable to resolve the key used for signature validation. EncodedJwtHeader: '***'."}}
      
      Headers:
      Cache-Control: no-cache
      Pragma: no-cache
      x-ms-keyvault-region: westus2
      x-ms-client-request-id: 57f59fc7-3012-4cd0-87df-c178a9ade81b
      x-ms-request-id: f3aca4d3-96d6-4c79-90c6-dd6e33d6aa22
      x-ms-keyvault-service-version: 1.9.3070.2
      x-ms-keyvault-network-info: conn_type=Ipv4;addr=52.225.25.50;act_addr_fam=InterNetwork;
      X-Content-Type-Options: REDACTED
      Strict-Transport-Security: REDACTED
      WWW-Authenticate: ***"https://login.microsoftonline.com/***", resource="https://vault.azure.net/"
      Date: Fri, 01 May 2026 10:00:58 GMT
      Content-Type: application/json; charset=utf-8
      Expires: -1
      Content-Length: 266
      
         at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
         at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync[TResult](RequestMethod method, Func`1 resultFactory, CancellationToken cancellationToken, String[] path)
         at Azure.Security.KeyVault.Certificates.CertificateClient.GetCertificateAsync(String certificateName, CancellationToken cancellationToken)
         at Sign.SignatureProviders.KeyVault.KeyVaultService.GetCertificateAsync(CancellationToken cancellationToken) in /_/src/Sign.SignatureProviders.KeyVault/KeyVaultService.cs:line 66
         at Sign.Core.Signer.SignAsync(IReadOnlyList`1 inputFiles, String outputFile, FileInfo fileList, Boolean recurseContainers, DirectoryInfo baseDirectory, String applicationName, String publisherName, String description, Uri descriptionUrl, Uri timestampUrl, Int32 maxConcurrency, HashAlgorithmName fileHashAlgorithm, HashAlgorithmName timestampHashAlgorithm) in /_/src/Sign.Core/Signer.cs:line 79
Error: Process completed with exit code 1.

Additional context

  • Workflow authenticates to Azure Key Vault via OIDC, which succeeds
     C:\Windows\system32\cmd.exe /D /S /C ""C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" cloud set -n azurecloud"
     Done setting cloud: "azurecloud"
     Federated token details:
      issuer - https://token.actions.githubusercontent.com/
      subject claim - repo:blowdart/idunno.Security.Ssrf:environment:release
      audience - api://AzureADTokenExchange
      job_workflow_ref - blowdart/idunno.Security.Ssrf/.github/workflows/release.yml@refs/tags/v5.1.0
     Attempting Azure CLI login by using OIDC...
     Subscription is set successfully.
     Azure CLI login succeeds by using OIDC.
    
  • Reverting to 0.9.1-beta.25379.1 results in successful signing with no other changes.
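
An added triage example, not part of the original issue or of the Sign CLI project: it splits a log in the format shown above into logger entries and reports which credential source Azure.Identity actually tried, next to the Key Vault response. The sample log is constructed by abridging lines from the report, and the function and field names are hypothetical.

```python
import re

# Constructed sample: lines abridged from the log format shown in the issue above.
SAMPLE_LOG = """\
fail: Azure.Identity[10]
      False MSAL 4.83.1.0 [2026-05-01 10:00:57Z - b64cfd1d-f3e8-449e-abc3-3a70f325b0fd] Error message: [Managed Identity] Authentication unavailable.
      {"error":"invalid_request","error_description":"Identity not found"}
      Server: IMDS/150.870.65.2020
fail: Azure.Identity[10]
         at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(...)
fail: Sign.Core.ISigner[0]
      AKV10046: Unable to resolve the key used for signature validation.
      Status: 401 (Unauthorized)
Azure CLI login succeeds by using OIDC.
"""

ENTRY = re.compile(r"^(trce|dbug|info|warn|fail|crit): (\S+)\[\d+\]\s*$")
# Hypothetical field names mapped to the patterns that extract them, per logger category.
FIELDS = {
    "Azure.Identity": {
        "credential_source": r"ManagedIdentity\.(\w+ManagedIdentitySource)\.",
        "identity_error": r'"error_description":"([^"]*)"',
        "msal_correlation_id": r" - ([0-9a-f-]{36})\]",
    },
    "Sign.Core.ISigner": {
        "keyvault_error": r"\b(AKV\d+):",
        "keyvault_status": r"Status: (\d{3}) ",
    },
}

def split_entries(log):
    """Attach indented body lines to the preceding 'level: Category[id]' header."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"level": m.group(1), "category": m.group(2), "body": ""})
        elif entries:
            entries[-1]["body"] += line.strip() + "\n"
    return entries

def triage(log):
    """Report which credential source failed and how Key Vault answered."""
    r = {"cli_oidc_login_ok": "Azure CLI login succeeds by using OIDC" in log}
    for e in split_entries(log):
        for key, pattern in FIELDS.get(e["category"], {}).items():
            m = re.search(pattern, e["body"]) if e["level"] == "fail" else None
            r[key] = r.get(key) or (m.group(1) if m else None)  # first hit wins
    # Worth flagging: the OIDC login worked, yet the token request went to IMDS.
    r["credential_mismatch"] = bool(r["cli_oidc_login_ok"] and r.get("credential_source"))
    return r
```

Run over the full log from the report, `triage` gives the MSAL correlation ID to quote to maintainers and shows that the failing token request came from the managed-identity source, not from the OIDC-backed Azure CLI session.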
