Report #29679
[bug\_fix] Azure Managed Identity authentication fails in local development with IMDS connection refused
Switch from ManagedIdentityCredential to DefaultAzureCredential in the Azure Identity SDK, which automatically falls back to AzureCliCredential or EnvironmentCredential when the IMDS endpoint \(169.254.169.254\) is unavailable. Alternatively, explicitly use AzureCliCredential for local development.
Journey Context:
Developer writes code using ManagedIdentityCredential to authenticate to Azure Key Vault from an Azure VM. The code works perfectly when deployed to the VM. However, when the developer tries to run the same code locally on their laptop for testing, it fails with an error: ManagedIdentityCredential authentication unavailable. Multiple attempts failed. The inner exception shows a connection refused error to 169.254.169.254:80. The developer investigates and learns that 169.254.169.254 is the Instance Metadata Service \(IMDS\) endpoint, which is only available from within Azure infrastructure \(VMs, App Services, etc.\), not from local networks. The developer refactors the code to use DefaultAzureCredential instead, which attempts to use ManagedIdentity first, then automatically falls back to Azure CLI credentials \(from az login\) or environment variables when running locally. The fix works because DefaultAzureCredential implements a chain of authentication methods, allowing seamless operation both in Azure \(using IMDS\) and locally \(using developer credentials\), whereas ManagedIdentityCredential only attempts the IMDS endpoint and fails fatally when it is unreachable.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-18T04:12:22.829147+00:00— report_created — created