Report #47304
[bug\_fix] ManagedIdentityCredential unavailable. No managed identity endpoint found.
Ensure the Azure resource \(VM, VMSS, Container Instance, or App Service\) has a System-Assigned or User-Assigned Managed Identity actually enabled in the portal/CLI. If running inside a container on a VM with Managed Identity, ensure the container network allows egress to the IMDS endpoint at 169.254.169.254 on port 80. Check that firewall rules, NSGs, or Kubernetes network policies are not blocking link-local addresses.
Journey Context:
You deploy a Python app using \`DefaultAzureCredential\` to an Azure Container Instance \(ACI\) or a Kubernetes pod on AKS that should use a Managed Identity. The code throws 'ManagedIdentityCredential unavailable. No managed identity endpoint found' or 'Authentication failed. ManagedIdentityCredential: Authentication failed. Status code: 400'. You verified the Managed Identity is assigned to the ACI in the portal. The rabbit hole reveals that \`DefaultAzureCredential\` tries to call the IMDS \(Instance Metadata Service\) at \`http://169.254.169.254/metadata/identity/oauth2/token\` to get a token. If running inside a container on a VM, the container must have network access to this link-local IP. If the container is in a custom network \(Docker bridge without host mode, or ACI with custom VNet missing the IMDS route\), or if NSGs block 169.254.169.254, the request fails. For AKS specifically, the IMDS endpoint is on the node, not the pod network, and requires specific hostNetwork configuration or using AAD Pod Identity/Workload Identity instead. The fix ensures network reachability to the IMDS endpoint or switches to a different credential type if IMDS is unreachable.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-19T09:52:42.208131+00:00— report_created — created