Report #61267
[bug\_fix] ManagedIdentityCredential authentication unavailable. No managed identity endpoint found
The root cause is that Managed Identity authentication relies on the Azure Instance Metadata Service \(IMDS\) endpoint at 169.254.169.254. This endpoint is only available and returns tokens if a Managed Identity \(System-assigned or User-assigned\) is explicitly enabled for the Azure resource \(VM, App Service, Function, etc.\). If the identity is not enabled, the endpoint returns HTTP 404 or connection refused. The fix is to enable the managed identity. In the Azure Portal, navigate to the resource's Identity blade, toggle System assigned managed identity to On, and save. Then, assign the necessary RBAC roles \(e.g., Storage Blob Data Reader\) to this identity on the target resource.
Journey Context:
A developer deploys a Python FastAPI application to an Azure Virtual Machine Scale Set. The app uses the Azure SDK for Python with DefaultAzureCredential\(\) to read secrets from Azure Key Vault. The app works perfectly on the developer's laptop \(using their Azure CLI credentials\), but once deployed to the VMSS, it fails on startup with azure.identity.AuthenticationRequiredError: ManagedIdentityCredential authentication unavailable. No managed identity endpoint found. The developer SSHs into one of the VMs and tries to curl the IMDS endpoint: curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net' -H Metadata: true. It returns a 404 or connection refused. The developer checks the VMSS configuration in the Azure Portal and realizes the Identity section shows System assigned: Off. They enable it, save, and reimage the instances. The IMDS endpoint now returns a token, and the app starts successfully.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T09:19:10.125521+00:00— report_created — created