[BUG] ManagedIdentityCredential blocks normal identity chain on an infinite loop #48230

@McFoggy

Description

Describe the bug

When using DefaultAzureCredential in a local application (not deployed in Azure), the program loops because ManagedIdentityCredential always retries and does not delegate to the rest of the identity chain.

Changing the chain, for example by setting AZURE_TOKEN_CREDENTIALS="dev" (thus removing ManagedIdentityCredential), works as expected.

Exception or Stack Trace

11:33:44.003 [main] INFO  c.a.identity.ChainedTokenCredential - Azure Identity => Attempted credential EnvironmentCredential is unavailable.
11:33:44.005 [main] INFO  c.a.identity.ChainedTokenCredential - Azure Identity => Attempted credential WorkloadIdentityCredential is unavailable.
11:33:44.068 [azure-sdk-global-thread-0] INFO  c.m.a.m.IMDSManagedIdentitySource - [Managed Identity] Unable to find AZURE_POD_IDENTITY_AUTHORITY_HOST environment variable for IMDS, using the default endpoint.
11:33:44.068 [azure-sdk-global-thread-0] INFO  c.m.a.m.IMDSManagedIdentitySource - [Managed Identity] Creating IMDS managed identity source. Endpoint URI: http://169.254.169.254/metadata/identity/oauth2/token
WARNING: A restricted method in java.lang.System has been called
WARNING: java.lang.System::loadLibrary has been called by io.netty.util.internal.NativeLibraryUtil in an unnamed module (file:/home/mbrouillard/.m2/repository/io/netty/netty-common/4.1.130.Final/netty-common-4.1.130.Final.jar)
WARNING: Use --enable-native-access=ALL-UNNAMED to avoid a warning for callers in this module
WARNING: Restricted methods will be blocked in a future release unless native access is enabled

11:34:21.976 [reactor-http-epoll-1] WARN  r.n.http.client.HttpClientConnect - [635caaf7-1, L:/172.16.200.89:56846 ! R:169.254.169.254/169.254.169.254:80] The connection observed an error
reactor.netty.http.client.PrematureCloseException: Connection prematurely closed BEFORE response
11:34:21.978 [azure-sdk-global-thread-0] ERROR c.a.c.h.netty.NettyAsyncHttpClient - reactor.netty.http.client.PrematureCloseException: Connection prematurely closed BEFORE response
11:35:00.694 [reactor-http-epoll-2] WARN  r.n.http.client.HttpClientConnect - [c4141e4d-1, L:/172.16.200.89:60336 ! R:169.254.169.254/169.254.169.254:80] The connection observed an error
reactor.netty.http.client.PrematureCloseException: Connection prematurely closed BEFORE response
11:35:00.695 [azure-sdk-global-thread-0] ERROR c.a.c.h.netty.NettyAsyncHttpClient - reactor.netty.http.client.PrematureCloseException: Connection prematurely closed BEFORE response

To Reproduce

Execute the sample below; the program will not end.

Code Snippet

import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.storage.blob.BlobServiceClientBuilder;

public class App {
    public static void main(String[] args) {
        var creds = new DefaultAzureCredentialBuilder().build();
        var sc = new BlobServiceClientBuilder()
                .credential(creds)
                .endpoint("https://%s.blob.core.windows.net/".formatted("my-storage-account"))
                .buildClient();

        var blob = sc.getBlobContainerClient("the-container").getBlobClient("somefile.txt");

        System.out.println("Exists:" + blob.exists());
    }
}

Expected behavior

The program should execute immediately.
Azure token retrieval should try the whole chain as described in https://learn.microsoft.com/en-us/azure/developer/java/sdk/authentication/credential-chains#defaultazurecredential-overview

Screenshots

Setup (please complete the following information):

  • OS: Ubuntu
  • IDE: N/A
  • Library/Libraries:
    • com.azure:azure-sdk-bom:1.3.4
    • com.azure:azure-storage-blob version from BOM
    • com.azure:azure-identity version from BOM
  • Java version: 21.0.7-tem
  • App Server/Environment: N/A
  • Frameworks: N/A

Additional context

The exact same program in C# works as expected.

        <PackageReference Include="Azure.Identity" Version="1.18.0" />
        <PackageReference Include="Azure.Storage.Blobs" Version="12.27.0" />

using Azure.Identity;
using Azure.Storage.Blobs;

var creds = new DefaultAzureCredential();
BlobServiceClient client = new(new Uri("https://my-storage-account.blob.core.windows.net/"), creds);
BlobClient blobClient = client.GetBlobContainerClient("the-container").GetBlobClient(blobName: "somefile.txt");
Console.WriteLine("Exist?" + blobClient.Exists());

Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
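Added example (not the reporter's code, nor the SDK's own): a Java chain for developer machines that contains no ManagedIdentityCredential, so nothing is ever sent to the IMDS endpoint 169.254.169.254, plus a bounded token acquisition so a misbehaving credential fails fast at startup instead of hanging the first blob call. The helper names (localDevChain, tokenOrFail), the 30-second deadline and the storage account name are assumptions.

```java
import java.time.Duration;

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.AzureCliCredentialBuilder;
import com.azure.identity.AzureDeveloperCliCredentialBuilder;
import com.azure.identity.ChainedTokenCredentialBuilder;
import com.azure.identity.EnvironmentCredentialBuilder;
import com.azure.storage.blob.BlobServiceClientBuilder;

public class LocalChainApp {
    // Hypothetical helper: an explicit chain for local development. It never
    // includes ManagedIdentityCredential, so no IMDS probe is attempted.
    static TokenCredential localDevChain() {
        return new ChainedTokenCredentialBuilder()
                .addLast(new EnvironmentCredentialBuilder().build())
                .addLast(new AzureCliCredentialBuilder().build())
                .addLast(new AzureDeveloperCliCredentialBuilder().build())
                .build();
    }

    // Hypothetical helper: acquire a token with a deadline. Mono.block(Duration)
    // throws IllegalStateException when the deadline passes, so a credential
    // that retries forever surfaces as an error instead of a silent hang.
    static AccessToken tokenOrFail(TokenCredential cred, Duration deadline) {
        TokenRequestContext ctx = new TokenRequestContext()
                .addScopes("https://storage.azure.com/.default");
        return cred.getToken(ctx).block(deadline);
    }

    public static void main(String[] args) {
        TokenCredential creds = localDevChain();

        // Validate authentication once, up front (assumed 30 s deadline).
        AccessToken token = tokenOrFail(creds, Duration.ofSeconds(30));
        System.out.println("Token expires at " + token.getExpiresAt());

        var sc = new BlobServiceClientBuilder()
                .credential(creds)
                .endpoint("https://my-storage-account.blob.core.windows.net/")
                .buildClient();
        var blob = sc.getBlobContainerClient("the-container").getBlobClient("somefile.txt");
        System.out.println("Exists: " + blob.exists());
    }
}
```

In a deployed environment the chain should be built the other way round (managed identity only), so that the set of credentials tried is explicit in both cases rather than discovered at runtime.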

Labels

  • Azure.Identity: Client. This issue points to a problem in the data-plane of the library.
  • customer-reported: Issues that are reported by GitHub users external to the Azure organization.
  • question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that.

Status

Untriaged
