[v8.17.6] Azure Managed Identity Not Working – CredentialUnavailableException

We are trying to use User Assigned Managed Identity (UAMI) for snapshot repository authentication on Elasticsearch v8.17.6 running on Azure Virtual Machines Scale Set (Windows VM).

We followed the official docs:

https://www.elastic.co/guide/en/elasticsearch/plugins/current/repository-azure.html
https://www.elastic.co/guide/en/elasticsearch/plugins/current/repository-azure-client.html

Managed Identity is assigned to the VM and has Storage Blob Data Contributor access to the storage account.

However, we are getting the following error when trying to access the snapshot repository:

"reason": "credential_unavailable_exception: EnvironmentCredential authentication unavailable. Environment variables are not fully configured...
Managed Identity authentication is not available.
...
Azure Powershell authentication failed. Error Details: access denied (\"java.io.FilePermission\" \"<<ALL FILES>>\" \"execute\")"
POST "https://localhost:9200/_snapshot/elasticsearch-snapshots/_verify?pretty" -k
{
  "error" : {
    "root_cause" : [
      {
        "type" : "credential_unavailable_exception",
        "reason" : "credential_unavailable_exception: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/java/identity/environmentcredential/troubleshoot\r\nWorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/java/identity/workloadidentitycredential/troubleshoot\r\nManaged Identity authentication is not available.\r\nSharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.\r\naccess denied (\"java.io.FilePermission\" \"C:\\Windows\\system32\\config\\systemprofile\\AzureToolsForIntelliJ\\AuthMethodDetails.json\" \"read\")\r\naccess denied (\"java.io.FilePermission\" \"<<ALL FILES>>\" \"execute\")\r\nAzure Powershell authentication failed. Error Details: access denied (\"java.io.FilePermission\" \"<<ALL FILES>>\" \"execute\"). To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/java/identity/powershellcredential/troubleshoot\r\naccess denied (\"java.io.FilePermission\" \"<<ALL FILES>>\" \"execute\")To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azure-identity-java-default-azure-credential-troubleshoot",
        "suppressed" : [
          {
            "type" : "exception",
            "reason" : "exception: #block terminated with an error"
          }
        ]
      }
    ],
    "type" : "repository_verification_exception",
    "reason" : "[elasticsearch-snapshots] path [elasticsearch-snapshots] is not accessible on master node",
    "caused_by" : {
      "type" : "credential_unavailable_exception",
      "reason" : "credential_unavailable_exception: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/java/identity/environmentcredential/troubleshoot\r\nWorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/java/identity/workloadidentitycredential/troubleshoot\r\nManaged Identity authentication is not available.\r\nSharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.\r\naccess denied (\"java.io.FilePermission\" \"C:\\Windows\\system32\\config\\systemprofile\\AzureToolsForIntelliJ\\AuthMethodDetails.json\" \"read\")\r\naccess denied (\"java.io.FilePermission\" \"<<ALL FILES>>\" \"execute\")\r\nAzure Powershell authentication failed. Error Details: access denied (\"java.io.FilePermission\" \"<<ALL FILES>>\" \"execute\"). To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/java/identity/powershellcredential/troubleshoot\r\naccess denied (\"java.io.FilePermission\" \"<<ALL FILES>>\" \"execute\")To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azure-identity-java-default-azure-credential-troubleshoot",
      "suppressed" : [
        {
          "type" : "exception",
          "reason" : "exception: #block terminated with an error"
        }
      ]
    }
  },
  "status" : 500
}

Things we tried:

  • We can successfully fetch the token manually via:

    curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?resource=https://storage.azure.com&api-version=2018-02-01"
    
  • Verified network access to storage container.

  • Added the correct elasticsearch.yml config:

    azure.client.default.account: <storage-account-name>
    azure.client.default.endpoint_suffix: core.windows.net
    
  • Tried with and without azure.client.default.managed_identity = true (it’s not documented).

  • Plugin is bundled, no extra install.

Questions:

  1. Is there an example of working Managed Identity (MSI) config on Windows VMs for snapshot repo?
  2. Is there a known issue with the DefaultAzureCredential chain inside Elasticsearch on Windows?
  3. Should we instead pass the token manually using elasticsearch-keystore add-file azure.client.default.token_file?

Any guidance would be appreciated!
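The curl call in the list above only shows that IMDS answers; it does not show which identity the token is for, nor whether its audience is the storage resource. The script below is an added diagnostic, not code from this thread or from Elastic: it builds the IMDS request with an explicit `client_id` (the IMDS query parameter that selects a user-assigned identity when a VM carries more than one, and the same selection `AZURE_CLIENT_ID` makes for the SDK), and decodes the returned token's claims to check `appid`, `aud` and expiry. The client id, and the token in `sample_imds_response`, are constructed placeholders; the signature is not verified because the point is to read the claims, not to trust the token.

```python
"""Added diagnostic (not from the thread or from Elastic): request an IMDS token
for a specific user-assigned managed identity and inspect what came back."""
import base64
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
STORAGE_RESOURCE = "https://storage.azure.com"
API_VERSION = "2018-02-01"  # same api-version as the curl call in the post


def build_imds_url(resource=STORAGE_RESOURCE, client_id=None, api_version=API_VERSION):
    """Build the IMDS token URL. When the VM has more than one identity, IMDS
    needs client_id (or object_id) to know which one to use; passing it is the
    IMDS-level equivalent of setting AZURE_CLIENT_ID for the Azure SDK."""
    params = {"resource": resource, "api-version": api_version}
    if client_id:
        params["client_id"] = client_id
    return IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)


def fetch_imds_token(url, timeout=5):
    """Live call; only works from inside an Azure VM. The Metadata header is mandatory."""
    req = urllib.request.Request(url, headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(access_token):
    """Decode the payload of a JWT for inspection only (no signature check)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def inspect_token(token_response, expected_client_id, resource=STORAGE_RESOURCE, now=None):
    """Pass/fail checks on an IMDS token response for the identity we expect."""
    now = time.time() if now is None else now
    claims = jwt_claims(token_response["access_token"])
    expires_on = int(token_response["expires_on"])  # IMDS returns epoch seconds as a string
    audience = str(claims.get("aud", "")).rstrip("/")
    return {
        "audience_ok": audience == resource.rstrip("/"),
        "identity_ok": claims.get("appid") == expected_client_id,  # appid is the UAMI's client id
        "not_expired": expires_on > now,
        "seconds_left": int(expires_on - now),
    }


def sample_imds_response(client_id, expires_on, aud=STORAGE_RESOURCE + "/"):
    """Constructed sample shaped like an IMDS response. The token is unsigned
    (empty signature segment) and exists only to exercise inspect_token offline."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {"aud": aud, "appid": client_id, "exp": expires_on}
    token = ".".join([_b64url_encode(json.dumps(header).encode()),
                      _b64url_encode(json.dumps(claims).encode()), ""])
    return {"access_token": token, "expires_on": str(expires_on),
            "resource": aud, "token_type": "Bearer"}


if __name__ == "__main__":
    uami = "00000000-0000-0000-0000-000000000000"  # placeholder: your UAMI's client id
    print(build_imds_url(client_id=uami))
    now = int(time.time())
    # Against a live VM: inspect_token(fetch_imds_token(build_imds_url(client_id=uami)), uami)
    print(inspect_token(sample_imds_response(uami, now + 3600), uami, now=now))
```

Run it on the VM with `fetch_imds_token` in place of the sample: if `identity_ok` is false, IMDS handed out a different identity than the one granted Storage Blob Data Contributor, which is exactly the kind of mismatch a plain curl hides.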

Thanks for sharing all the details, that helps a lot.

Here’s a quick run-through of what I see:

  1. Working config on Windows VMs?
    There aren’t many public examples for UAMI on Windows VMs, but your setup looks mostly correct. You only need:

azure.client.default.account: <storage-account-name>
azure.client.default.endpoint_suffix: core.windows.net

No need to set azure.client.default.managed_identity = true; the plugin uses DefaultAzureCredential, which already tries Managed Identity under the hood.

  2. Known issues on Windows?
    Yes, and your error log points right to them. On Windows, some parts of the DefaultAzureCredential chain (like EnvironmentCredential and AzurePowerShellCredential) can fail due to file system restrictions or missing env vars.

In many cases, the SDK doesn’t cleanly skip over these failures, so the Managed Identity part doesn’t even get a chance to run.

This is especially true when Elasticsearch runs as a service under systemprofile, which has very limited permissions.

  3. Manual token via keystore?
    Yes, that’s a solid workaround. Since you can already get the token manually from IMDS, you can save it and use:

elasticsearch-keystore add-file azure.client.default.token_file /path/to/token.json

Just make sure the file has the correct structure (with "access_token"), and keep in mind the token expires every hour so you’d need a script to refresh and reload it periodically.

Tried the workaround, getting this error:

java.lang.IllegalArgumentException: unknown secure setting [azure.client.default.token_file] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
	at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:564) ~[elasticsearch-8.17.6.jar:?]
	at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:510) ~[elasticsearch-8.17.6.jar:?]
	at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:480) ~[elasticsearch-8.17.6.jar:?]
	at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:450) ~[elasticsearch-8.17.6.jar:?]
	at org.elasticsearch.common.settings.SettingsModule.<init>(SettingsModule.java:133) ~[elasticsearch-8.17.6.jar:?]
	at org.elasticsearch.common.settings.SettingsModule.<init>(SettingsModule.java:51) ~[elasticsearch-8.17.6.jar:?]
	at org.elasticsearch.node.NodeConstruction.validateSettings(NodeConstruction.java:530) ~[elasticsearch-8.17.6.jar:?]
	at org.elasticsearch.node.NodeConstruction.prepareConstruction(NodeConstruction.java:280) ~[elasticsearch-8.17.6.jar:?]
	at org.elasticsearch.node.Node.<init>(Node.java:200) ~[elasticsearch-8.17.6.jar:?]
	at org.elasticsearch.bootstrap.Elasticsearch$2.<init>(Elasticsearch.java:247) ~[elasticsearch-8.17.6.jar:?]
	at org.elasticsearch.bootstrap.Elasticsearch.initPhase3(Elasticsearch.java:247) ~[elasticsearch-8.17.6.jar:?]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:76) ~[elasticsearch-8.17.6.jar:?]

Thanks for the update — that error makes it clear.

azure.client.default.token_file isn’t a valid setting. It’s not supported by the Azure repository plugin in 8.17.6, so that approach won’t work.

If you’re using User Assigned Managed Identity, try setting this environment variable on the VM:

AZURE_CLIENT_ID=<your-uami-client-id>

Make sure no other Azure-related env vars are set that could interfere. This will force the SDK to use your UAMI directly.

If that still fails, the fallback is to use a storage account access key via:

elasticsearch-keystore add azure.client.default.account
elasticsearch-keystore add azure.client.default.key

Let me know how it goes.
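The reply above says to set `AZURE_CLIENT_ID` and make sure no other Azure variables interfere, but does not say which variables those are. The check below is an added example, not from the thread or from Elastic: it takes a mapping of environment variables and reports whether `AZURE_CLIENT_ID` pins the user-assigned identity and whether the variables that `EnvironmentCredential` (the first link of the DefaultAzureCredential chain) reads would make the SDK authenticate as a service principal instead. The function name and the constructed sample environments are mine.

```python
"""Added check (not from the thread or from Elastic): how the Azure SDK will read
the AZURE_* variables that the Elasticsearch service process actually sees."""
import os
import re

# Read by EnvironmentCredential together with AZURE_CLIENT_ID. When a complete
# set is present, the chain authenticates as a service principal and never gets
# to ManagedIdentityCredential; an incomplete set yields the "Environment
# variables are not fully configured" message seen in the original error.
TENANT_VAR = "AZURE_TENANT_ID"
SECRET_VARS = ("AZURE_CLIENT_SECRET", "AZURE_CLIENT_CERTIFICATE_PATH",
               "AZURE_USERNAME", "AZURE_PASSWORD")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def assess_azure_env(env):
    """Return findings for the environment mapping `env` (os.environ, or a dict
    built from the Machine-scope environment the Windows service receives)."""
    client_id = env.get("AZURE_CLIENT_ID", "")
    tenant = env.get(TENANT_VAR, "")
    secrets_present = [k for k in SECRET_VARS if env.get(k)]
    findings = []

    if not client_id:
        findings.append("AZURE_CLIENT_ID unset: ManagedIdentityCredential will not "
                        "select the user-assigned identity")
    elif not GUID_RE.match(client_id):
        findings.append("AZURE_CLIENT_ID is not a GUID; the UAMI's client id is "
                        "expected, not its name or resource id")

    if client_id and tenant and secrets_present:
        findings.append("complete service-principal configuration (" +
                        ", ".join([TENANT_VAR] + secrets_present) +
                        "): EnvironmentCredential will be used instead of the UAMI")
    elif tenant or secrets_present:
        findings.append("partial EnvironmentCredential configuration (" +
                        ", ".join(([TENANT_VAR] if tenant else []) + secrets_present) +
                        "): unset these so the chain does not trip over them")

    return {
        "pins_uami": bool(client_id) and bool(GUID_RE.match(client_id))
                     and not (tenant and secrets_present),
        "service_principal_vars": ([TENANT_VAR] if tenant else []) + secrets_present,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in assess_azure_env(os.environ)["findings"] or ["no Azure env-var findings"]:
        print(line)
```

Run it with `os.environ` from a shell started as the service account, or feed it the Machine-scope variables (the ones `[Environment]::SetEnvironmentVariable(name, value, 'Machine')` writes) and restart the Elasticsearch service afterwards, since a running service keeps the environment it was started with.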