Transient error handling for Azure MSI authentication

Question

Are there errors that Managed Service Identity (MSI) authentication that are transient and worthwhile retrying?

Reading through the implementation I can see HttpRequestException and Exception are absorbed by the framework and rethrown as AzureServiceTokenProviderException without an inner exception.

https://github.com/Azure/azure-sdk-for-net/blob/25adfede2b99391c29b5913fc289ff9511c9b26d/src/SdkCommon/AppAuthentication/Azure.Services.AppAuthentication/TokenProviders/MsiAccessTokenProvider.cs

I'm wondering (if any transient errors are possible), whether I'd need to inspect the exception message extracting the embedded http status code in the message and rethrow an e.g. my own AzureServiceTokenProviderTransientException capturing it in my retry logic.

My initial question is are there any known transient exceptions for MSI auth and secondly if there is any built in retry logic or recommended practices?

Answer 1

There error codes that MSI returns are documented here.

AzureServiceTokenProvider does include the exception details for cases where the HTTP response was not successful, so error codes like 404, 429, 500, will be included in the exception, along with an exception message. The exceptions that are absorbed are when the HTTP response was not received, e.g. when there is no MSI endpoint. The relevant code is here.

There is a retry logic recommended in the MSI documentation here. I have added a GitHub issue to implement this retry logic in the App Authentication library.