Authentication fails in managed identity based github actions

[blowdart]

Describe the bug
When using a managed identity in a github action which has previously worked failures now occur. No changes have been made to the managed identity or its permissions in Azure.

Repro steps

Have a github action that authentications with the azure login action, which succeeds, then try to use sign which fails with exceptions.

Tool version: 0.9.1-beta.25379.1

Action definition: blowdart/idunno.Bluesky.Utils@7d75d54

Expected behavior
Signing succeeds

Actual behavior
Exceptions are thrown

fail: Azure.Identity[10]
      False MSAL 4.73.1.0 MSAL.NetCore .NET 8.0.21 Microsoft Windows 10.0.26100 [2025-11-21 15:05:31Z - 6a5c2127-d631-48c6-b130-b705bdd875c0] Error message: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
      Status: BadRequest
      Content:
      {"error":"invalid_request","error_description":"Identity not found"}
      
      Headers:
      Server: IMDS/150.870.65.1854
      x-ms-request-id: aadc88c7-e4eb-43ba-b780-bedbf7c9301c
      Date: Fri, 21 Nov 2025 15:05:30 GMT
      
      [Managed Identity] Error Code: invalid_request Error Description: Identity not found  Http status code: BadRequest
fail: Azure.Identity[10]
      False MSAL 4.73.1.0 MSAL.NetCore .NET 8.0.21 Microsoft Windows 10.0.26100 [2025-11-21 15:05:31Z - 6a5c2127-d631-48c6-b130-b705bdd875c0] Exception type: Microsoft.Identity.Client.MsalServiceException
      , ErrorCode: managed_identity_request_failed
      HTTP StatusCode 0
      CorrelationId 6a5c2127-d631-48c6-b130-b705bdd875c0
      To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
         at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
      --- End of stack trace from previous location ---
         at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
         at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
      
fail: Sign.Core.ISigner[0]
      ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
      Status: BadRequest
      Content:
      {"error":"invalid_request","error_description":"Identity not found"}
      
      Headers:
      Server: IMDS/150.870.65.1854
      x-ms-request-id: aadc88c7-e4eb-43ba-b780-bedbf7c9301c
      Date: Fri, 21 Nov 2025 15:05:30 GMT
      
      [Managed Identity] Error Code: invalid_request Error Description: Identity not found 
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
      Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
      Status: BadRequest
      Content:
      {"error":"invalid_request","error_description":"Identity not found"}
      
      Headers:
      Server: IMDS/150.870.65.1854
      x-ms-request-id: aadc88c7-e4eb-43ba-b780-bedbf7c9301c
      Date: Fri, 21 Nov 2025 15:05:30 GMT
      
      [Managed Identity] Error Code: invalid_request Error Description: Identity not found 
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
       ---> MSAL.NetCore.4.73.1.0.MsalServiceException:
      	ErrorCode: managed_identity_request_failed
      Microsoft.Identity.Client.MsalServiceException: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
      Status: BadRequest
      Content:
      {"error":"invalid_request","error_description":"Identity not found"}
      
      Headers:
      Server: IMDS/150.870.65.1854
      x-ms-request-id: aadc88c7-e4eb-43ba-b780-bedbf7c9301c
      Date: Fri, 21 Nov 2025 15:05:30 GMT
      
      [Managed Identity] Error Code: invalid_request Error Description: Identity not found 
         at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
      --- End of stack trace from previous location ---
         at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
         at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
         at Microsoft.Identity.Client.ApiConfig.Executors.ManagedIdentityExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForManagedIdentityParameters managedIdentityParameters, CancellationToken cancellationToken)
         at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsyncCore(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
         at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
         at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
         at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
	StatusCode: 0 
	ResponseBody:  
	Headers: 
         --- End of inner exception stack trace ---
         at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
         at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
         at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
         at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.SetResultOnTcsFromCredentialAsync(TokenRequestContext context, TaskCompletionSource`1 targetTcs, Boolean async, CancellationToken cancellationToken)
         at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetAuthHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
         at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.TokenRequestState.GetCurrentHeaderValue(Boolean async, Boolean checkForCompletion, CancellationToken cancellationToken)
         at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetAuthHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
         at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequestAsync(HttpMessage message, TokenRequestContext context)
         at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthorizeRequestOnChallengeAsyncInternal(HttpMessage message, Boolean async)
         at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.ProcessAsyncInternal(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
         at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
         at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
         at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
         at Azure.Core.Pipeline.HttpPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
         at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
         at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync[TResult](RequestMethod method, Func`1 resultFactory, CancellationToken cancellationToken, String[] path)
         at Azure.Security.KeyVault.Certificates.CertificateClient.GetCertificateAsync(String certificateName, CancellationToken cancellationToken)
         at Sign.SignatureProviders.KeyVault.KeyVaultService.GetCertificateAsync(CancellationToken cancellationToken) in /_/src/Sign.SignatureProviders.KeyVault/KeyVaultService.cs:line 66
         at Sign.Core.Signer.SignAsync(IReadOnlyList`1 inputFiles, String outputFile, FileInfo fileList, Boolean recurseContainers, DirectoryInfo baseDirectory, String applicationName, String publisherName, String description, Uri descriptionUrl, Uri timestampUrl, Int32 maxConcurrency, HashAlgorithmName fileHashAlgorithm, HashAlgorithmName timestampHashAlgorithm) in /_/src/Sign.Core/Signer.cs:line 79
Error: Process completed with exit code 1.

[blowdart]

Note that this happens both with KeyVault hosted keys and with Trusted Signing.

The above is KeyVault, Trusted Signing exceptions are as follows

fail: Azure.Identity[10]
      False MSAL 4.73.1.0 MSAL.NetCore .NET 8.0.21 Microsoft Windows 10.0.26100 [2025-11-18 18:54:04Z - 512d3b66-c622-4be3-a7aa-73339ea47007] Error message: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
      Status: BadRequest
      Content:
      {"error":"invalid_request","error_description":"Identity not found"}
      
      Headers:
      Server: IMDS/150.870.65.1854
      x-ms-request-id: 6867d276-3b7b-4ab4-bf0d-d5478ef91021
      Date: Tue, 18 Nov 2025 18:54:03 GMT
      
      [Managed Identity] Error Code: invalid_request Error Description: Identity not found  Http status code: BadRequest
fail: Azure.Identity[10]
      False MSAL 4.73.1.0 MSAL.NetCore .NET 8.0.21 Microsoft Windows 10.0.26100 [2025-11-18 18:54:04Z - 512d3b66-c622-4be3-a7aa-73339ea47007] Exception type: Microsoft.Identity.Client.MsalServiceException
      , ErrorCode: managed_identity_request_failed
      HTTP StatusCode 0
      CorrelationId 512d3b66-c622-4be3-a7aa-73339ea47007
      To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
         at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
      --- End of stack trace from previous location ---
         at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
         at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

Trusted signing is arguably worse, because that doesn't seem to set a return value, so the github action thinks it worked and doesn't halt like it ought to.

[blowdart]

Oh good grief. The lesson here is to trust the tool exit code. Despite the exceptions above ending up in the github actions log the sign process worked, the output is, in fact signed.

So, who knows why that exception is logged. Definitely confusing. I'll try again when you publish the tool with the latest dependencies and see if the false alarm from MSAL goes away :)