Add troubleshooting links to relevant errors (Azure#18676)

gracewilcox · web-flow · commit bfeed7ad8870 · 2022-07-25T14:13:48.000-07:00
diff --git a/sdk/azidentity/CHANGELOG.md b/sdk/azidentity/CHANGELOG.md
@@ -50,6 +50,7 @@
 ### Other Changes
 * `GetToken()` returns an error when the caller specifies no scope
 * Updated to the latest versions of `golang.org/x/crypto`, `azcore` and `internal`
+* Updated AuthenicationFailedError to include links to TROUBLESHOOTING.md for relevant errors
 
 ## 0.14.0 (2022-04-05)
 
diff --git a/sdk/azidentity/TROUBLESHOOTING.md b/sdk/azidentity/TROUBLESHOOTING.md
@@ -88,6 +88,7 @@ azlog.SetEvents(azidentity.EventAuthentication)
 |---|---|---|
 |Missing or incomplete environment variable configuration|A valid combination of environment variables wasn't set|Ensure the appropriate environment variables are set for the intended authentication method as described in the [module documentation](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#EnvironmentCredential)|
 
+<a id="client-secret"></a>
 ## Troubleshoot ClientSecretCredential authentication issues
 
 | Error Code | Issue | Mitigation |
@@ -96,19 +97,22 @@ azlog.SetEvents(azidentity.EventAuthentication)
 |AADSTS7000222|An expired client secret was provided.|Create a new client secret using the Azure portal. Details on creating a new client secret are in [Azure AD documentation](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret).|
 |AADSTS700016|The specified application wasn't found in the specified tenant.|Ensure the client and tenant IDs provided to the credential constructor are correct for your application registration. For multi-tenant apps, ensure the application has been added to the desired tenant by a tenant admin. To add a new application in the desired tenant, follow the [Azure AD instructions](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal).|
 
+<a id="client-cert"></a>
 ## Troubleshoot ClientCertificateCredential authentication issues
 
 | Error Code | Description | Mitigation |
 |---|---|---|
 |AADSTS700027|Client assertion contains an invalid signature.|Ensure the specified certificate has been uploaded to the application registration as described in [Azure AD documentation](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-1-upload-a-certificate).|
 |AADSTS700016|The specified application wasn't found in the specified tenant.|Ensure the client and tenant IDs provided to the credential constructor are correct for your application registration. For multi-tenant apps, ensure the application has been added to the desired tenant by a tenant admin. To add a new application in the desired tenant, follow the [Azure AD instructions](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal).|
 
+<a id="username-password"></a>
 ## Troubleshoot UsernamePasswordCredential authentication issues
 
 | Error Code | Issue | Mitigation |
 |---|---|---|
 |AADSTS50126|The provided username or password is invalid.|Ensure the username and password provided to the credential constructor are valid.|
 
+<a id="managed-id"></a>
 ## Troubleshoot ManagedIdentityCredential authentication issues
 
 `ManagedIdentityCredential` is designed to work on a variety of Azure hosts support managed identity. Configuration and troubleshooting vary from host to host. The below table lists the Azure hosts that can be assigned a managed identity and are supported by `ManagedIdentityCredential`.
@@ -164,6 +168,7 @@ curl "$IDENTITY_ENDPOINT?resource=https://management.core.windows.net&api-versio
 |---|---|---|
 |"no azure identity found for request clientID"|The application attempted to authenticate before an identity was assigned to its pod|Verify the pod is labeled correctly. This also occurs when a correctly labeled pod authenticates before the identity is ready. To prevent initialization races, configure NMI to set the Retry-After header in its responses as described in [Pod Identity documentation](https://azure.github.io/aad-pod-identity/docs/configure/feature_flags/#set-retry-after-header-in-nmi-response).
 
+<a id="azure-cli"></a>
 ## Troubleshoot AzureCliCredential authentication issues
 
 | Error Message |Description| Mitigation |
diff --git a/sdk/azidentity/errors.go b/sdk/azidentity/errors.go
@@ -75,6 +75,22 @@ func (e *AuthenticationFailedError) Error() string {
 		fmt.Fprint(msg, "Response contained no body")
 	}
 	fmt.Fprintln(msg, "\n--------------------------------------------------------------------------------")
+	var anchor string
+	switch e.credType {
+	case credNameAzureCLI:
+		anchor = "azure-cli"
+	case credNameCert:
+		anchor = "client-cert"
+	case credNameSecret:
+		anchor = "client-secret"
+	case credNameManagedIdentity:
+		anchor = "managed-id"
+	case credNameUserPassword:
+		anchor = "username-password"
+	}
+	if anchor != "" {
+		fmt.Fprintf(msg, "To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#%s", anchor)
+	}
 	return msg.String()
 }
 
