Symptom
When the user issues a peer Fail command for HA version 3 in Azure gov cloud, the following error appears in the logs:
show logging:
CSR HA: peerFail event for node
Requesting token for fetching the routes from route table
Requesting token from default authentication application
Obtained token successfully
Route GET request failed with code 401
Route table get response:
{"error":{"code":"InvalidAuthenticationTokenAudience","message":"The access token has been obtained for wrong audience or resource 'https://management.azure.com/'. It should exactly match with one of the allowed audiences 'https://management.core.usgovcloudapi.net/','https://management.core.usgovcloudapi.net','https://management.usgovcloudapi.net/','https://management.usgovcloudapi.net'."}}
Route table not found.
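The token was obtained successfully, but for the wrong resource: its audience is 'https://management.azure.com/' rather than one of the Azure gov cloud management endpoints listed in the error.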
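An added diagnostic example (not Cisco's code and not part of the CSR HA package): it parses the 401 body shown above and compares a token's `aud` claim with the allowed audiences. The function names and the unsigned sample token are constructed for illustration.

```python
import base64
import json
import re

# Error body copied from the log output above.
ERROR_BODY = (
    '{"error":{"code":"InvalidAuthenticationTokenAudience","message":"The access token '
    "has been obtained for wrong audience or resource 'https://management.azure.com/'. "
    "It should exactly match with one of the allowed audiences "
    "'https://management.core.usgovcloudapi.net/','https://management.core.usgovcloudapi.net',"
    "'https://management.usgovcloudapi.net/','https://management.usgovcloudapi.net'.\"}}"
)

def parse_audience_error(body):
    """Return (rejected_audience, allowed_audiences) from the 401 error body."""
    err = json.loads(body)["error"]
    if err["code"] != "InvalidAuthenticationTokenAudience":
        raise ValueError("not an audience error: " + err["code"])
    head, _, tail = err["message"].partition("allowed audiences")
    rejected = re.findall(r"'([^']+)'", head)
    return (rejected[0] if rejected else None), re.findall(r"'([^']+)'", tail)

def token_audience(token):
    """Read the 'aud' claim from a JWT payload. No signature check: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]

def audience_matches(token, allowed):
    """Exact string match, as the error message requires ('should exactly match')."""
    return token_audience(token) in allowed

def constructed_token(aud):
    """Build an unsigned sample token for this demo (constructed, not a real credential)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"aud": aud}), "sig"])

if __name__ == "__main__":
    rejected, allowed = parse_audience_error(ERROR_BODY)
    for aud in (rejected, allowed[0]):
        tok = constructed_token(aud)
        print(aud, "->", "accepted" if audience_matches(tok, allowed) else "rejected (401)")
```

The comparison is an exact string match, so a token issued for the public-cloud audience fails against every gov cloud entry even though the token request itself succeeded.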
Conditions
This issue was seen on the Azure platform for usgovcloud while trying to set up HA version 3.
Workaround
Use Azure Active Directory instead of MSI.
Further Problem Description
Support for MSI on CSR in Azure GovCloud was also seen for HA solution version 2. The fix for HAv2 is still compatible with Azure GovCloud; thus, the latest releases for both HAv2 and HAv3 will support MSI for Azure GovCloud.