
[BUG] AKS Automatic: Failure with non-hyphen X-Ms-Correlation-Request-Id

Open torumakabe opened this issue 4 months ago • 3 comments

Describe the bug

In the AKS “Automatic” path (Deployment Safeguards), requests appear to be validated using the X-Ms-Correlation-Request-Id header. When a client (Azure Developer CLI, azd) sends a 32-hex value without hyphens (e.g., a W3C Trace Context trace-id), the deployment fails; performing the same operation via Azure CLI (which sends a hyphenated GUID) succeeds. For full context, logs, and discussion, please see: https://github.com/Azure/azure-dev/issues/5851

Observed error message

GetDeploymentSafeguardsFailed: The on behalf of token's correlation ID 'a161af237f2cd19acc115e06190a47f0' does not match with current correlation ID 'a161af23-7f2c-d19a-cc11-5e06190a47f0'.

To Reproduce

Steps to reproduce the behavior:

  1. Run an AKS deployment via azd (e.g., azd up / azd provision) in an environment where Deployment Safeguards (AKS Automatic) are active. azd sends X-Ms-Correlation-Request-Id as a 32-hex, no-hyphen value.
  2. Observe the error above.
  3. Run the equivalent operation via Azure CLI (which sends a hyphenated GUID).
  4. Observe that the operation succeeds. (Exact commands, headers, and error output are in azd issue #5851.)

Expected behavior

  • If X-Ms-Correlation-Request-Id is used for validation, the comparison should be format-agnostic (ignore hyphens and case; compare the underlying 16-byte value).
  • If a specific string format (e.g., hyphenated GUID) is required, please document this explicitly.

Screenshots

N/A. Redacted logs and header samples are available in azd issue #5851.

Environment (please complete the following information):

  • CLI Version: See azd issue #5851 for exact versions.
  • Kubernetes version: See azd issue #5851.
  • CLI Extension version: See azd issue #5851 (if applicable).
  • Browser: N/A

Additional context

Two confirmation questions for the AKS team:

  1. Is X-Ms-Correlation-Request-Id used in Deployment Safeguards validation?
  2. If yes, does hyphen presence or letter case affect the comparison? Accepting both formats (by normalizing) or documenting the required format would improve interoperability.

torumakabe Oct 06 '25 07:10
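The format-agnostic comparison requested under "Expected behavior", as an added example that is not part of the original issue and is not AKS or azd code. The function names are hypothetical; the two IDs are the ones quoted in the error message above.

```python
import re

# The two spellings of one 128-bit ID seen in this issue:
# 32 hex digits (W3C trace-id style) or 8-4-4-4-12 groups (GUID style).
_PLAIN = re.compile(r"[0-9a-fA-F]{32}")
_HYPHENATED = re.compile(
    r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
)


def correlation_id_bytes(value: str) -> bytes:
    """Return the 16-byte value behind a correlation ID string.

    Only the two exact layouts above are accepted, so hyphens in the
    wrong places or a wrong length are rejected rather than guessed at.
    """
    text = value.strip()
    if _PLAIN.fullmatch(text):
        return bytes.fromhex(text)
    if _HYPHENATED.fullmatch(text):
        return bytes.fromhex(text.replace("-", ""))
    raise ValueError(f"not a 128-bit correlation ID: {value!r}")


def naive_match(token_id: str, header_id: str) -> bool:
    """Plain string equality: the behaviour the error message implies."""
    return token_id == header_id


def normalized_match(token_id: str, header_id: str) -> bool:
    """Compare the underlying 16 bytes, ignoring hyphens and case."""
    try:
        return correlation_id_bytes(token_id) == correlation_id_bytes(header_id)
    except ValueError:
        # A malformed ID never matches anything.
        return False


# Values taken from the observed error message in this issue.
TOKEN_ID = "a161af237f2cd19acc115e06190a47f0"
HEADER_ID = "a161af23-7f2c-d19a-cc11-5e06190a47f0"

if __name__ == "__main__":
    print("naive:", naive_match(TOKEN_ID, HEADER_ID))
    print("normalized:", normalized_match(TOKEN_ID, HEADER_ID))
```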

Any updates? This has been a blocker for adopting AKS Automatic.

torumakabe Nov 14 '25 02:11

Any updates? This has been a blocker for adopting AKS Automatic.

torumakabe Dec 14 '25 23:12

I just tested this issue and confirmed it still reproduces:

GetDeploymentSafeguardsFailed: The on behalf of token's correlation ID aa7860fa703f3c3295b36d95c8844cb1' does not match with current correlation ID 'aa7860fa-703f-3c32-95b3-6d95c8844cb1'

Could you please reopen this issue? The correlation ID format mismatch between azd (no hyphens) and AKS Deployment Safeguards (hyphenated GUID) is still blocking AKS Automatic deployments via azd.

torumakabe Jan 22 '26 00:01