I'm getting the following error when I attempt to access a Key Vault from my local machine via

DefaultAzureCredential()

I'm running the following two lines, but I keep getting an error.

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

client = SecretClient(vault_url=<URL>, credential=DefaultAzureCredential())
secret = client.get_secret(<SECRET NAME>).value

azure.core.exceptions.ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
VisualStudioCodeCredential: Azure Active Directory error '(invalid_grant) AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2020-06-07T03:58:48.4708462Z and was inactive for 90.00:00:00.

I've tried logging into Azure via az login but this doesn't refresh the credential.

Edit: I've tried a few other configurations found in the documentation. What seems strange is the Azure CLI credentials work, since it looks like that's one of the scenarios that is handled by the default credentials.

et_al
    Have you tried to use [`AzureCliCredential()`](https://learn.microsoft.com/en-us/python/api/azure-identity/azure.identity.azureclicredential?view=azure-python) instead of `DefaultAzureCredential()`? – unknown Oct 08 '20 at 07:09
  • Thanks, @PamelaPeng - That works. Any idea why the CLI Credential works when the Default one doesn't? Per the [documentation](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-identity/1.4.0/azure.identity.html#azure.identity.DefaultAzureCredential) it looks like the CLI is one of the cases that Default considers. – et_al Oct 08 '20 at 12:28

4 Answers

If you use az login to access Key Vault, both AzureCliCredential() and DefaultAzureCredential() will work well in theory. But the error shows at VisualStudioCodeCredential() in your issue.

VisualStudioCodeCredential: If a user has signed in to the Visual Studio Code Azure Account extension, DefaultAzureCredential will authenticate as that user.

DefaultAzureCredential attempts to authenticate via the following mechanisms in this order, stopping when one succeeds:

[image omitted: the DefaultAzureCredential chain order]

So, you need to use AzureCliCredential() or set exclude_visual_studio_code_credential=True to make sure VisualStudioCodeCredential is skipped.

For more details about Azure Identity, see here.

unknown
    My problem was similar, and the solution was to specify `exclude_shared_token_cache_credential=True` to force the application to use VisualStudioCodeCredential. Great. – Rafs Jul 12 '22 at 11:59
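The answer above fixes the chain by excluding VisualStudioCodeCredential, and the comment does the same for SharedTokenCacheCredential. As an added example (not code from the question or the answers), the helper below parses the "Attempted credentials:" block that DefaultAzureCredential prints, flags entries that failed with the stale-grant AADSTS codes quoted on this page, and turns them into the matching `exclude_*` keyword arguments; the sample error text is constructed from the question, and the exclusion keyword names are assumed to match the azure-identity DefaultAzureCredential constructor.

```python
import re

# Constructed sample: the error text from the question above, which the SDK
# prints when every credential in the chain has failed or is unavailable.
SAMPLE_ERROR = """DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
VisualStudioCodeCredential: Azure Active Directory error '(invalid_grant) AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2020-06-07T03:58:48.4708462Z and was inactive for 90.00:00:00."""

# AAD error codes quoted on this page that mean a cached grant is expired or
# revoked. Unlike "unavailable", this is a hard failure that stops the chain
# before it ever reaches AzureCliCredential (the az login session).
STALE_GRANT_CODES = {"AADSTS700082", "AADSTS50173"}

# Credential name in the error -> DefaultAzureCredential keyword that skips it
# (assumed to match the azure-identity constructor signature).
EXCLUDE_KWARG = {
    "EnvironmentCredential": "exclude_environment_credential",
    "ManagedIdentityCredential": "exclude_managed_identity_credential",
    "SharedTokenCacheCredential": "exclude_shared_token_cache_credential",
    "VisualStudioCodeCredential": "exclude_visual_studio_code_credential",
}


def parse_attempts(message):
    """Return {credential_name: detail} from the 'Attempted credentials:' block."""
    attempts = {}
    in_block = False
    for line in message.splitlines():
        if line.strip() == "Attempted credentials:":
            in_block = True
            continue
        m = re.match(r"^(\w+Credential): (.*)$", line.strip()) if in_block else None
        if m:
            attempts[m.group(1)] = m.group(2)
    return attempts


def stale_credentials(attempts):
    """Names of credentials whose failure is an expired/revoked grant."""
    return [name for name, detail in attempts.items()
            if any(code in detail for code in STALE_GRANT_CODES)]


def exclusion_kwargs(message):
    """Keyword args that skip the stale sources so the chain falls through to
    AzureCliCredential, e.g. DefaultAzureCredential(**exclusion_kwargs(str(err)))."""
    return {EXCLUDE_KWARG[name]: True
            for name in stale_credentials(parse_attempts(message))
            if name in EXCLUDE_KWARG}
```

Re-signing in to the VS Code Azure Account extension (as a later answer does) is the other way out; the exclusions only make the chain stop depending on that cached grant.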
If you want it to work with DefaultAzureCredential(), you need the following:

  • Service principal
  • Give access to service principal in KeyVault access policy.

When you have done the above, you need to set up the following environment variables:

  • AZURE_CLIENT_ID (this is the client ID of the above service principal (sp))
  • AZURE_CLIENT_SECRET (this is the client secret key of the above sp)
  • AZURE_SUBSCRIPTION_ID (this is the subscription ID in Azure)
  • AZURE_TENANT_ID (this is the Active Directory ID)

To see all environment variables on Windows, open a command prompt, type the command "set" and press Enter.

To set an environment variable on Windows, for example AZURE_CLIENT_ID with the value jbfdshfbsdfbdsbdgbdjgbdfjbdfj, open a command prompt, type the command "setx AZURE_CLIENT_ID jbfdshfbsdfbdsbdgbdjgbdfjbdfj" and press Enter.

It will not show the updated value until you restart the command prompt.

Then restart Visual Studio / VS Code where you are using DefaultAzureCredential().

This is late, but perhaps it could help someone else avoid spending hours trying to figure this out. I work primarily in Java using IntelliJ, and I kept getting the following error no matter what I did. I was logged in via web, CLI, IntelliJ plugin, cleared the identity cache, you name it.

com.azure.core.exception.ClientAuthenticationException: DefaultAzureCredential authentication failed. ---> VisualStudioCodeCredential authentication failed. Error Details: AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-10-15T12:45:38.0655988Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-11-29T19:36:56.0000000Z'.

While I did not 'solve' the issue, my work-around was just opening VS Code and signing in with the Azure Account plugin. Then I had no issue in IntelliJ. Note that VS Code had no project or code loaded in it either.

BgRva
I received a similar error when attempting to connect to a Key Vault from an Azure Linux jump box. It had been over 90 days since I had last accessed the vault from this box. It turns out that I needed to do a new az login request to refresh my token though the error itself didn't specifically indicate this.

Nimblejoe