
I am trying to authenticate with the Python SDK to pull Azure VNet data.

As a first step to verify that I can authenticate I am trying to use the subscription client to list subscriptions. I am creating a certificate credential to use for authentication.

When I make the call to list the subscriptions from the subscription client the call hangs seemingly indefinitely with no error returned. I am trying to authenticate to azure_gov. Here is the code:

```python
import logging
import os
import boto3
from msrestazure.azure_cloud import AZURE_US_GOV_CLOUD as CLOUD
from azure.identity import CertificateCredential
from azure.mgmt.subscription import SubscriptionClient

# Setup logging
logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)
logging.basicConfig(level=logging.INFO)

# Constants
CERT_PATH = '/tmp/cert.pem'
AZURE_CERT_PATH = '/tmp/cert.pem'
AZURE_TENANT_ID = os.environ['AZURE_TENANT_ID']
AZURE_CLIENT_ID = os.environ['AZURE_CLIENT_ID']
AZURE_SDK_S3_BUCKET = os.environ['AZURE_SDK_S3_BUCKET']

s3 = boto3.client('s3')
s3.download_file(AZURE_SDK_S3_BUCKET, 'certs/cert.pem', CERT_PATH)

# Setup Azure credentials
credential = CertificateCredential(
    tenant_id=AZURE_TENANT_ID,
    client_id=AZURE_CLIENT_ID,
    certificate_path=AZURE_CERT_PATH,
    authority=CLOUD.endpoints.active_directory)

logger.info(f'tenant_id  = {AZURE_TENANT_ID}, client_id = {AZURE_CLIENT_ID}')
logger.info(f'CLOUD: {CLOUD}')

sub_client = SubscriptionClient(
    credential=credential,
    base_url=CLOUD.endpoints.resource_manager)

# Code times out here
subscription = next(sub_client.subscriptions.list())
logger.info(f'Fetched subscription {subscription.subscription_id}')
```

I have verified multiple times that the cert, tenant_id, and client_id all match what I see in Active Directory.

I've found the following posts from Microsoft: first post and second post, which both use the azure.mgmt.resource SubscriptionClient, which gives no attribute 'signed_session' in the CertificateCredential when trying to use a CertificateCredential to set up the client.

I have found the following adapter for using the CertificateCredential class with this client and tried using it but it also gives me the same timeout issue on the next(sub_client.subscriptions.list) call.

EDIT:

I am still seeing issues with this. When things completely time out after the max number of retries, I get the following error:

Attempted credentials:

EnvironmentCredential: Authentication failed: <urllib3.connection.HTTPSConnection object at 0x7fad94f116d8>: Failed to establish a new connection: [Errno 110] Connection timed out

I don't think it is an environment issue as I can log into the Azure CLI from the same instance.

  • "no attribute 'signed_session'" means you are using an old azure-mgmt-resource. In order for azure-identity to work, you need at least v15.0.0 (latest the better). In doubt, please create an issue https://github.com/Azure/azure-sdk-for-python/issues – Laurent Mazuel Sep 10 '21 at 19:21
  • This does fix the issue that I was seeing with "no attribute 'signed_session'" so thank you, but I am still seeing the connection just hang and I am not sure why. – Bryan Fennell Sep 15 '21 at 12:06
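
`[Errno 110] Connection timed out` is raised while opening the TCP connection, before any TLS handshake or credential exchange takes place. The probe below is an added example, not code from the original post or from the Azure SDK; it checks whether the host running the script can open a TCP connection to the Azure US Government authority and Resource Manager endpoints and classifies each failure. The helper names `classify`, `probe` and `probe_all` are hypothetical.

```python
import errno
import socket
from urllib.parse import urlsplit

# Azure US Government endpoints: the values behind CLOUD.endpoints.active_directory
# and CLOUD.endpoints.resource_manager in the question's code.
GOV_ENDPOINTS = [
    "https://login.microsoftonline.us",
    "https://management.usgovcloudapi.net/",
]


def classify(exc):
    """Map a connection exception to a coarse failure category."""
    if isinstance(exc, socket.gaierror):
        return "dns_failure"          # name did not resolve
    if isinstance(exc, (socket.timeout, TimeoutError)) or exc.errno == errno.ETIMEDOUT:
        return "timeout"              # no route / packets dropped (Errno 110 on Linux)
    if isinstance(exc, ConnectionRefusedError):
        return "refused"              # host answered, port closed
    return "other"


def probe(url, timeout=5.0, connect=socket.create_connection):
    """Try a TCP connect to the URL's host and port; return (host, port, status)."""
    parts = urlsplit(url)
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        sock = connect((host, port), timeout=timeout)
    except OSError as exc:
        return host, port, classify(exc)
    sock.close()
    return host, port, "reachable"


def probe_all(urls=GOV_ENDPOINTS, timeout=5.0, connect=socket.create_connection):
    """Probe every endpoint with a short timeout instead of the SDK's retry loop."""
    return [probe(u, timeout, connect) for u in urls]


if __name__ == "__main__":
    for host, port, status in probe_all():
        print(f"{host}:{port} -> {status}")
```

A `timeout` result for both hosts points at network egress (routing, security groups, proxy) from the runtime executing the script rather than at the certificate, tenant or client ID.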

0 Answers