0

I am following the Microsoft documentation to retrieve secrets from a key vault using python sdk.

The code and explanation offered by Microsoft leads to this code:

import os
import cmd
from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential


keyvault_name = f'https://<Keyvaultname>.vault.azure.net/'
KeyVaultName = "<Keyvaultname>"
credential = DefaultAzureCredential()
client = SecretClient(vault_url=keyvault_name, credential=credential)



print(" done.")

print(f"Retrieving your secret from {KeyVaultName}.")

retrieved_secret = client.get_secret("test")

print(f"Your secret is '{retrieved_secret.value}'.")

According to my understanding, the DefaultCredentials are the one configured in the az login which is fine, my code runs just fine but I keep getting this message in the terminal.

 done.
Retrieving your secret from <KeyvaultName>.
EnvironmentCredential.get_token failed: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ImdsCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
ManagedIdentityCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential.get_token failed: SharedTokenCacheCredential authentication unavailable. Multiple accounts
were found in the cache. Use username and tenant id to disambiguate.

I presume that this warnings are due the fact that I have multiple subscription in my azure portal.

I was wondering, how can I get rid of those and set the credentials for only a single subscription?

Thank you so much for any help and explanation you can offer me.

Nayden Van
  • 1,133
  • 1
  • 23
  • 70
  • If I understand correctly, you're able to get the secrets properly. Only thing you're concerned about is this warning message. Am I right? – Gaurav Mantri Oct 06 '21 at 15:51
  • Yes, I am able to get the secret back but that warning keeps getting in the way – Nayden Van Oct 06 '21 at 15:52
  • Also, you would always want to use Azure CLI credentials in your code? – Gaurav Mantri Oct 06 '21 at 15:52
  • In the future I would like to move this logic to a azure function – Nayden Van Oct 06 '21 at 15:53
  • Then in that case, I would not worry about this warning. Essentially when you use `DefaultAzureCredential`, the SDK tries a number of credential options in a particular order. It moves from one to next if one credential option fails. You can see that order here - https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet. – Gaurav Mantri Oct 06 '21 at 15:55

1 Answers1

1

Generally speaking, I would not worry about this warning. When you use DefaultAzureCredential, SDK tries the following credential options in that order (Reference):

  • EnvironmentCredential
  • ManagedIdentityCredential
  • SharedTokenCacheCredential
  • VisualStudioCredential
  • VisualStudioCodeCredential
  • AzureCliCredential
  • AzurePowerShellCredential
  • InteractiveBrowserCredential

SDK moves from one credential options to another if that credential option fails. The warning message is just a way for the SDK to tell you what all credential options it has tried.

However if you still want to get rid of this message, there are a few options available to you:

  • Exclude the credential options that you do not want SDK to try when using DefaultAzureCredential. You can specify those via exclude_xxx_credential option in the constructor. For example, if you want to exclude EnvironmentCredential, you would specify exclude_environment_credential=True in the DefaultAzureCredential constructor. SDK will skip those credential methods. Please see this link for all constructor options.
  • Use specific credential option. For example, if you always want to use Azure CLI credentials, then instead of using DefaultAzureCredential you can use AzureCliCredential.
Gaurav Mantri
  • 128,066
  • 12
  • 206
  • 241