
I am trying to write a python script to read secrets from Azure Key Vault. I am facing an issue with authentication when using SecretClient class.

My code is below:

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient


CREDENTIAL = DefaultAzureCredential()
client = SecretClient(
    vault_url="https://my_vault_name.vault.azure.net/",
    credential=CREDENTIAL
)

secret = client.get_secret('my_secret_name')

The error I am getting is as follows:

EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured. Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.

ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.

SharedTokenCacheCredential: The current credential is not configured to acquire tokens for tenant 74******-****-****-****-**********62. To enable acquiring tokens for this tenant add it to the additionally_allowed_tenants when creating the credential, or add "*" to additionally_allowed_tenants to allow acquiring tokens for any tenant.

I created Managed Identity in Azure Portal and 'assigned it' to my Key Vault with all possible permissions.

I've tried the below as well:

import azure.identity  # needed for the fully qualified name used below
CREDENTIAL = azure.identity.ManagedIdentityCredential(client_id='my_managed_identity_client_id')  # the user-assigned identity is selected with client_id

and

CREDENTIAL = ManagedIdentityCredential()

but I'm getting the same ManagedIdentityCredential error as above.

Please note that I am trying to run the code on my local machine. What's more, I've tried using the DefaultAzureCredential() class for scripts to upload a file to my blob or list all my resources and it works ok, so it seems like there is an issue with the SecretClient class specifically. I do not want to use environment variables for security reasons as the script will be run in a prod environment.

I am also able to list my secrets using Azure CLI.

I would appreciate any ideas and tips on how to tackle this issue.

KingWolin
  • Have you assigned your account access to KeyVault? By your account I mean the account with which you logged in into Azure CLI/PowerShell/Visual Studio/VS Code. – Gaurav Mantri Mar 09 '23 at 09:13
  • Yes, when I go to my Key Vault --> Access Policies I can see my user account under USER section as well as managed identity under APPLICATION. Both with all permissions listed. – KingWolin Mar 09 '23 at 09:19
  • Thanks. Are you logged in into Azure on your local machine? – Gaurav Mantri Mar 09 '23 at 09:22
  • Yes, I am logged in via the Azure Portal. I have also tried the same code in VSCode after logging into Azure there (I can see my subscription in the left panel etc.) but I get the same error. – KingWolin Mar 09 '23 at 09:32

1 Answer


I decided to focus more on the following error msg:

SharedTokenCacheCredential: The current credential is not configured to acquire tokens for tenant 74----62. To enable acquiring tokens for this tenant add it to the additionally_allowed_tenants when creating the credential, or add "*" to additionally_allowed_tenants to allow acquiring tokens for any tenant.

I have added a parameter as below:

CREDENTIAL = DefaultAzureCredential(additionally_allowed_tenants=['*'])

and it worked fine. I had also logged in using the Azure CLI before re-running the code, so that might have had an impact as well.

Thank you all for the comments/answers.

KingWolin
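As an added example (not code from the question or the answer), a small helper that picks the refused tenant id out of the chained-credential error quoted above and builds DefaultAzureCredential keyword arguments scoped to that one tenant, instead of the "*" wildcard used in the answer, which lets the cached login mint tokens for any tenant it can reach. `additionally_allowed_tenants` is the real azure-identity parameter; the function names, the masked tenant value and the sample error text are constructed here for illustration.

```python
import re
from typing import Dict, List, Optional, Union

# Constructed sample: the chained-credential failure text from the question,
# with the tenant id masked the way the asker masked it (a real run shows a GUID).
SAMPLE_ERROR = (
    "EnvironmentCredential: EnvironmentCredential authentication unavailable. "
    "Environment variables are not fully configured.\n"
    "ManagedIdentityCredential: ManagedIdentityCredential authentication "
    "unavailable, no response from the IMDS endpoint.\n"
    "SharedTokenCacheCredential: The current credential is not configured to "
    "acquire tokens for tenant 74******-****-****-****-**********62. To enable "
    "acquiring tokens for this tenant add it to the additionally_allowed_tenants "
    "when creating the credential, or add \"*\" to additionally_allowed_tenants "
    "to allow acquiring tokens for any tenant."
)

_CRED_LINE = re.compile(r"^(\w+Credential): ", re.MULTILINE)
_TENANT = re.compile(r"acquire tokens for tenant ([^\s.]+)")


def failed_credentials(error_text: str) -> List[str]:
    """Names of the chained credentials that reported a failure, in chain order."""
    return _CRED_LINE.findall(error_text)


def rejected_tenant(error_text: str) -> Optional[str]:
    """Tenant id that SharedTokenCacheCredential refused to issue tokens for, if any."""
    match = _TENANT.search(error_text)
    return match.group(1) if match else None


def credential_kwargs(tenant: Optional[str], allow_any_tenant: bool = False) -> Dict[str, Union[List[str], bool]]:
    """Keyword arguments for DefaultAzureCredential: the single vault tenant when
    it is known, the '*' wildcard only when explicitly requested."""
    if allow_any_tenant:
        return {"additionally_allowed_tenants": ["*"]}
    if tenant:
        return {"additionally_allowed_tenants": [tenant]}
    return {}


def read_secret(vault_url: str, secret_name: str, tenant: Optional[str]) -> str:
    """Live call (hypothetical usage): needs azure-identity and azure-keyvault-secrets
    installed and an Azure CLI login; imported lazily so the parsers above run offline."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    credential = DefaultAzureCredential(**credential_kwargs(tenant))
    return SecretClient(vault_url=vault_url, credential=credential).get_secret(secret_name).value
```

In practice you pass the real tenant GUID printed by the error (or found with `az account show`) to `credential_kwargs`, so the credential can only be used against the directory the vault belongs to.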