WorkloadIdentityCredential missing in DefaultAzureCredential
alsastre opened this issue · 4 comments
- Package Name: azure-identity
- Package Version: 1.16.0
- Operating System: Linux
- Python Version: 3.12.3
Describe the bug
According to the documentation, WorkloadIdentityCredential is included in the Default Credential, which it is not.
To Reproduce
Steps to reproduce the behavior:
- Given the following env vars:
  - AZURE_CLIENT_ID
  - AZURE_TENANT_ID
  - AZURE_FEDERATED_TOKEN_FILE
The following code fails to obtain a valid credential:
from azure.identity import DefaultAzureCredential
credential = DefaultAzureCredential()
And the following does:
from azure.identity import WorkloadIdentityCredential
credential = WorkloadIdentityCredential()
Expected behavior
I would expect that if exclude_workload_identity_credential is not provided, Workload Identity should work with Default Credential.
Screenshots
Stacktrace upon failing:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource. Error: Unexpected response "{'error': 'invalid_request', 'error_description': 'Identity not found'}"
SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
AzureCliCredential: Azure CLI not found on path
AzurePowerShellCredential: PowerShell is not installed
AzureDeveloperCliCredential: Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then,once installed, authenticate to your Azure account using 'azd auth login'.
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
Traceback (most recent call last):
File "/opt/docker/generate-template.py", line 41, in <module>
Processing templates for mx-datagendbflex-acc1-kyc-westeurope...
instance['client_keys'] = get_secrets(instance['client_keys'])
File "/opt/docker/generate-template.py", line 16, in get_secrets
res.update({user: client.get_secret(secret).value})
File "/usr/local/lib/python3.10/site-packages/azure/core/tracing/decorator.py", line 78, in wrapper_use_tracer
return func(*args, **kwargs)
File "/usr/local/lib/python3.10/site-packages/azure/keyvault/secrets/_client.py", line 64, in get_secret
bundle = self._client.get_secret(
File "/usr/local/lib/python3.10/site-packages/azure/core/tracing/decorator.py", line 78, in wrapper_use_tracer
return func(*args, **kwargs)
File "/usr/local/lib/python3.10/site-packages/azure/keyvault/secrets/_generated/_operations/_operations.py", line 751, in get_secret
pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access
File "/usr/local/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 230, in run
return first_node.send(pipeline_request)
File "/usr/local/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 86, in send
response = self.next.send(request)
File "/usr/local/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 86, in send
response = self.next.send(request)
File "/usr/local/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 86, in send
response = self.next.send(request)
[Previous line repeated 2 more times]
File "/usr/local/lib/python3.10/site-packages/azure/core/pipeline/policies/_redirect.py", line 197, in send
response = self.next.send(request)
File "/usr/local/lib/python3.10/site-packages/azure/core/pipeline/policies/_retry.py", line 531, in send
response = self.next.send(request)
File "/usr/local/lib/python3.10/site-packages/azure/core/pipeline/policies/_authentication.py", line 135, in send
request_authorized = self.on_challenge(request, response)
File "/usr/local/lib/python3.10/site-packages/azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 137, in on_challenge
self.authorize_request(request, scope, tenant_id=challenge.tenant_id)
File "/usr/local/lib/python3.10/site-packages/azure/core/pipeline/policies/_authentication.py", line 113, in authorize_request
self._token = self._credential.get_token(*scopes, **kwargs)
File "/usr/local/lib/python3.10/site-packages/azure/identity/_credentials/default.py", line 225, in get_token
token = super().get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
File "/usr/local/lib/python3.10/site-packages/azure/identity/_credentials/chained.py", line 124, in get_token
raise ClientAuthenticationError(message=message)
azure.core.exceptions.ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource. Error: Unexpected response "{'error': 'invalid_request', 'error_description': 'Identity not found'}"
SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
AzureCliCredential: Azure CLI not found on path
AzurePowerShellCredential: PowerShell is not installed
AzureDeveloperCliCredential: Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then,once installed, authenticate to your Azure account using 'azd auth login'.
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
Additional context
For anyone trying to set up Workload Identity with Azure Pipelines, this is the setup with which I managed to log in from an Azure DevOps task pipeline:
- task: AzureCLI@2
  displayName: "Generate templates"
  inputs:
    addSpnToEnvironment: true
    azureSubscription: ${{ parameters.sc }}
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      echo "$idToken" > /shared-data/tokenfile.json
      docker run --rm \
        -v /shared-data/tokenfile.json:/opt/docker/tokenfile.json \
        -e "AZURE_CLIENT_ID=$servicePrincipalId" \
        -e "AZURE_TENANT_ID=$tenantId" \
        -e "AZURE_FEDERATED_TOKEN_FILE=/opt/docker/tokenfile.json" \
        mytemplategeneratorimage:${{ parameters.generatorVersion }}
and in my mytemplategeneratorimage image the following Python code:
from azure.identity import WorkloadIdentityCredential
credential = WorkloadIdentityCredential()
Although it seems they have recently implemented #32143, which would also work (but is also not included in the DefaultAzureCredential helper), that is not yet released, nor has the documentation been updated.
Thank you for your feedback. Tagging and routing to the team member best able to assist.
Thanks for reaching out.
In order to make WorkloadIdentity work in DefaultAzureCredential, please also set the env var AZURE_AUTHORITY_HOST.
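A preflight check for the situation in this thread, added here as an example (it is not code from the issue or from the azure-identity package). It assumes, as the maintainer's comment states, that DefaultAzureCredential only adds WorkloadIdentityCredential when AZURE_AUTHORITY_HOST is set alongside AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE, and that the token file holds a JWT (as the Azure DevOps idToken does); the demo token it builds is constructed and unsigned.

```python
import base64
import json
import os
import time

# Variables assumed to gate the workload identity branch of the
# DefaultAzureCredential chain; AZURE_AUTHORITY_HOST is the one the reporter
# had not set, which is why the chain never tried WorkloadIdentityCredential.
REQUIRED_VARS = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID",
                 "AZURE_FEDERATED_TOKEN_FILE", "AZURE_AUTHORITY_HOST")


def _b64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it. Entra ID checks the
    signature during the exchange; this only inspects claims to explain
    why a login is failing (expired file, wrong audience)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("federated token file does not contain a JWT")
    return json.loads(_b64url(parts[1]))


def make_unsigned_demo_jwt(claims: dict) -> str:
    """Constructed, unsigned token so the check can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


def _read_text(path: str) -> str:
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def check_workload_identity(env=None, read_file=_read_text, now=None) -> dict:
    """Report missing variables and the state of the federated token file."""
    env = os.environ if env is None else env
    now = time.time() if now is None else now
    missing = [v for v in REQUIRED_VARS if not env.get(v)]
    report = {"missing": missing, "chain_uses_workload_identity": not missing, "token": None}
    path = env.get("AZURE_FEDERATED_TOKEN_FILE")
    if path:
        try:
            claims = jwt_claims(read_file(path))
            report["token"] = {"expired": claims.get("exp", 0) <= now,
                               "aud": claims.get("aud"), "sub": claims.get("sub")}
        except (OSError, ValueError) as exc:
            report["token"] = {"error": str(exc)}
    return report


if __name__ == "__main__":
    print(json.dumps(check_workload_identity(), indent=2))
```

Run it inside the container before constructing the credential; an `AZURE_AUTHORITY_HOST` entry in `missing` reproduces this issue, and `expired: true` explains the failures seen when a pipeline's idToken is reused after its short lifetime.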
Hi @alsastre. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.