
DefaultAzureCredential failed to retrieve a token from the included credentials.

Open l-sudarsan opened this issue 3 years ago • 3 comments

l-sudarsan avatar Aug 07 '22 05:08 l-sudarsan

userId=<email_id_of_account_requesting_access>
resource_prefix=<resource_prefix>
synapse_workspace_name="${resource_prefix}syws"
keyvault_name="${resource_prefix}kv"
objectId=$(az ad user show --id $userId --query id -o tsv)
az keyvault update --name $keyvault_name --enable-rbac-authorization false
az keyvault set-policy -n $keyvault_name --secret-permissions get list --object-id $objectId
az role assignment create --assignee $userId --role "Storage Blob Data Contributor"
az synapse role assignment create --workspace-name $synapse_workspace_name --role "Synapse Contributor" --assignee $userId

The above steps were performed as per the documentation, but I am getting the error below:

Attempted credentials: EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured. Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue. ManagedIdentityCredential: request() got an unexpected keyword argument 'tenant_id'

l-sudarsan avatar Aug 07 '22 06:08 l-sudarsan

Hi @l-sudarsan, did you successfully execute the az login command previously? It should be able to provide an AzureCliCredential to DefaultAzureCredential. You could refer to https://docs.microsoft.com/en-us/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python for more details.

Yuqing-cat avatar Aug 08 '22 05:08 Yuqing-cat

Hi @Yuqing-cat, I did execute az login --use-device-code and followed the 2-step authentication process, which was a success. I am getting the error when calling retrieved_secret = client.get_secret(secretName).value. I could check the secret in the vault and did not get this error previously. I will check the links you have referred to.

l-sudarsan avatar Aug 08 '22 15:08 l-sudarsan

@l-sudarsan - Default Credential has this chain of Authentication

  1. A service principal configured by environment variables. See EnvironmentCredential for more details.
  2. An Azure managed identity. See ManagedIdentityCredential for more details.
  3. On Windows only: a user who has signed in with a Microsoft application, such as Visual Studio. If multiple identities are in the cache, then the value of the environment variable AZURE_USERNAME is used to select which identity to use. See SharedTokenCacheCredential for more details.
  4. The user currently signed in to Visual Studio Code.
  5. The identity currently logged in to the Azure CLI.
  6. The identity currently logged in to Azure PowerShell.

The error you are getting is sometimes due to stale logins in your environment; the DefaultAzureCredential tries to access it and fails to refresh a token. To force DefaultAzureCredential to skip this chain of auths so it goes all the way to CLI login, you could do this in the notebook code:

from azure.identity import DefaultAzureCredential
credential = DefaultAzureCredential(exclude_shared_token_cache_credential=True, exclude_visual_studio_code_credential=True)

jainr avatar Aug 12 '22 21:08 jainr
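
A way to read the aggregated error quoted in this issue, as an added example that is not part of the thread or of the feathr project: it splits the message into per-credential attempts and lists which links of the chain do not appear in it. The sample string is constructed from the error text above (troubleshooting URL sentence omitted), and the class names for steps 4 and 6 are azure-identity's names, which the thread does not spell out.

```python
import re

# Chain order as listed in the thread above (azure-identity class names).
CHAIN = [
    "EnvironmentCredential",
    "ManagedIdentityCredential",
    "SharedTokenCacheCredential",
    "VisualStudioCodeCredential",
    "AzureCliCredential",
    "AzurePowerShellCredential",
]

# Constructed sample: the error text quoted in this issue, flattened to one line.
SAMPLE = (
    "DefaultAzureCredential failed to retrieve a token from the included credentials. "
    "Attempted credentials: EnvironmentCredential: EnvironmentCredential authentication "
    "unavailable. Environment variables are not fully configured. "
    "ManagedIdentityCredential: request() got an unexpected keyword argument 'tenant_id'"
)

# A per-credential entry starts with "<Name>Credential: " (name, colon, space).
LABEL = re.compile(r"\b([A-Za-z]+Credential):\s")


def parse_attempts(message):
    """Return [(credential, detail, status)] in the order they appear in the message."""
    _, _, body = message.partition("Attempted credentials:")
    marks = list(LABEL.finditer(body))
    attempts = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(body)
        detail = body[m.end():end].strip()
        # "unavailable": the credential was not configured in this environment.
        # "error": the credential raised something else while authenticating.
        status = "unavailable" if "authentication unavailable" in detail else "error"
        attempts.append((m.group(1), detail, status))
    return attempts


def never_tried(message, chain=CHAIN):
    """Chain members that do not show up among the attempted credentials."""
    tried = {name for name, _, _ in parse_attempts(message)}
    return [name for name in chain if name not in tried]


if __name__ == "__main__":
    for name, detail, status in parse_attempts(SAMPLE):
        print(f"{status:11} {name}: {detail}")
    print("never tried:", ", ".join(never_tried(SAMPLE)))
```

For the error as quoted, the last entry is an error rather than "unavailable", and AzureCliCredential is not among the attempted credentials.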