How to solve azure.core.exceptions.ClientAuthenticationError to get access token for Azure Database for MySQL?

Makoto Oda 291 Reputation points
2022-12-20T01:34:23.1+00:00

I read this article.

I can connect to Azure Database for MySQL using an access token by executing both "az account get-access-token --resource https://ossrdbms-aad.database.windows.net" and "az account get-access-token --resource-type oss-rdbms".

And I tried to execute sample code in Visual Studio Code to get an access token for Azure Database for MySQL as follows (tests\integration\learn\test_LearnToGetToken.py):

import os  

import mysql.connector  
from azure.identity import DefaultAzureCredential  


class TestClass:  
    def test_get_token(self):  
        credential = DefaultAzureCredential()  

        token = credential.get_token("https://ossrdbms-aad.database.windows.net")  

        assert token  

However, I got azure.core.exceptions.ClientAuthenticationError as follows.

What's wrong? What am I missing?

./tests/integration/learn/test_LearnToGetToken.py::TestClass::test_get_token Failed: [undefined]azure.core.exceptions.ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_scope) AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://ossrdbms-aad.database.windows.net is not valid. The scope format is invalid. Scope must be in a valid URI form <https://example/scope> or a valid Guid <guid/scope>.
Trace ID: <trace_id_uuid>
Correlation ID: <correlation_id_uuid>
Timestamp: 2022-12-20 01:05:25Z'
Content: {"error":"invalid_scope","error_description":"AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://ossrdbms-aad.database.windows.net is not valid. The scope format is invalid. Scope must be in a valid URI form <https://example/scope> or a valid Guid <guid/scope>.\r\nTrace ID: <trace_id_uuid>\r\nCorrelation ID: <correlation_id_uuid>\r\nTimestamp: 2022-12-20 01:05:25Z","error_codes":[70011],"timestamp":"2022-12-20 01:05:25Z","trace_id":"<trace_id_uuid>","correlation_id":"<correlation_id_uuid>"}
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
self = <tests.integration.learn.test_LearnToGetToken.TestClass object at 0x00000206CC019F40>


1 answer

  1. ShaktiSingh-MSFT 13,911 Reputation points Microsoft Employee
    2022-12-20T05:39:29.523+00:00

    Hi @Makoto Oda,

    Thanks for posting this question on the Microsoft Q&A platform.

    As I understand from the question, ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.

    Please follow the troubleshooting guide in order to understand the issue:

    Verify the App Service managed identity endpoint is available
    If you have access to SSH into the App Service, you can verify managed identity is available in the environment. First ensure the environment variables IDENTITY_ENDPOINT and IDENTITY_HEADER have been set in the environment. Then you can verify the managed identity endpoint is available using curl.

    curl 'http://169.254.169.254/metadata/identity/oauth2/token?resource=https://management.core.windows.net&api-version=2018-02-01' -H "Metadata: true"  
    

    Hope this helps. Please let us know if you have further queries.

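
Added example (not part of the question or the answer): a small parser that splits the aggregated `DefaultAzureCredential` message quoted in the question into one finding per attempted credential, separating credentials that were merely unavailable from the one Azure AD rejected. The sample text is abridged from the question; `triage` and `resource_to_scope` are hypothetical helper names, and the `/.default` suffix is the Microsoft identity platform convention for turning a resource URI into a scope, which the page itself does not state.

```python
import re

# Constructed sample: abridged from the error text quoted in the question.
SAMPLE_ERROR = """\
DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_scope) AADSTS70011: The scope https://ossrdbms-aad.database.windows.net is not valid. The scope format is invalid.'
"""

CRED_LINE = re.compile(r"^(\w+Credential): (.*)$")
AAD_ERROR = re.compile(r"\((\w+)\) (AADSTS\d+)")
BAD_SCOPE = re.compile(r"The scope (\S+) is not valid")


def resource_to_scope(resource):
    """v1 resource URI (as passed to `az ... --resource`) -> v2 scope string."""
    return resource if resource.endswith("/.default") else resource + "/.default"


def triage(error_text):
    """Split the aggregated message into one finding per attempted credential."""
    findings = []
    for line in error_text.splitlines():
        m = CRED_LINE.match(line)
        if not m:
            continue  # header lines and Trace ID / Correlation ID continuation lines
        name, detail = m.groups()
        finding = {"credential": name, "status": "failed", "code": None, "hint": None}
        aad = AAD_ERROR.search(detail)
        if aad:
            # This credential reached Azure AD and the request itself was refused.
            finding["status"], finding["code"] = "rejected", aad.group(2)
            scope = BAD_SCOPE.search(detail)
            if aad.group(2) == "AADSTS70011" and scope:
                finding["hint"] = "request scope " + resource_to_scope(scope.group(1))
        elif "authentication unavailable" in detail:
            # Not usable in this environment; no token request reached Azure AD.
            finding["status"] = "unavailable"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ERROR):
        print(f)
```
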