DefaultAzureCredential says ManagedIdentityCredential not assigned to resource but IT IS
I have created a User-Assigned Managed Identity in the Azure Portal. It is connected to:
- a batch account,
- a data factory, and
- a logic app
I have also granted this Managed Identity the Key Vault Secret Reader role to my Azure Key Vault
Lastly, I added the Managed Identity credentials to the data factory and successfully added the Key Vault as a Linked Service using the Managed Identity to authenticate:
However, when I run this Python script from the Data Factory:

```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

KVUri = "https://earc-d-kv-valkyrie.vault.azure.net"
# placeholder client ID of the user-assigned managed identity
credential = DefaultAzureCredential(
    managed_identity_client_id='xxxxx',
    additionally_allowed_tenants=['*']
)
client = SecretClient(vault_url=KVUri, credential=credential)
secretName = 'xxxx'  # placeholder secret name
retrieved_secret = client.get_secret(name=secretName)
```
I get this error:
```text
DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
AzureCliCredential: Azure CLI not found on path
AzurePowerShellCredential: PowerShell is not installed
AzureDeveloperCliCredential: Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then,once installed, authenticate to your Azure account using 'azd auth login'.
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
Traceback (most recent call last):
  File "read_secret.py", line 13, in <module>
    retrieved_secret = client.get_secret(name=secretName)
  File "/usr/local/lib/python3.8/dist-packages/azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/azure/keyvault/secrets/_client.py", line 72, in get_secret
    bundle = self._client.get_secret(
  File "/usr/local/lib/python3.8/dist-packages/azure/keyvault/secrets/_generated/_operations_mixin.py", line 1640, in get_secret
    return mixin_instance.get_secret(vault_base_url, secret_name, secret_version, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/azure/keyvault/secrets/_generated/v7_4/operations/_key_vault_client_operations.py", line 760, in get_secret
    pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access
  File "/usr/local/lib/python3.8/dist-packages/azure/core/pipeline/_base.py", line 227, in run
    return first_node.send(pipeline_request)
  File "/usr/local/lib/python3.8/dist-packages/azure/core/pipeline/_base.py", line 89, in send
    response = self.next.send(request)
  File "/usr/local/lib/python3.8/dist-packages/azure/core/pipeline/_base.py", line 89, in send
    response = self.next.send(request)
  File "/usr/local/lib/python3.8/dist-packages/azure/core/pipeline/_base.py", line 89, in send
    response = self.next.send(request)
  [Previous line repeated 2 more times]
  File "/usr/local/lib/python3.8/dist-packages/azure/core/pipeline/policies/_redirect.py", line 184, in send
    response = self.next.send(request)
  File "/usr/local/lib/python3.8/dist-packages/azure/core/pipeline/policies/_retry.py", line 473, in send
    response = self.next.send(request)
  File "/usr/local/lib/python3.8/dist-packages/azure/core/pipeline/policies/_authentication.py", line 131, in send
    request_authorized = self.on_challenge(request, response)
  File "/usr/local/lib/python3.8/dist-packages/azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 112, in on_challenge
    self.authorize_request(request, scope, tenant_id=challenge.tenant_id)
  File "/usr/local/lib/python3.8/dist-packages/azure/core/pipeline/policies/_authentication.py", line 109, in authorize_request
    self._token = self._credential.get_token(*scopes, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/azure/identity/_credentials/default.py", line 225, in get_token
    token = super().get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/azure/identity/_credentials/chained.py", line 123, in get_token
    raise ClientAuthenticationError(message=message)
azure.core.exceptions.ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
AzureCliCredential: Azure CLI not found on path
AzurePowerShellCredential: PowerShell is not installed
AzureDeveloperCliCredential: Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then,once installed, authenticate to your Azure account using 'azd auth login'.
```
But per everything shown above I HAVE assigned this Managed Identity to the resource (ADF).
Troubleshooting done so far:
- copied and recopied the client ID from the Managed Identity
- used Logic App to read the secret via the Managed Identity and it works
- used ManagedIdentityCredential() instead of DefaultAzureCredential()
- added additionally_allowed_tenants=['*']
- set verify_challenge_resource=False
- rebooted the node
What do I need to do for my Python script to work?
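An added diagnostic, not code from the question or from the Azure SDK: it parses the DefaultAzureCredential chain error the way a responder reads it, maps the ManagedIdentityCredential reason to the next check, and reads the secret with an explicit ManagedIdentityCredential so that only the managed-identity path is tried and its failure is reported on its own. The vault URL, secret name and client ID are placeholders passed by the caller; the sample error text is constructed from the message quoted above.

```python
import re

# Constructed sample, modelled on the chain error quoted in the question.
SAMPLE_ERROR = """DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
AzureCliCredential: Azure CLI not found on path"""

CRED_LINE = re.compile(r"^\s*([A-Za-z]+Credential):\s*(.*)$")
NOT_ASSIGNED = "has not been assigned to this resource"


def parse_chain_error(message: str) -> dict:
    """Map each credential DefaultAzureCredential tried to the reason it was skipped."""
    lines = message.splitlines()
    # Only the lines after "Attempted credentials:" carry per-credential reasons.
    start = next((i + 1 for i, l in enumerate(lines) if l.strip() == "Attempted credentials:"), len(lines))
    reasons, current = {}, None
    for line in lines[start:]:
        match = CRED_LINE.match(line)
        if match:
            current = match.group(1)
            reasons[current] = match.group(2).strip()
        elif current and line.strip():
            reasons[current] += " " + line.strip()  # continuation line, e.g. a troubleshooting URL
    return reasons


def managed_identity_diagnosis(reason: str) -> str:
    """Turn the ManagedIdentityCredential failure text into the check to run next."""
    if not reason:
        return "ManagedIdentityCredential was not attempted"
    if NOT_ASSIGNED in reason:
        return ("the identity endpoint of the host running this script has no identity with the "
                "supplied client_id: confirm the user-assigned identity is attached to the compute "
                "that actually executes the script, not only to the service that schedules it")
    return "ManagedIdentityCredential unavailable: " + reason


def get_secret_with_managed_identity(vault_url: str, secret_name: str, client_id: str) -> str:
    """Read a secret via an explicit ManagedIdentityCredential; needs azure-identity and azure-keyvault-secrets."""
    # Imported here so the parser above runs without the SDK installed.
    from azure.identity import CredentialUnavailableError, ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient

    credential = ManagedIdentityCredential(client_id=client_id)
    try:
        return SecretClient(vault_url=vault_url, credential=credential).get_secret(secret_name).value
    except CredentialUnavailableError as exc:
        raise RuntimeError(managed_identity_diagnosis(str(exc))) from exc
```

Run `parse_chain_error` over the full text of a failure to see every chain member's reason at once; the last function is what the script would call in place of the DefaultAzureCredential block.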