Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,160 questions
DefaultAzureCredential says ManagedIdentityCredential not assigned to resource but IT IS
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 24%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKN%3C/text%3E%3C/svg%3E)
Keatra Nesbitt
15
Reputation points
I have created a User-Assigned Managed Identity in the Azure Portal. It is connected to:
- a batch account,
- a data factory, and
- a logic app
I have also granted this Managed Identity the Key Vault Secret Reader role to my Azure Key Vault
Lastly, I added the Managed Identity credentials to the data factory and successfully added the Key Vault as a Linked Service using the Managed Identity to authenticate:
However, when I run this python script from the Data Factory:
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
KVUri = "https://earc-d-kv-valkyrie.vault.azure.net"
credential = DefaultAzureCredential(
managed_identity_client_id='xxxxx',
additionally_allowed_tenants=['*']
)
client = SecretClient(vault_url=KVUri, credential=credential)
secretName = 'xxxx'
retrieved_secret = client.get_secret(name=secretName)
I get this error:
DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
AzureCliCredential: Azure CLI not found on path
AzurePowerShellCredential: PowerShell is not installed
AzureDeveloperCliCredential: Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then,once installed, authenticate to your Azure account using 'azd auth login'.
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
Traceback (most recent call last):
File "read_secret.py", line 13, in <module>
retrieved_secret = client.get_secret(name=secretName)
File "/usr/local/lib/python3.8/dist-packages/azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
return func(*args, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/azure/keyvault/secrets/_client.py", line 72, in get_secret
bundle = self._client.get_secret(
File "/usr/local/lib/python3.8/dist-packages/azure/keyvault/secrets/_generated/_operations_mixin.py", line 1640, in get_secret
return mixin_instance.get_secret(vault_base_url, secret_name, secret_version, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
return func(*args, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/azure/keyvault/secrets/_generated/v7_4/operations/_key_vault_client_operations.py", line 760, in get_secret
pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access
File "/usr/local/lib/python3.8/dist-packages/azure/core/pipeline/_base.py", line 227, in run
return first_node.send(pipeline_request)
File "/usr/local/lib/python3.8/dist-packages/azure/core/pipeline/_base.py", line 89, in send
response = self.next.send(request)
File "/usr/local/lib/python3.8/dist-packages/azure/core/pipeline/_base.py", line 89, in send
response = self.next.send(request)
File "/usr/local/lib/python3.8/dist-packages/azure/core/pipeline/_base.py", line 89, in send
response = self.next.send(request)
[Previous line repeated 2 more times]
File "/usr/local/lib/python3.8/dist-packages/azure/core/pipeline/policies/_redirect.py", line 184, in send
response = self.next.send(request)
File "/usr/local/lib/python3.8/dist-packages/azure/core/pipeline/policies/_retry.py", line 473, in send
response = self.next.send(request)
File "/usr/local/lib/python3.8/dist-packages/azure/core/pipeline/policies/_authentication.py", line 131, in send
request_authorized = self.on_challenge(request, response)
File "/usr/local/lib/python3.8/dist-packages/azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 112, in on_challenge
self.authorize_request(request, scope, tenant_id=challenge.tenant_id)
File "/usr/local/lib/python3.8/dist-packages/azure/core/pipeline/policies/_authentication.py", line 109, in authorize_request
self._token = self._credential.get_token(*scopes, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/azure/identity/_credentials/default.py", line 225, in get_token
token = super().get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/azure/identity/_credentials/chained.py", line 123, in get_token
raise ClientAuthenticationError(message=message)
azure.core.exceptions.ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
AzureCliCredential: Azure CLI not found on path
AzurePowerShellCredential: PowerShell is not installed
AzureDeveloperCliCredential: Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then,once installed, authenticate to your Azure account using 'azd auth login'.
But per everything shown above I HAVE assigned this Managed Identity to the resource (ADF).
Troubleshooting done so far:
- copied and recopied the client ID from the Managed Identity
- used Logic App to read the secret via the Managed Identity and it works
- used ManagedIdentityCredential() instead of DefaultAzureCredential()
- added additionally_allowed_tenants=['*']
- set verify_challenge_resource=False
- rebooted the node
What do I need to do for my python script to work?
{count} votes
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,351 Reputation points2023-08-24T04:27:43.7333333+00:00 Hello @Keatra Nesbitt , I will be working on this thread and will come back to you ASAP to gather more details or provide a solution.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 15%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EY%3C/text%3E%3C/svg%3E)
ylei 5 Reputation points Microsoft Employee2023-09-28T01:41:56.22+00:00 i got the same error
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 68%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
Alberto Ramon 21 Reputation points2023-10-21T22:49:55.5933333+00:00 I have the same error from SSMS (VM on Azure)
@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA Is this solved? or is my fault?
(With SYSTEM MI is OK, but USER MI = ERROR)
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 25%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Lee Taylor 31 Reputation points2023-12-20T21:21:35.37+00:00 According to this article you need to User the Client ID (GUID/Unique Identifier) as the User Id, however I cannot get it to work either.
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,351 Reputation points
2023-12-31T23:16:13.5933333+00:00 Hello @Keatra Nesbitt , apologies for the delay. Do you still need help with this?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 85%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Aditi Shah 20 Reputation points2024-01-31T21:07:02.4733333+00:00 I have the same error when I try to access the data asset from sdk. Please help.
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,351 Reputation points
2024-01-31T21:27:38.9066667+00:00 Hello Aditi, please post your issue as a new question including, if possible, the error as literal/raw text and mention me.
-
Lee Taylor 31 Reputation points
2024-01-31T21:34:00.3633333+00:00 I have this issue as well and Microsoft Support has been "Working" on it since early December 2023, and still have not solved this issue. It keeps getting passed from group to group, and gets escalated etc. Still Nothing. So at this point I will just say IT DOES NOT WORK. I am beginning to explore other alternatives to meet my needs.
-
Aditi Shah 20 Reputation points
2024-01-31T21:37:30.13+00:00 here is my question posted again, Pls help.
-
Aditi Shah 20 Reputation points
2024-01-31T21:39:45.7166667+00:00 @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA my question was deleted unfortunately in a second.
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,351 Reputation points
2024-01-31T22:14:35.3566667+00:00 Hello Aditi Shah, I've undeleted it: https://learn.microsoft.com/en-us/answers/questions/1520745/error-while-connecting-to-azure-ml-data-asset-usin?comment=question#newest-question-comment Sorry to hear about that Lee Taylor , pleas ask your support case to be re-activated and assigned to me, Alfredo Revilla.
Sign in to comment