Azure SP authentication in Python using JSON file: Invalid client secret is provided

Ben Davis 96 Reputation points
2020-12-20T02:13:38.877+00:00

I'm attempting to authenticate with Azure DNS using a service principal I created, but I'm getting an authentication error. What am I doing wrong?

Here is how I created the SP:

az ad sp create-for-rbac --name az-dns-manager --skip-assignment --sdk-auth > az-dns-credentials.json
az role assignment create --assignee "$CLIENT_ID_FROM_JSON" --role "DNS Zone Contributor" --scope "$AZ_DNS_SCOPE"

And here is how I'm authenticating in Python:

from azure.common.client_factory import get_client_from_auth_file
from azure.mgmt.dns import DnsManagementClient

# Build the DNS client from the --sdk-auth JSON file written by
# `az ad sp create-for-rbac`; the token request happens on first use.
dns_client = get_client_from_auth_file(
    DnsManagementClient, auth_path='az-dns-credentials.json')
dns_client.record_sets.create_or_update(...)

I then get the following error:

msrest.exceptions.AuthenticationError: Get Token request returned http error: 401 and server response:
{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: e4ac8241-49c0-457f-9b8f-1d41c4fd0600\r\nCorrelation ID: 6be25bc7-01e4-4ce5-a26f-8da0e02b4a64\r\nTimestamp: 2020-12-19 22:55:00Z","error_codes":[7000215],"timestamp":"2020-12-19 22:55:00Z","trace_id":"e4ac8241-49c0-457f-9b8f-1d41c4fd0600","correlation_id":"6be25bc7-01e4-4ce5-a26f-8da0e02b4a64","error_uri":"https://login.microsoftonline.com/error?code=7000215"}


Accepted answer
Ben Davis 96 Reputation points
2020-12-20T19:07:22.86+00:00

Not sure what I did wrong before, but it seems to be working now. I used the following commands:

az ad sp create-for-rbac --name ide-cert-manager --skip-assignment --sdk-auth > ide-cert-manager-auth.json;
CLIENT_ID=$(cat ide-cert-manager-auth.json | jq -r .clientId);
DNS_ID=$(az network dns zone show --name ide.boldidea.org --resource-group ideResourceGroup --query "id" --output tsv);
az role assignment create --assignee "$CLIENT_ID" --role "DNS Zone Contributor" --scope "$DNS_ID";
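Added diagnostic helper (my own example, not code from the question or from the Azure SDK) that checks the `--sdk-auth` JSON file the commands above produce for the fields `get_client_from_auth_file` needs, and parses a token-endpoint 401 body like the one in the question to map AADSTS7000215 to a diagnosis without echoing the secret. The required key names are an assumption about the file format; the GUIDs, secret and error body are constructed placeholders.

```python
import json
import uuid

# Keys get_client_from_auth_file reads from an --sdk-auth file (assumption:
# the real file also carries endpoint URLs, which are not checked here).
REQUIRED_KEYS = ("clientId", "clientSecret", "tenantId", "subscriptionId")
# Constructed samples with placeholder GUIDs and secret, not real credentials.
GOOD_AUTH = json.dumps({
    "clientId": "11111111-2222-3333-4444-555555555555",
    "clientSecret": "placeholder-secret-value",
    "tenantId": "66666666-7777-8888-9999-000000000000",
    "subscriptionId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"})
BAD_AUTH = '{"clientId": "not-a-guid", "clientSecret": " ", "tenantId": ""}'
ERROR_BODY = ('{"error":"invalid_client","error_description":"AADSTS7000215: '
              'Invalid client secret is provided.","error_codes":[7000215],'
              '"trace_id":"constructed-trace-id"}')
AADSTS_HINTS = {7000215: "clientSecret does not match the app registration; "
                         "regenerate the secret or re-run create-for-rbac "
                         "and point auth_path at the new file"}


def _is_guid(value):
    try:
        uuid.UUID(str(value))
    except ValueError:
        return False
    return True


def check_sdk_auth(text):
    """Return the problems found in an --sdk-auth JSON document ([] if none)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: " + exc.msg]
    problems = []
    for key in REQUIRED_KEYS:  # a blank secret is the usual redirect mishap
        if not str(data.get(key) or "").strip():
            problems.append("missing or empty " + key)
    for key in ("clientId", "tenantId", "subscriptionId"):
        if data.get(key) and not _is_guid(data[key]):
            problems.append(key + " is not a GUID")
    return problems


def explain_token_error(body):
    """Extract AADSTS codes from a token 401 body and map known ones to hints."""
    data = json.loads(body)
    codes = data.get("error_codes", [])
    return {"error": data.get("error"), "codes": codes,
            "trace_id": data.get("trace_id"),
            "hints": [AADSTS_HINTS[c] for c in codes if c in AADSTS_HINTS]}
```

Run `check_sdk_auth(open(path).read())` before handing the file to `get_client_from_auth_file`, and feed the server response from the `AuthenticationError` to `explain_token_error` when the token request fails.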
