Failed to Azure.Identity.ClientSecretCredential.GetTokenAsync()

Mindaugas Atkociunas 20 Reputation points
2025-05-05T11:24:08.4466667+00:00

Hello,

I am not able to retrieve secrets from Azure Key Vault; something broke recently.

There is an app registered in Azure Entra ID. This app is assigned the Azure Key Vault "Key Vault Secrets User" role.

The code example:
using System;
using System.Collections.Generic;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var secrets = new List<Secret>();
// Service principal (client credentials) authentication with the app registration's tenant, client id and client secret
var credential = new ClientSecretCredential(_tenantId, _clientId, _clientSecret);
var client = new SecretClient(new Uri(_keyVaultUrl), credential);
// Enumerate secret metadata, then fetch the value of each secret whose name starts with "datasource-"
await foreach (SecretProperties secretProperties in client.GetPropertiesOfSecretsAsync())
{
    if (secretProperties.Name.StartsWith("datasource-"))
    {
        KeyVaultSecret secret = await client.GetSecretAsync(secretProperties.Name);
        var dsSecret = new Secret
        {
            Name = secretProperties.Name,
            Value = secret.Value
        };
        secrets.Add(dsSecret);
    }
}

// The poster's own Secret type (its definition is not shown in the post; assumed to be a simple DTO like this)
public class Secret
{
    public string Name { get; set; }
    public string Value { get; set; }
}

Error:
ClientSecretCredential authentication failed: at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
at Azure.Identity.ClientSecretCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) ...

What is interesting is that this code worked several days ago and now it fails.

Does someone have any ideas?


Accepted answer
  1. Kancharla Saiteja 4,595 Reputation points Microsoft External Staff Moderator
    2025-05-08T08:55:49.0266667+00:00

    Hi @Mindaugas Atkociunas,

    Based on your query, here is my understanding: I see that you have received "ClientSecretCredential authentication failed" while trying to retrieve Key Vault secrets using a managed identity.

    As per the discussion with our team, I believe you have also had an update on the issue.

    Here is the summary: based on the Azure Windows container instance doc, there are some limitations with Windows containers and managed identity, because the metadata server, which is used to retrieve the token for a managed identity, is not available on Windows containers.

    According to the doc, you'll need to manually get the token for your identity and then use that token to access Key Vault objects, as illustrated in the screenshot below (from the link above).

    Also note that this won't work if your container is integrated with a VNet or the SDK used by your program depends on the metadata server. Since this is a limitation, you may not be able to retrieve the token the way you get it on Linux.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".

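The accepted answer suggests obtaining the token yourself and then handing it to the SDK. The following is an added example (not code from the original post, from the answer, or from Microsoft) of doing that with the same ClientSecretCredential: it requests the Key Vault token as a separate step, so a token-issuance failure surfaces as AuthenticationFailedException with its Entra ID error message before any Key Vault call, and then wraps the obtained token in a minimal TokenCredential that SecretClient accepts. The StaticTokenCredential and KeyVaultTokenCheck names are hypothetical, and tenantId, clientId, clientSecret, keyVaultUrl and secretName are placeholder parameters.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Hypothetical helper: hands a token obtained by other means to the SDK.
// Caveat: it never refreshes, so callers must re-acquire before ExpiresOn.
public sealed class StaticTokenCredential : TokenCredential
{
    private readonly AccessToken _token;
    public StaticTokenCredential(AccessToken token) => _token = token;
    public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct) => _token;
    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext ctx, CancellationToken ct)
        => new ValueTask<AccessToken>(_token);
}

public static class KeyVaultTokenCheck
{
    // Scope for the Key Vault data plane
    private const string KeyVaultScope = "https://vault.azure.net/.default";

    // Step 1: request the token on its own, so a token-issuance failure is
    // reported separately from any Key Vault authorization (403) problem.
    public static async Task<AccessToken> AcquireTokenAsync(string tenantId, string clientId, string clientSecret)
    {
        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
        try
        {
            return await credential.GetTokenAsync(
                new TokenRequestContext(new[] { KeyVaultScope }), CancellationToken.None);
        }
        catch (AuthenticationFailedException ex)
        {
            // The message carries the Entra ID (AADSTS) error code explaining why the token was refused.
            Console.Error.WriteLine($"Token request failed: {ex.Message}");
            throw;
        }
    }

    // Step 2: call Key Vault with the pre-acquired token; a 403 here is an RBAC problem, not an auth one.
    public static async Task<string> ReadSecretAsync(AccessToken token, string keyVaultUrl, string secretName)
    {
        var client = new SecretClient(new Uri(keyVaultUrl), new StaticTokenCredential(token));
        KeyVaultSecret secret = await client.GetSecretAsync(secretName);
        return secret.Value;
    }
}
```

Running AcquireTokenAsync first tells you whether the failure is on the token-issuance side (credential, tenant, app registration) or on the Key Vault side (role assignment), which the combined stack trace in the question does not distinguish.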
