Azure Key-Vault and Python and fetching secret

asked 2021-11-09T04:40:59.057+00:00
grajee 331 Reputation points

All,

I'm trying to fetch the secret from Python but it is giving me the below error. This is my personal account of Azure and I'm running it from Azure Data Studio.

grajee

    import os
    from azure.keyvault.secrets import SecretClient
    from azure.identity import DefaultAzureCredential

    keyVaultName = "kvnewsecrets"
    KVUri = f"https://{keyVaultName}.vault.azure.net"
    print(KVUri)

    credential = DefaultAzureCredential(exclude_interactive_browser_credential=False)
    client = SecretClient(vault_url=KVUri, credential=credential)

    secretName = "testlogin"
    #secretValue = input("Input a value for your secret > ")

    print(f"Retrieving your secret from {keyVaultName}.")

    retrieved_secret = client.get_secret(secretName)

    print(f"Your secret is '{retrieved_secret.value}'.")
    print(f"Deleting your secret from {keyVaultName} ...")

    print(" done.")

Here is the error produced:

DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2021-07-22T00:17:39.8522120Z and was inactive for 90.00:00:00.
Trace ID: dcbe8886-1276-42ff-b10a-326db98ef300
Correlation ID: 23551383-9457-4567-81e9-d1afa1ef6a29
Timestamp: 2021-11-09 04:29:02Z'
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
https://kvnewsecrets.vault.azure.net
Retrieving your secret from kvnewsecrets.

ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.

Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2021-07-22T00:17:39.8522120Z and was inactive for 90.00:00:00.
Trace ID: dcbe8886-1276-42ff-b10a-326db98ef300
Correlation ID: 23551383-9457-4567-81e9-d1afa1ef6a29
Timestamp: 2021-11-09 04:29:02Z'
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

2 answers

  1. answered 2022-07-13T17:36:08.937+00:00
    Rafi Trad 36 Reputation points

    If you are running this locally, try to avoid using the shared cache. If you think of deploying this to Azure, and you want to use your own user-assigned managed identity, you can also specify the client ID of your user-assigned managed identity (after attaching it to your Azure resource which will access the Key Vault). Here's how to do both in one shot:

       credential = DefaultAzureCredential(
           exclude_shared_token_cache_credential=True,
           managed_identity_client_id="???")
    
    No comments
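Why excluding the shared token cache helps, as an added example (not code from this thread or from the Azure SDK): azure-identity's credential chain moves past a credential that reports itself unavailable but stops at the first one that fails outright, so the expired cached refresh token ended the chain before the interactive browser credential was tried. The parser, its `authentication unavailable` heuristic and the names `parse_attempts` and `chain_stopper` are assumptions based on the error text quoted in the question.

```python
import re

# "Attempted credentials" section of the error quoted in the question
# (trace and correlation IDs trimmed).
SAMPLE_ERROR = """\
DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS700082: The refresh token has expired due to inactivity.'
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
"""

ENTRY = re.compile(r"^(\w+Credential): (.*)$")
AAD_CODE = re.compile(r"AADSTS\d+")


def parse_attempts(message):
    """Return (credential, status, detail) tuples in the order the chain tried them."""
    entries, in_list = [], False
    for line in message.splitlines():
        if line.strip() == "Attempted credentials:":
            in_list = True
        elif in_list and line.startswith("To mitigate this issue"):
            break
        elif in_list and (m := ENTRY.match(line)):
            entries.append([m.group(1), m.group(2)])
        elif in_list and entries and line.strip():
            entries[-1][1] += " " + line.strip()  # continuation of the previous entry
    # Assumption: "authentication unavailable" marks a credential the chain skips;
    # any other text is treated as a real failure.
    return [(name, "unavailable" if "authentication unavailable" in detail else "failed", detail)
            for name, detail in entries]


def chain_stopper(attempts):
    """Return (credential, AADSTS code or None) for the first hard failure, else None."""
    for name, status, detail in attempts:
        if status == "failed":
            code = AAD_CODE.search(detail)
            return name, (code.group(0) if code else None)
    return None


if __name__ == "__main__":
    for name, status, _ in parse_attempts(SAMPLE_ERROR):
        print(f"{name:28} {status}")
    print("chain stopped at:", chain_stopper(parse_attempts(SAMPLE_ERROR)))
```
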

  2. answered 2021-11-09T23:11:42.44+00:00
    JamesTran-MSFT 26,521 Reputation points Microsoft Employee

    @grajee
    Thank you for your post!

    Based off your error message - "EnvironmentCredential authentication unavailable. Environment variables are not fully configured." - it looks like your environment variables might not be configured. The EnvironmentCredential supports Service Principal authentication and Username + Password authentication. To utilize the desired way of authentication via EnvironmentCredential, you need to ensure the environment variables below are configured properly and the application is able to read them. For more info - Troubleshooting Environment Credential Authentication Issues

    148001-image.png

    Similar issue - Access key vault using user managed identities

    If you're still experiencing issues after configuring your Environment Credentials, I'd recommend opening an issue with the azure-sdk-for-python team so their experts can take a closer look into your issue.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
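A way to check the EnvironmentCredential configuration discussed above, as an added example (not from the answer or the SDK's own code): it reports which variable set is complete and which names are still missing, without ever returning or printing a value. The variable names are the ones azure-identity documents for EnvironmentCredential; the function names are hypothetical, and treating blank values as missing is an assumption of this example.

```python
import os

# Variable sets that azure-identity's EnvironmentCredential reads.
MODES = {
    "service principal + secret": ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"),
    "service principal + certificate": ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_CERTIFICATE_PATH"),
    "username + password": ("AZURE_CLIENT_ID", "AZURE_USERNAME", "AZURE_PASSWORD"),
}


def audit_environment(env=None):
    """Map each mode to the variable names it still lacks; values are never returned."""
    env = os.environ if env is None else env
    # Assumption: blank values are reported as missing because they cannot authenticate.
    return {mode: [n for n in names if not env.get(n, "").strip()]
            for mode, names in MODES.items()}


def usable_modes(env=None):
    """Modes whose variables are all present."""
    return [mode for mode, missing in audit_environment(env).items() if not missing]


def closest_mode(env=None):
    """Partially configured mode with the fewest gaps, or None if nothing is set."""
    partial = [(len(missing), mode) for mode, missing in audit_environment(env).items()
               if 0 < len(missing) < len(MODES[mode])]
    return min(partial)[1] if partial else None


def describe(env=None):
    """One line per mode, naming missing variables only."""
    return [f"{mode}: " + ("complete" if not missing else "missing " + ", ".join(missing))
            for mode, missing in audit_environment(env).items()]


if __name__ == "__main__":
    print("\n".join(describe()))
```

Run it in the same process environment as the failing script (for example, the same Azure Data Studio kernel), since variables set in another shell are not visible there.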