Azure Key-Vault and Python and fetching secret

grajee 341 Reputation points
2021-11-09T04:40:59.057+00:00

All,

I'm trying to fetch the secret from Python, but it is giving me the error below. This is my personal Azure account, and I'm running it from Azure Data Studio.

grajee

    import os
    from azure.keyvault.secrets import SecretClient
    from azure.identity import DefaultAzureCredential

    keyVaultName = "kvnewsecrets"
    KVUri = f"https://{keyVaultName}.vault.azure.net"
    print(KVUri)

    credential = DefaultAzureCredential(exclude_interactive_browser_credential=False)
    client = SecretClient(vault_url=KVUri, credential=credential)

    secretName = "testlogin"
    #secretValue = input("Input a value for your secret > ")

    print(f"Retrieving your secret from {keyVaultName}.")

    retrieved_secret = client.get_secret(secretName)

    print(f"Your secret is '{retrieved_secret.value}'.")
    print(f"Deleting your secret from {keyVaultName} ...")

    print(" done.")

Here is the error produced:

DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2021-07-22T00:17:39.8522120Z and was inactive for 90.00:00:00.
Trace ID: dcbe8886-1276-42ff-b10a-326db98ef300
Correlation ID: 23551383-9457-4567-81e9-d1afa1ef6a29
Timestamp: 2021-11-09 04:29:02Z'
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
https://kvnewsecrets.vault.azure.net
Retrieving your secret from kvnewsecrets.

ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.

Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2021-07-22T00:17:39.8522120Z and was inactive for 90.00:00:00.
Trace ID: dcbe8886-1276-42ff-b10a-326db98ef300
Correlation ID: 23551383-9457-4567-81e9-d1afa1ef6a29
Timestamp: 2021-11-09 04:29:02Z'
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
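
Added example, not part of the original post: the chain error above is three separate failures, one per credential tried. This sketch splits the "Attempted credentials" block and labels each cause; the function names and label strings are this example's own, and the sample text is the question's error with the trace and correlation lines dropped.

```python
import re

# Constructed sample: the error from the question, trace/correlation lines dropped.
SAMPLE = """\
DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2021-07-22T00:17:39.8522120Z and was inactive for 90.00:00:00.
Timestamp: 2021-11-09 04:29:02Z'
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
"""

ENTRY = re.compile(r"^(\w+Credential): (.*)$")   # "<Name>Credential: <reason>"
AADSTS = re.compile(r"\bAADSTS\d+\b")            # Azure AD error code

def parse_attempts(text):
    """Return {credential name: failure text} for the first chain error in text."""
    block = text.partition("Attempted credentials:")[2]
    attempts, current = {}, None
    for line in block.splitlines():
        line = line.strip()
        if line.startswith("To mitigate this issue"):
            break  # end of the first block; the output may repeat it
        m = ENTRY.match(line)
        if m:
            current = m.group(1)
            attempts[current] = m.group(2)
        elif current and line:
            attempts[current] += " " + line  # continuation of the previous entry
    return attempts

def classify(reason):
    """Map one failure reason to a coarse cause (labels are hypothetical)."""
    code = AADSTS.search(reason)
    if code:
        return f"azure-ad-error:{code.group(0)}"
    if "Environment variables are not fully configured" in reason:
        return "env-vars-missing"
    if "no response from the IMDS endpoint" in reason:
        return "no-managed-identity-endpoint"
    return "unknown"

def triage(text):
    """Return {credential name: cause label} for a DefaultAzureCredential error."""
    return {name: classify(reason) for name, reason in parse_attempts(text).items()}
```
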

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

2 answers

  1. Rafi Trad 61 Reputation points
    2022-07-13T17:36:08.937+00:00

    If you are running this locally, try to avoid using the shared cache. If you think of deploying this to Azure, and you want to use your own user-assigned managed identity, you can also specify the client ID of your user-assigned managed identity (after attaching it to your Azure resource which will access the Key Vault). Here's how to do both in one shot:

       credential = DefaultAzureCredential(  
                   exclude_shared_token_cache_credential=True,  
                   managed_identity_client_id="???")  
    
    3 people found this answer helpful.

  2. JamesTran-MSFT 36,376 Reputation points Microsoft Employee
    2021-11-09T23:11:42.44+00:00

    @grajee
    Thank you for your post!

    Based off your error message, "EnvironmentCredential authentication unavailable. Environment variables are not fully configured.", it looks like your environment variables might not be configured. The EnvironmentCredential supports Service Principal authentication and Username + Password authentication. To utilize the desired way of authentication via EnvironmentCredential, you need to ensure the environment variables below are configured properly and the application is able to read them. For more info, see: Troubleshooting Environment Credential Authentication Issues

    [Image: 148001-image.png]

    Similar issue - Access key vault using user managed identities

    If you're still experiencing issues after configuring your Environment Credentials, I'd recommend opening an issue with the azure-sdk-for-python team so their experts can take a closer look into your issue.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
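
The screenshot listing the variables is not preserved on this page. As an added example (not from the answer or the Azure SDK), this preflight check reports which EnvironmentCredential variable sets are complete without ever printing a value. The variable names are the ones documented for azure-identity; the function names and the choice to treat an empty value as missing are this example's own.

```python
import os

# Variable sets accepted by EnvironmentCredential, as documented for azure-identity.
MODES = {
    "service principal with secret":
        ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"),
    "service principal with certificate":
        ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_CERTIFICATE_PATH"),
    "username and password":
        ("AZURE_CLIENT_ID", "AZURE_USERNAME", "AZURE_PASSWORD"),
}

def missing_by_mode(env=None):
    """Return {mode: [variable names that are unset or empty]}."""
    env = os.environ if env is None else env
    return {
        mode: [name for name in names if not env.get(name)]
        for mode, names in MODES.items()
    }

def usable_modes(env=None):
    """Modes for which every required variable is present."""
    return [mode for mode, missing in missing_by_mode(env).items() if not missing]

def report(env=None):
    """One line per mode, naming variables only; values are never included."""
    lines = []
    for mode, missing in missing_by_mode(env).items():
        status = "ready" if not missing else "missing " + ", ".join(missing)
        lines.append(f"{mode}: {status}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Run in the same shell or notebook kernel as the failing script, so the
    # check sees the environment the application actually reads.
    print(report())
```
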