Occasional error authenticating to KeyVault

Derek de Rie 6 Reputation points
2022-04-24T12:22:08.07+00:00

Hi there,

I am running Docker images, which are launched from Logic Apps. Occasionally (by my estimation around 5%), my runs fail, because the code is not able to authenticate using DefaultAzureCredentials(). I get the following error:

azure.core.exceptions.ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
 EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue.
 ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
 SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
 VisualStudioCodeCredential: Failed to get Azure user details from Visual Studio Code.
 AzureCliCredential: Azure CLI not found on path
 AzurePowerShellCredential: PowerShell is not installed
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.

The images should be using the ManagedIdentityCredential, but as the error says, the "IMDS endpoint" is unavailable. I built in some checks that retry the call 10 seconds later (and keep iterating), but this keeps failing.

I searched everywhere for this problem, but I cannot find it. I also have no idea what the problem is. The images I'm running are not changing, the Logic App is not changing, so something external must be wrong, right? All help is very, very much appreciated.

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
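
The chained error in the question lists six credentials, but in a container only the ManagedIdentityCredential entry matters. As an added example (not code from this thread or from the Azure SDK), the following standard-library code picks that entry out of the message and retries with bounded exponential backoff only when it reports no response from IMDS, so any other failure is raised immediately. The function names, the backoff values and the abbreviated sample message are assumptions; it assumes the exception text has the format shown in the question.

```python
import re
import time

# Constructed sample: abbreviated copy of the error text posted in the question.
SAMPLE = """DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
 EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
 ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
 AzureCliCredential: Azure CLI not found on path
"""

# One "<Name>Credential: <reason>" entry per line under the header.
ENTRY = re.compile(r"^\s*(\w+Credential):\s*(.+)$")


def attempted(message):
    """Map each credential listed under 'Attempted credentials:' to its reason."""
    reasons, in_list = {}, False
    for line in message.splitlines():
        if line.strip() == "Attempted credentials:":
            in_list = True
            continue
        match = ENTRY.match(line) if in_list else None
        if match:
            reasons[match.group(1)] = match.group(2).strip()
    return reasons


def imds_unreachable(message):
    """True when the managed identity entry reports no answer from IMDS."""
    reason = attempted(message).get("ManagedIdentityCredential", "")
    return "no response from the IMDS endpoint" in reason


def call_with_backoff(fn, attempts=5, base=2.0, cap=60.0, sleep=time.sleep):
    """Retry fn only for the IMDS-unreachable case; re-raise anything else at once."""
    for n in range(attempts):
        try:
            return fn()
        except Exception as exc:
            # Give up on the last attempt, or when the failure is not the IMDS case.
            if n == attempts - 1 or not imds_unreachable(str(exc)):
                raise
            sleep(min(cap, base * 2 ** n))  # 2s, 4s, 8s, ... capped at `cap`
```

Logging the result of `attempted()` on every failed run also records whether the managed identity entry is always the one reporting the IMDS timeout.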

2 answers

  1. Siva-kumar-selvaraj 15,721 Reputation points
    2022-04-26T11:23:53.223+00:00

    Hello @Derek de Rie,

    Thanks for reaching out.

    Based on my search on the above error message, this issue might have been caused by the shared token cache, so I would recommend that you use “exclude_shared_token_cache_credential=True” to exclude the shared token cache.

    Based on my investigation of the above error message, I believe the issue might have been caused by the shared token cache, thus I recommend that you use "exclude_shared_token_cache_credential=True" to exclude the shared token cache, because DefaultAzureCredential is based on the Azure Identity client library. You could skip the shared cache.

    Example:
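    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    # Note: connection_verify=False disables TLS certificate verification.
    credential = DefaultAzureCredential(connection_verify=False, exclude_shared_token_cache_credential=True)
    secret_client = SecretClient(vault_url="https://testvaul1234.vault.azure.net/", credential=credential, connection_verify=False)
    secret = secret_client.get_secret("mysecret")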

    Here are similar issues for your reference. If none of these help you fix the issue, I'd recommend opening an issue with the azure-sdk-for-python team so their experts can take a closer look into your issue.
    https://learn.microsoft.com/en-us/answers/questions/604691/access-key-vault-using-user-managed-identities.html
    https://stackoverflow.com/questions/67165101/azure-chainedtokencredential-fails-after-password-change

    If you don't have a support plan, please send an email to AzCommunity[at]Microsoft[dot]com referencing this thread and your subscription id so that we will help you get a one-time free technical support. Hope this helps.

    Feel free to tag me if you have any other questions. Thank you for your time and patience throughout this issue.

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Rafi Trad 66 Reputation points
    2022-07-13T17:25:44.47+00:00

    Hello all,
    Any update on this issue? I am facing it as well.
    Locally, everything runs smoothly. When I put the code on Azure Synapse jobs, it fails. I am using a user-assigned managed identity and all privileges are granted. I am trying to access an Azure Key Vault.

    Please advise and thank you.
