Occassional error authenticating to KeyVault

Question

Occassional error authenticating to KeyVault

Derek de Rie 6

Hi there,

I am running Docker images, which are launched from Logic Apps. Occasionally (by my estimation around 5%), my runs fail, because the code is not able to authenticate using DefaultAzureCredentials(). I get the following error:

azure.core.exceptions.ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
 EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue.
 ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
 SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
 VisualStudioCodeCredential: Failed to get Azure user details from Visual Studio Code.
 AzureCliCredential: Azure CLI not found on path
 AzurePowerShellCredential: PowerShell is not installed
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.

The images should be using the ManagedIdentityCredential, but as the error says, the "IMDS endpoint" is unavailable. I build in some checks that re-try the call 10 seconds later (and keep iterating), but this keeps failing.

I searched everywhere for this problem, but I cannot find it. I also have no idea what is the problem. The images I'm running are not changing, the Logic App is not changing, so something externally must be wrong right? All helps is very, very much appreciated.

Siva-kumar-selvaraj 15,721 Reputation points

2022-05-12T04:53:49.287+00:00

@Derek de Rie ,
I'd want to check in and see if you had any other questions or if you were able to resolve this issue? If you have any other questions, please let us know. Thank you for your time and patience throughout this issue.

---
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Derek de Rie 6 Reputation points

2022-05-31T07:50:44.453+00:00

Hi @sikumars-msft ,
Unfortunately I'm still stuck. I have contacted AzCommunity[at]Microsoft[dot]com but I'm not getting any reply. I have tested many other things, but still, there's the occasional error (around 5% of the time). When the error occurs, I let the application wait for 10 seconds, and try again, but it keeps failing. I think this has to do with the Logic App that I'm running, but its almost impossible to find out how and why this is happening.

I'm using Azure Logic Apps to deploy a container to the Azure Container Instances. I believe that sometimes these containers are misconfigured in some way (I don't know in which way). But it also feels out of my control to fix it. I believe it would be best to look closely at this issue with someone that works with the Logic App service, because it might be a bug in the system.

best,
Derek

2 answers

Your answer

Siva-kumar-selvaraj 15,721 Reputation points

2022-05-12T04:53:49.287+00:00

@Derek de Rie ,
I'd want to check in and see if you had any other questions or if you were able to resolve this issue? If you have any other questions, please let us know. Thank you for your time and patience throughout this issue.

---
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Derek de Rie 6 Reputation points

2022-05-31T07:50:44.453+00:00

Hi @sikumars-msft ,
Unfortunately I'm still stuck. I have contacted AzCommunity[at]Microsoft[dot]com but I'm not getting any reply. I have tested many other things, but still, there's the occasional error (around 5% of the time). When the error occurs, I let the application wait for 10 seconds, and try again, but it keeps failing. I think this has to do with the Logic App that I'm running, but its almost impossible to find out how and why this is happening.

I'm using Azure Logic Apps to deploy a container to the Azure Container Instances. I believe that sometimes these containers are misconfigured in some way (I don't know in which way). But it also feels out of my control to fix it. I believe it would be best to look closely at this issue with someone that works with the Logic App service, because it might be a bug in the system.

best,
Derek

Answer 1

Hello @Derek de Rie ,

Thanks for reaching out.

Based on my search on above error message, this issue might have caused by the shared token cache so would recommend you to use “exclude_shared_token_cache_credential=True” to exclude the shared token cache.

Based on my investigation of the above error message, I believe the issue might have caused by the shared token cache, thus I recommend that you use "exclude shared token cache credential=True" to exclude the shared token cache, because DefaultAzureCredential is based on Azure Identity client library. You could skip the shared cache.

Example:
DefaultAzureCredential(connection_verify=False, exclude_shared_token_cache_credential=True)
secret_client = SecretClient(vault_url="https://testvaul1234.vault.azure.net/", credential=credential, connection_verify=False)
secret = secret_client.get_secret("mysecret")

Here are similar issues for your reference. If non of these help you fix the issue, I'd recommend opening an issue with the azure-sdk-for-python team so their experts can take a closer look into your issue.
https://learn.microsoft.com/en-us/answers/questions/604691/access-key-vault-using-user-managed-identities.html
https://stackoverflow.com/questions/67165101/azure-chainedtokencredential-fails-after-password-change

If you don't have support plan, please send an email to AzCommunity[at]Microsoft[dot]com referencing this thread and your subscription id so that we will help you get a one-time free technical support. Hope this helps.

Feel free to tag me If you have any other questions. Thank you for your time and patience throughout this issue.

-----
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Derek de Rie 6 Reputation points

2022-05-13T12:09:01.043+00:00

Hi @sikumars-msft ,

I wanted to thank you for your answer! Unfortunately it is a hard issue to solve, because it only fails sometimes. I changed the code per your example, but now I have witnessed the same error again, ecen using "exclude_shared_token_cache_credential=True".

What I did was also repeat the call in case of any failure, and my container keeps on failing if this happens. So I'm not sure whether this is a problem with azure-sdk-for-python, or simply something going wrong in the creation of my containers. The containers are created using Azure Logic Apps, and run on Azure Container Instances.

If you have any other ideas, let me know! I will write the e-mail as you suggested as well.

best,
Derek

Answer 2

Rafi Trad 66

Hello all,
Any update on this issue? I am facing it as well.
Locally, everything runs smoothly. When I put the code on Azure Synapse jobs, it fails. I am using a user-assigned managed identity and all privileges are granted. I am trying to access an Azure Key Vault.

Please advise and thank you.

Share via

Occassional error authenticating to KeyVault

2 answers

Your answer