Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

KustoClient requesting a new token on every request when using Managed Service Identity

See original GitHub issue

Code Sample, a copy-pastable example if possible

cluster_url = "myclusterurl"
kcsb = KustoConnectionStringBuilder.with_aad_managed_service_identity_authentication(           cluster_url)
client = KustoClient(kcsb)

# Run a query. A call to the /msi/token endpoint is made.
# Then, a few lines below, run another query. Another call to /msi/token endpoint is made.
# Then, again, another query. Another call to /msi/token endpoint is made.

Problem description

I have a Python Azure Function which is instantiating a new kusto client using managed service identity and running some queries with it.

The problem is that the library is requesting a token on each call instead of just on the first one and then reusing the token. In my logs I can see the following request being made before every query I make on the cluster:

GET http://localhost:8081/msi/token/?resource=https://myclustername.westus2.kusto.windows.net&api-version=2017-09-01 [200]

Every once in a while I get the following error:

MSI: Failed to retrieve a token from 'http://localhost:8081/msi/token/?resource=https://myclustername.westus2.kusto.windows.net&api-version=2017-09-01' with an error of '{"statusCode":503,"message":"An unexpected error occured while fetching the AAD Token.","correlationId":"431d234c-678d-4ce7-be3a-06da7482b547"}'.

Azure supports says this error is caused by a lot of requests to that endpoint in a short period of time.

Just to clarify, the library is requesting a new token before every kusto query call inside the same function invocation. So this is not an issue caused by multiple function invocations instantiating a new kusto client and exceeding the MSI token endpoint rate limit.

–

Output of `pip freeze`

adal==1.2.2 astroid==2.3.3 autopep8==1.5 azure-common==1.1.25 azure-core==1.2.1 azure-functions==1.2.0 azure-kusto-data==0.0.44 azure-kusto-ingest==0.0.44 azure-storage-blob==2.1.0 azure-storage-common==2.1.0 azure-storage-queue==2.1.0 certifi==2019.11.28 cffi==1.13.2 chardet==3.0.4 colorama==0.4.3 cryptography==2.8 idna==2.8 isodate==0.6.0 isort==4.3.21 lazy-object-proxy==1.4.3 mccabe==0.6.1 msrest==0.6.11 msrestazure==0.6.2 numpy==1.18.2 oauthlib==3.1.0 pandas==1.0.3 pycodestyle==2.5.0 pycparser==2.19 PyJWT==1.7.1 pylint==2.4.4 python-dateutil==2.8.1 pytz==2019.3 requests==2.22.0 requests-oauthlib==1.3.0 sentry-sdk==0.14.3 six==1.14.0 tenacity==6.1.0 typed-ast==1.4.1 urllib3==1.25.8 wrapt==1.11.2

Issue Analytics

State:
Created 3 years ago
Reactions:1
Comments:11 (7 by maintainers)

Top GitHub Comments

1reaction

yogiladcommented, May 5, 2020

Update: I opened an issue with msrestazure () to see if and how the tokens can be cached by them. As discussed, I’ll provide an option to authenticate with a token provider, which will allow to workaround the issue.

0reactions

yogiladcommented, Jul 12, 2020

In version 1.0.0 we switched to azure.identity library which caches the tokens. This should resolve this issue.