
SharedTokenCacheCredential authentication fails in Azure.Identity on ubuntu


We have written an internal command line tool that allows us to read secrets from Azure Keyvault. This tool consumes Azure.Identity, Azure.Security.KeyVault.*, and Azure.ResourceManager.Resources.

We run this tool both on our dev machines and in the Azure DevOps release pipeline. However, today we have updated Azure.Identity from 1.2.2 to 1.3.0. While the tool still runs without any issue on my Windows machine, it fails on the build agent in the release pipeline (ubuntu-18.04):

ERROR: Azure.Identity.AuthenticationFailedException: SharedTokenCacheCredential authentication failed: Persistence check failed. Data was written but it could not be read. Possible cause: on Linux, LibSecret is installed but D-Bus isn't running because it cannot be started over SSH.
    Microsoft.Identity.Client.Extensions.Msal.MsalCachePersistenceException: Persistence check failed. Data was written but it could not be read. Possible cause: on Linux, LibSecret is installed but D-Bus isn't running because it cannot be started over SSH.
      at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence() 
      at Microsoft.Identity.Client.Extensions.Msal.MsalCacheHelper.VerifyPersistence() 
      at Azure.Identity.MsalClientBase`1.GetClientAsync(Boolean async, CancellationToken cancellationToken) 
      at Azure.Identity.MsalClientBase`1.GetClientAsync(Boolean async, CancellationToken cancellationToken) 
      at Azure.Identity.MsalPublicClient.GetAccountsAsync(Boolean async, CancellationToken cancellationToken) 
      at Azure.Identity.SharedTokenCacheCredential.GetAccountAsync(Boolean async, CancellationToken cancellationToken) 
      at Azure.Identity.SharedTokenCacheCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) 
  at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex) 
  at Azure.Identity.SharedTokenCacheCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) 
  at Azure.Identity.SharedTokenCacheCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) 
  at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken) 
  at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) 
  at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex) 
  at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) 
  at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) 
  at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueFromCredentialAsync(HttpMessage message, Boolean async, CancellationToken cancellationToken) 
  at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, Boolean async) 
  at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async) 
  at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async) 
  at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async) 
  at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline) 
  at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline) 
  at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline) 
  at Azure.ResourceManager.Resources.ResourceGroupsRestOperations.GetAsync(String resourceGroupName, CancellationToken cancellationToken) 
  at Azure.ResourceManager.Resources.ResourceGroupsOperations.GetAsync(String resourceGroupName, CancellationToken cancellationToken) 

I don’t know if this is caused by Azure.Identity itself or by the MSAL token cache extension you’re using.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 10 (5 by maintainers)

Top GitHub Comments

schaabs commented, Nov 18, 2020

@thoemmi Thank you for filing this issue, I’m sorry you’re running into this problem. I’ll investigate the root cause of this regression and hopefully release a patch for it soon. In the meantime you should be able to work around this by excluding the SharedTokenCacheCredential from the DefaultAzureCredential.

var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ExcludeSharedTokenCacheCredential = true });

This should work around the issue you're experiencing in your CI and should not impact your authentication in your development environment as the VisualStudioCredential will provide authentication in lieu of the SharedTokenCacheCredential. As a matter of fact we’re also planning on disabling the SharedTokenCacheCredential by default in our next release. More info on this can be found in this issue https://github.com/Azure/azure-sdk/issues/1970, and PR https://github.com/Azure/azure-sdk-for-net/pull/16615. Please let me know if you have further questions or have trouble getting the workaround working.
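
An added example, not part of the original issue or the maintainer's reply: one way to keep the keyring-backed token cache out of the picture on a headless build agent is to build an explicit non-interactive credential chain there and use the workaround above only on developer machines. The `KEYVAULT_URI` variable and the secret name `example-secret` are assumptions made for illustration; `TF_BUILD` is the variable Azure Pipelines sets on its agents.

```csharp
// Added example; KEYVAULT_URI and "example-secret" are hypothetical names.
using System;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

TokenCredential BuildCredential()
{
    // Azure Pipelines sets TF_BUILD=True on its agents.
    bool onBuildAgent = string.Equals(
        Environment.GetEnvironmentVariable("TF_BUILD"), "True",
        StringComparison.OrdinalIgnoreCase);

    if (onBuildAgent)
    {
        // Headless agent: only non-interactive sources that need no keyring or D-Bus.
        return new ChainedTokenCredential(
            new EnvironmentCredential(),  // AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET
            new AzureCliCredential());    // session left by an earlier `az login`
    }

    // Dev machine: default chain minus the shared token cache (the workaround above).
    return new DefaultAzureCredential(
        new DefaultAzureCredentialOptions { ExcludeSharedTokenCacheCredential = true });
}

var vaultUri = new Uri(Environment.GetEnvironmentVariable("KEYVAULT_URI")
    ?? throw new InvalidOperationException("KEYVAULT_URI is not set"));
var client = new SecretClient(vaultUri, BuildCredential());

try
{
    KeyVaultSecret secret = client.GetSecret("example-secret");
    // Never write the value to the pipeline log; report only that it was read.
    Console.WriteLine($"Read secret '{secret.Name}' ({secret.Value.Length} chars)");
}
catch (AuthenticationFailedException ex)
{
    // CredentialUnavailableException derives from this type, so an empty chain lands here too.
    Console.Error.WriteLine($"Authentication failed: {ex.Message}");
    Environment.Exit(1);
}
```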
