DefaultAzureCredential - RestError: [TokenExpired] Error validating token: 'S2S12086'
See original GitHub issue- Azure Identity:
- 1.10 and 1.11:
- Linux:
- 3.8:
Describe the bug We currently have an azure function app behind and API. This function interacts several third party services, Cosmo, Sales Force to name a through. The functions will run
credential = DefaultAzureCredential(exclude_visual_studio_code_credential = True, exclude_shared_token_cache_credential=True) client = SecretClient(vault_url=f"https://{enviroment}apiapp.vault.azure.net/", credential=credential, logging_enable=True)
After 24 hours we start seeing the error: “FailureException: ClientAuthenticationError: (Unauthorized) [TokenExpired] Error validating token: ‘S2S12086’.Code: UnauthorizedMessage: [TokenExpired] Error validating token: ‘S2S12086’”
If we restart the function app or wait about 15 minute it starts working again.
To Reproduce Steps to reproduce the behavior:
- Deploy function app that uses DefaultAzureCredential to access KeyVault.
- Run function every minute for 24 hours.
- After 24 hours you should start to receive this message.
Expected behavior I would expect the credential to not expire, or issue a new credential if it expires without a user seeing an error.
Additional context This was working through April. We did a deploy in May after 1.10 came out and we started having the problem. Did lots of trouble shooting and trying different settings. Eventually found a similar problem on the sdk for js. https://github.com/Azure/azure-sdk-for-js/issues/22722 that got us looking at release dates of version for the Python package that line up.
Issue Analytics
- State:
- Created a year ago
- Comments:16 (9 by maintainers)
Top GitHub Comments
I had the same problem, fix was not to cache
client = new SecretClient(...
(at least do not cache it forever, refresh once a hour or so). I started re-creating ofnew ManagedIdentityCredential()
and making of a newSecretClient
from it and problem has gone for now.Cant say it for sure, but it seems like one of the objects above makes a token which gets stale after some time.
I believe the similar problem is in issue #27266
I use @azure/identity 3.1.1 Package Name: @azure/identity Package Version: ^3.1.1 Operating system: Linux Nodejs version: 16.14.12
@mccoyp Thank you for getting back.
We currently don’t have the azure-keyvault-secrets version locked so the most recent deploy is using 4.6.0.
Some added information, as an experiment last week we locked azure identity to version 1.9.0 and since then we have not had the authentication problem. Its only been three days since we stopped restarting the Azure function automatically every 12 hours, but we would normally see the problem at the 24 hour mark.