DefaultAzureCredential - RestError: [TokenExpired] Error validating token: 'S2S12086'

  • Azure Identity:
  • 1.10 and 1.11:
  • Linux:
  • 3.8:

Describe the bug

We currently have an Azure function app behind an API. This function interacts with several third party services, Cosmo, Sales Force to name a few. The functions will run

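    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    # `enviroment` is a variable from the poster's code; its definition is not shown.
    credential = DefaultAzureCredential(exclude_visual_studio_code_credential=True, exclude_shared_token_cache_credential=True)
    client = SecretClient(vault_url=f"https://{enviroment}apiapp.vault.azure.net/", credential=credential, logging_enable=True)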

After 24 hours we start seeing the error: "FailureException: ClientAuthenticationError: (Unauthorized) [TokenExpired] Error validating token: 'S2S12086'. Code: Unauthorized Message: [TokenExpired] Error validating token: 'S2S12086'"

If we restart the function app or wait about 15 minutes, it starts working again.

To Reproduce

Steps to reproduce the behavior:

  1. Deploy function app that uses DefaultAzureCredential to access KeyVault.
  2. Run function every minute for 24 hours.
  3. After 24 hours you should start to receive this message.

Expected behavior

I would expect the credential to not expire, or issue a new credential if it expires without a user seeing an error.

Additional context

This was working through April. We did a deploy in May after 1.10 came out and we started having the problem. Did lots of troubleshooting and trying different settings. Eventually found a similar problem on the SDK for JS, https://github.com/Azure/azure-sdk-for-js/issues/22722, that got us looking at release dates of versions for the Python package that line up.

Issue Analytics

  • State: open
  • Created a year ago
  • Comments: 16 (9 by maintainers)

Top GitHub Comments

1 reaction
KEMBL commented, Dec 2, 2022

After 24 hours you should start to receive this message.

I had the same problem; the fix was not to cache client = new SecretClient(... (at least do not cache it forever, refresh once an hour or so). I started re-creating a new ManagedIdentityCredential() and making a new SecretClient from it, and the problem has gone for now.

Can't say for sure, but it seems like one of the objects above makes a token which gets stale after some time.

I believe a similar problem is in issue #27266

I use @azure/identity 3.1.1

  • Package Name: @azure/identity
  • Package Version: ^3.1.1
  • Operating system: Linux
  • Nodejs version: 16.14.12
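
One way to apply the workaround from the comment above to the Python code in the issue: rebuild the credential and SecretClient once they are about an hour old, and once more if a call fails with an authentication error. This is an added example, not code from the thread or from the Azure SDK; `RefreshingClient`, `make_secret_client` and their parameters are hypothetical names.

```python
import threading
import time


class RefreshingClient:
    """Hypothetical helper: caches a client, rebuilding it when it is too old."""

    def __init__(self, factory, max_age_s=3600.0, auth_errors=(), clock=time.monotonic):
        self._factory = factory          # builds a fresh credential + client
        self._max_age_s = max_age_s      # "once an hour or so", per the comment
        self._auth_errors = auth_errors  # exception types that trigger a rebuild
        self._clock = clock              # injectable so expiry can be tested
        self._lock = threading.Lock()
        self._client = None
        self._built_at = 0.0

    def get(self, force=False):
        """Return the cached client, rebuilding it if forced, missing or stale."""
        with self._lock:
            now = self._clock()
            stale = now - self._built_at >= self._max_age_s
            if force or self._client is None or stale:
                self._client = self._factory()
                self._built_at = now
            return self._client

    def call(self, op):
        """Run op(client); on an auth error, rebuild the client and retry once."""
        try:
            return op(self.get())
        except self._auth_errors:
            return op(self.get(force=True))


def make_secret_client(vault_url):
    """Build a new credential and SecretClient with the options from the issue."""
    # Lazy imports: the wrapper above does not depend on the Azure SDK.
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    credential = DefaultAzureCredential(
        exclude_visual_studio_code_credential=True,
        exclude_shared_token_cache_credential=True,
    )
    return SecretClient(vault_url=vault_url, credential=credential)
```

In the function app, create one module-level `RefreshingClient(lambda: make_secret_client(vault_url), auth_errors=(ClientAuthenticationError,))`, with `ClientAuthenticationError` imported from `azure.core.exceptions`, and read secrets through `call(lambda c: c.get_secret(name).value)`.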

1 reaction
nathan-copperfrog commented, Nov 17, 2022

@mccoyp Thank you for getting back.

We currently don’t have the azure-keyvault-secrets version locked so the most recent deploy is using 4.6.0.

Some added information: as an experiment last week we locked azure identity to version 1.9.0 and since then we have not had the authentication problem. It's only been three days since we stopped restarting the Azure function automatically every 12 hours, but we would normally see the problem at the 24 hour mark.
