auth failure with az CLI token
- Package Name: azure.identity, azure.mgmt.subscription
- Package Version: azure-identity==1.7.1, azure-mgmt-subscription==3.0.0
- Operating System: macOS
- Python Version: 3.7.7
Describe the bug
I would like to list all Azure subscriptions:
```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.subscription import SubscriptionClient

if __name__ == "__main__":
    cred = DefaultAzureCredential(exclude_visual_studio_code_credential=True)
    sub_client = SubscriptionClient(cred)
    print(list(sub_client.subscriptions.list()))
```
Before running this code I’ve logged into azure CLI via:
az login
I’m running into the following exception:
DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2021-06-24T11:46:15.0209113Z and was inactive for 90.00:00:00.
Trace ID: 1eb1bf61-9e2c-424a-be16-f287ee201300
Correlation ID: 73cc69da-0208-46c2-bcf1-fa726c82f8b3
Timestamp: 2022-01-28 12:15:44Z'
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
Traceback (most recent call last):
File "/Users/ivan.trusov/Library/Application Support/JetBrains/IntelliJIdea2021.3/scratches/az_cli_auth.py", line 7, in <module>
print(list(sub_client.subscriptions.list()))
File "/Users/ivan.trusov/opt/anaconda3/envs/dbx/lib/python3.7/site-packages/azure/core/paging.py", line 129, in __next__
return next(self._page_iterator)
File "/Users/ivan.trusov/opt/anaconda3/envs/dbx/lib/python3.7/site-packages/azure/core/paging.py", line 76, in __next__
self._response = self._get_next(self.continuation_token)
File "/Users/ivan.trusov/opt/anaconda3/envs/dbx/lib/python3.7/site-packages/azure/mgmt/subscription/operations/_subscriptions_operations.py", line 299, in get_next
pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
File "/Users/ivan.trusov/opt/anaconda3/envs/dbx/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 211, in run
return first_node.send(pipeline_request) # type: ignore
File "/Users/ivan.trusov/opt/anaconda3/envs/dbx/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
File "/Users/ivan.trusov/opt/anaconda3/envs/dbx/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
File "/Users/ivan.trusov/opt/anaconda3/envs/dbx/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
[Previous line repeated 2 more times]
File "/Users/ivan.trusov/opt/anaconda3/envs/dbx/lib/python3.7/site-packages/azure/mgmt/core/policies/_base.py", line 47, in send
response = self.next.send(request)
File "/Users/ivan.trusov/opt/anaconda3/envs/dbx/lib/python3.7/site-packages/azure/core/pipeline/policies/_redirect.py", line 158, in send
response = self.next.send(request)
File "/Users/ivan.trusov/opt/anaconda3/envs/dbx/lib/python3.7/site-packages/azure/core/pipeline/policies/_retry.py", line 445, in send
response = self.next.send(request)
File "/Users/ivan.trusov/opt/anaconda3/envs/dbx/lib/python3.7/site-packages/azure/core/pipeline/policies/_authentication.py", line 117, in send
self.on_request(request)
File "/Users/ivan.trusov/opt/anaconda3/envs/dbx/lib/python3.7/site-packages/azure/core/pipeline/policies/_authentication.py", line 94, in on_request
self._token = self._credential.get_token(*self._scopes)
File "/Users/ivan.trusov/opt/anaconda3/envs/dbx/lib/python3.7/site-packages/azure/identity/_credentials/default.py", line 172, in get_token
return super(DefaultAzureCredential, self).get_token(*scopes, **kwargs)
File "/Users/ivan.trusov/opt/anaconda3/envs/dbx/lib/python3.7/site-packages/azure/identity/_credentials/chained.py", line 108, in get_token
raise ClientAuthenticationError(message=message)
azure.core.exceptions.ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2021-06-24T11:46:15.0209113Z and was inactive for 90.00:00:00.
Trace ID: 1eb1bf61-9e2c-424a-be16-f287ee201300
Correlation ID: 73cc69da-0208-46c2-bcf1-fa726c82f8b3
Timestamp: 2022-01-28 12:15:44Z'
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
To Reproduce
As described above
Expected behavior
Auth and then subscription listing.
Issue Analytics
- State:
- Created 2 years ago
- Comments:5 (2 by maintainers)
@renardeinside Thanks for reaching out.
From the error log, there is a shared token cache found but the token expired.
In this case, instead of silently swallowing the error, DefaultAzureCredential raises it to you.
If you are sure you don’t want to use the cached token, you can create DefaultAzureCredential with exclude_shared_token_cache_credential=True.
So in your case, you can have code like:
Please let us know if it does not work.
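A triage helper for the error above, as an added example that is not part of the original issue or of the SDK: it parses the "Attempted credentials" list and reports the first credential that was configured but failed (here the expired shared token cache, after which no Azure CLI attempt is listed), together with the `DefaultAzureCredential` keyword that excludes it. The function names and the shortened sample message are assumptions made for this illustration.

```python
import re

# Constructed sample: the "Attempted credentials" part of the report above, shortened.
SAMPLE = (
    "DefaultAzureCredential failed to retrieve a token from the included credentials.\n"
    "Attempted credentials:\n"
    "EnvironmentCredential: EnvironmentCredential authentication unavailable. "
    "Environment variables are not fully configured.\n"
    "ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, "
    "no response from the IMDS endpoint.\n"
    "SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) "
    "AADSTS700082: The refresh token has expired due to inactivity.\n"
    "Trace ID: 1eb1bf61-9e2c-424a-be16-f287ee201300\n"
)

# DefaultAzureCredential keyword arguments that remove a credential from the chain.
EXCLUDE_FLAG = {
    "EnvironmentCredential": "exclude_environment_credential",
    "ManagedIdentityCredential": "exclude_managed_identity_credential",
    "SharedTokenCacheCredential": "exclude_shared_token_cache_credential",
    "VisualStudioCodeCredential": "exclude_visual_studio_code_credential",
    "AzureCliCredential": "exclude_cli_credential",
}

ENTRY = re.compile(r"^(\w+Credential): (.*)$")
AADSTS = re.compile(r"AADSTS\d+")


def parse_attempts(message):
    """Return (credential, status, aadsts_code) tuples in the order they were tried."""
    attempts = []
    for line in message.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue  # header line, Trace ID, traceback frames, ...
        name, detail = match.groups()
        # "unavailable" means not configured; anything else is a real auth failure.
        status = "unavailable" if "authentication unavailable" in detail else "failed"
        code = AADSTS.search(detail)
        attempts.append((name, status, code.group(0) if code else None))
    return attempts


def find_blocker(message):
    """First credential that was configured but failed, with the flag that skips it."""
    for name, status, code in parse_attempts(message):
        if status == "failed":
            return {"credential": name, "aadsts": code,
                    "exclude_flag": EXCLUDE_FLAG.get(name)}
    return None


if __name__ == "__main__":
    print(find_blocker(SAMPLE))
```

Passing the reported keyword as `True` to `DefaultAzureCredential(...)` is the change the reply above describes.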
Hi @renardeinside, since you haven’t asked that we “/unresolve” the issue, we’ll close this out. If you believe further discussion is needed, please add a comment “/unresolve” to reopen the issue.