Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

GraphRbacManagementClient thows signed_session error when trying to lookup service principals

See original GitHub issue

I am unable to lookup service principal names using a GraphRbacManagementClient. if I try to use AzureCliCredential(), I get an error: AttributeError: 'AzureCliCredential' object has no attribute 'signed_session'

If I try to use DefaultAzureCredential(), i get: AttributeError: 'DefaultAzureCredential' object has no attribute 'signed_session'

If I use the CredentialWrapper() workaround I found in closed issues, I get the error: GraphErrorException: Access Token missing or malformed.

I’m running the following packages and versions:

Package                                    version
adal                                             1.2.7
azure-common                               1.1.28
azure-core                                      1.24.0
azure-graphrbac                            0.61.1
azure-identity                                 1.10.0
azure-mgmt-authorization           2.0.0
azure-mgmt-consumption           9.0.0
azure-mgmt-core                         1.3.0
azure-mgmt-resource                  21.1.0
azure-mgmt-subscription           3.0.0
msal                                               1.17.0
msal-extensions                           1.0.0
msrest                                           0.6.21
msrestazure                                 0.6.4

Other closed issued like this have indicated I need to create a new issue to get this resolved. Thanks!

Issue Analytics

State:
Created a year ago
Reactions:1
Comments:9 (3 by maintainers)

Top GitHub Comments

1reaction

yndencommented, Aug 20, 2022

It seems that ‘azure-graphrbac’ is still incompatible with azure-identity (ref. https://github.com/Azure/azure-sdk-for-python/issues/9432#issuecomment-1127951202).

In other words, GraphRbacManagementClient can’t work yet with a credential created through azure-identity, hence the error: AttributeError: 'xxxCredential' object has no attribute 'signed_session'

As you mentioned, the workaround is to use a wrapper (ref. here) around a credential created with azure-identity. However it results in the following error when you execute it: GraphErrorException: Access Token missing or malformed.

To solve that problem you need to change the resource_id parameter from https://management.azure.com/.default to https://graph.windows.net/.default.

Full example

If you need to work with the azure-graphrbac library, follow the steps below:

Create a new file called auth_wrapper.py
Copy the content from here to auth_wrapper.py
Change the resource_id property as mentioned above

How to call it from your code?

creds = DefaultAzureCredential() # or any credential constructor from azure-identity library
wrap_creds = AzureIdentityCredentialAdapter(creds) # your newly created class from auth_wrapper.py
rbac_client = GraphRbacManagementClient(wrap_creds, "<tenant_id>")

0reactions

lmazuelcommented, Oct 18, 2022

azure-graphrbac is about Azure AD Graph API, which is now deprecated. We do not support SDK fixes to this product anymore. Please refer to this issue for additional way to get support to move to Microsoft Graph API: https://github.com/azure-deprecation/dashboard/issues/60

MS Graph is not an Azure product, so we can’t help you on this repo unfortunately, but I would suggest you look into the “microsoftgraph” org on Github, starting here: https://github.com/microsoftgraph/msgraph-sdk-python-core

Note that the MSGraph SDK does support azure-identity