
Test all azure-identity credentials for injection of "tenant_id"

See original GitHub issue

March will be the GA of the new KeyVault SDK that uses the tenant_id kwarg of get_token. In all circumstances, KV will inject that kwarg.

Today, azure-identity is not ready for this change. For instance, it doesn’t work for ManagedIdentity :

>>> from azure.identity import ManagedIdentityCredential
>>> from azure.keyvault.secrets import SecretClient
>>> credential = ManagedIdentityCredential()
>>> client = SecretClient("https://mcpatino-kv.vault.azure.net", credential)
>>> client.get_secret("rsa-key")
CloudShellCredential.get_token failed: request() got an unexpected keyword argument 'tenant_id'
ManagedIdentityCredential.get_token failed: request() got an unexpected keyword argument 'tenant_id'
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/tracing/decorator.py", line 83, in wrapper_use_tracer
return func(*args, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/keyvault/secrets/_client.py", line 73, in get_secret
**kwargs
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/keyvault/secrets/_generated/_operations_mixin.py", line 1525, in get_secret
return mixin_instance.get_secret(vault_base_url, secret_name, secret_version, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/keyvault/secrets/_generated/v7_3_preview/operations/_key_vault_client_operations.py", line 286, in get_secret
pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 211, in run
return first_node.send(pipeline_request) # type: ignore
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
[Previous line repeated 2 more times]
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/policies/_redirect.py", line 158, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/policies/_retry.py", line 445, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/policies/_authentication.py", line 128, in send
request_authorized = self.on_challenge(request, response)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 102, in on_challenge
self.authorize_request(request, scope, tenant_id=challenge.tenant_id)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/policies/_authentication.py", line 107, in authorize_request
self._token = self._credential.get_token(*scopes, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/identity/_internal/decorators.py", line 30, in wrapper
token = fn(*args, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/identity/_credentials/managed_identity.py", line 119, in get_token
return self._credential.get_token(*scopes, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/identity/_internal/managed_identity_base.py", line 52, in get_token
return super(ManagedIdentityBase, self).get_token(*scopes, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/identity/_internal/get_token_mixin.py", line 76, in get_token
token = self._request_token(*scopes, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/identity/_internal/managed_identity_base.py", line 62, in _request_token
return cast(ManagedIdentityClient, self._client).request_token(*scopes, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/identity/_internal/managed_identity_client.py", line 123, in request_token
response = self._pipeline.run(request, retry_on_methods=[request.method], **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 211, in run
return first_node.send(pipeline_request) # type: ignore
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
[Previous line repeated 1 more time]
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/policies/_retry.py", line 445, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
[Previous line repeated 1 more time]
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 103, in send
self._sender.send(request.http_request, **request.context.options),
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/transport/_requests_basic.py", line 337, in send
**kwargs)
TypeError: request() got an unexpected keyword argument 'tenant_id'

For March, we need unit tests and live tests that all credentials shipped as part of the azure-identity packages support injection of tenant_id. If tenant_id is not a concept for that credential's implementation, it should be ignored (do NOT raise with something like ValueError("tenant_id is not a supported kwarg"), since it would make this credential incompatible with KV at all times.)

cc @joshfree @schaabs
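As an added illustration (not code from the issue or from azure-identity), the snippet below reproduces the failure mode in the traceback with constructed stand-ins and shows the compatibility check the issue asks for: a transport that rejects unknown kwargs, a credential that blindly forwards **kwargs, a credential that ignores tenant_id, and a loop that reports which credential classes survive the challenge policy's tenant_id injection. All names are hypothetical.

```python
from typing import Any, Dict, Iterable, Type


def transport_request(method: str, url: str, **options: Any) -> Dict[str, Any]:
    """Constructed stand-in for requests' request(): it only knows a few
    transport options, so an unknown kwarg raises TypeError just like
    the last frame of the traceback above."""
    allowed = {"headers", "timeout", "stream"}
    unknown = set(options) - allowed
    if unknown:
        raise TypeError(
            "request() got an unexpected keyword argument %r" % sorted(unknown)[0]
        )
    return {"method": method, "url": url, "options": options}


class BrokenCredential:
    """Forwards every get_token kwarg down to the transport (the bug)."""

    def get_token(self, *scopes: str, **kwargs: Any) -> str:
        transport_request("GET", "http://imds.constructed/token", **kwargs)
        return "token-for-" + ",".join(scopes)


class FixedCredential:
    """tenant_id is not a concept for this credential, so it is accepted
    and dropped rather than forwarded or rejected with ValueError."""

    def get_token(self, *scopes: str, **kwargs: Any) -> str:
        kwargs.pop("tenant_id", None)
        transport_request("GET", "http://imds.constructed/token", **kwargs)
        return "token-for-" + ",".join(scopes)


def simulate_challenge_auth(credential: Any, scope: str, tenant: str) -> str:
    """Mimics the Key Vault challenge policy: it re-authorises with the
    tenant taken from the WWW-Authenticate challenge."""
    return credential.get_token(scope, tenant_id=tenant)


def check_tenant_id_injection(classes: Iterable[Type[Any]]) -> Dict[str, bool]:
    """Maps each credential class name to whether it tolerates tenant_id;
    a unit test over every shipped credential would assert all True."""
    results: Dict[str, bool] = {}
    for cls in classes:
        try:
            simulate_challenge_auth(cls(), "https://vault.azure.net/.default", "tenant-x")
            results[cls.__name__] = True
        except TypeError:
            results[cls.__name__] = False
    return results
```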

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Comments: 8 (8 by maintainers)

Top GitHub Comments

1 reaction
sadasant commented, Feb 22, 2022

~JavaScript has also been supporting this for a while 🙂~ I was mistaken!

1 reaction
heaths commented, Feb 22, 2022

.NET has supported passing the tenant ID from the challenge for several months now without issue. To my knowledge, no other language has mentioned any problems but may not be getting as much coverage. Multi-tenant auth support shipped in Azure.Identity 1.5.0 for .NET.

What specifically is the concern here w.r.t. other languages?
