There is a problem with token generation via "ClientSecretCredential".
I am trying to authenticate using the service principal method. In the past, you could access resources using the "ClientSecretCredential" method. However, currently the token generated with "ClientSecretCredential" doesn't seem to have permission to access the resource.
Access tokens obtained via interactive authentication with “InteractiveBrowserCredential” work without any issues. On the other hand, there seems to be a problem with tokens generated via the app’s client secret.
When I try to get subscription information, it returns an empty value like this: `{ "value": [], "count": { "type": "Total", "value": 0 } }`
Here is my code:
```python
import os

from azure.identity import ClientSecretCredential
from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.mgmt.resource.subscriptions import SubscriptionClient

# Assumed for runnability: the app registration's ids and secret, and the target
# subscription, are read from the environment (the post did not show where they came from).
tenant_id = os.environ["AZURE_TENANT_ID"]
client_id = os.environ["AZURE_CLIENT_ID"]
client_secret = os.environ["AZURE_CLIENT_SECRET"]
subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]


def main():
    # Authenticates as the app's service principal, not as a user
    credentials = ClientSecretCredential(
        tenant_id=tenant_id,
        client_id=client_id,
        client_secret=client_secret,
    )

    # List subscriptions (the client construction was missing from the posted code)
    subscription_client = SubscriptionClient(credentials)
    page_result = subscription_client.subscriptions.list()
    result = [item for item in page_result]
    for item in result:
        print(item.subscription_id)
        print(item.tags)

    # List key vaults in the subscription (management plane, needs Microsoft.KeyVault/vaults/read)
    keyvault_client = KeyVaultManagementClient(credentials, subscription_id)
    for vault in keyvault_client.vaults.list_by_subscription():
        print(vault)


if __name__ == "__main__":
    main()
```
When I try to get keyvault information, I get the following error:
```
azure.core.exceptions.HttpResponseError: (AuthorizationFailed) The client '***' with object id '***' does not have authorization to perform action 'Microsoft.KeyVault/vaults/read' over scope '/subscriptions/***' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client '***' with object id '***' does not have authorization to perform action 'Microsoft.KeyVault/vaults/read' over scope '/subscriptions/***' or the scope is invalid. If access was recently granted, please refresh your credentials.
```
Am I missing something?
Until recently I was able to access all information without problems using “ClientSecretCredential”. Is there a way to get a user auth token non-interactively without opening a browser? (“UsernamePasswordCredential” exists, but cannot be used if MFA is enabled for your account.)
I need help.
@mccoyp Subscription -> Access control (IAM) -> Role assignments. It was done by granting permission to the subject. It helped a lot, thank you.
Hi @anotherancientalien, you need the `Microsoft.KeyVault/vaults/read` permission over your subscription. Below is a screenshot showing the permission as it appears in the "Access Control (IAM)" window of the subscription page.
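The thread's root cause is worth making concrete: `ClientSecretCredential` authenticates the app's service principal, which is a different security principal from the user who signs in through `InteractiveBrowserCredential`, so it has its own Azure RBAC role assignments. A valid token with no assignment at or above the subscription gets an empty `subscriptions.list()` and `AuthorizationFailed` on `vaults/read`, exactly as reported. The following model of RBAC evaluation is an added example, not code from this issue or from the Azure SDK. It assumes constructed object ids, a placeholder subscription `sub-1`, and a deliberately reduced subset of the built-in `Reader` and `Key Vault Reader` role definitions (the real roles list more actions); the helper names `is_authorized`, `scope_covers` and `visible_subscriptions` are the example's own.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class RoleDefinition:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str  # object id of the user or of the app's service principal
    role: str
    scope: str         # management group, subscription, resource group or resource


# Constructed, simplified subset of two built-in roles; the real definitions list more actions.
ROLES = {
    "Reader": RoleDefinition("Reader", ["*/read"]),
    "Key Vault Reader": RoleDefinition("Key Vault Reader", ["Microsoft.KeyVault/*/read"]),
}

SUB = "/subscriptions/sub-1"  # placeholder subscription id
VAULT = SUB + "/resourceGroups/rg-a/providers/Microsoft.KeyVault/vaults/kv-1"


def action_matches(pattern: str, action: str) -> bool:
    """RBAC action strings compare case-insensitively; '*' may span '/' separators."""
    return fnmatchcase(action.lower(), pattern.lower())


def scope_covers(assigned: str, requested: str) -> bool:
    """An assignment applies at its own scope and at every scope nested beneath it."""
    a, r = assigned.rstrip("/").lower(), requested.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def is_authorized(assignments, principal_id, action, scope, roles=ROLES) -> bool:
    """True if some assignment for this principal covers the scope and its role permits the action."""
    for ra in assignments:
        if ra.principal_id != principal_id or not scope_covers(ra.scope, scope):
            continue
        role = roles[ra.role]
        allowed = any(action_matches(p, action) for p in role.actions)
        denied = any(action_matches(p, action) for p in role.not_actions)
        if allowed and not denied:
            return True
    return False


def visible_subscriptions(assignments, principal_id, subscription_ids):
    """subscriptions.list() returns only subscriptions where the caller holds a role assignment
    at or above the subscription; simplified here to 'any assignment covering it'."""
    return [s for s in subscription_ids
            if any(a.principal_id == principal_id and scope_covers(a.scope, f"/subscriptions/{s}")
                   for a in assignments)]


def explain(assignments, principal_id, action, scope) -> str:
    """Render the decision in the shape of the error message from the issue."""
    if is_authorized(assignments, principal_id, action, scope):
        return "allowed"
    return f"AuthorizationFailed: {principal_id} lacks '{action}' over scope '{scope}'"


# Constructed scenario: the interactive user has Reader on the subscription; the app's
# service principal (a different object id) has no assignment at all.
USER, SP = "user-obj-id", "sp-obj-id"
BEFORE = [RoleAssignment(USER, "Reader", SUB)]
# The fix from the thread: a role assignment for the service principal at subscription scope.
AFTER = BEFORE + [RoleAssignment(SP, "Key Vault Reader", SUB)]
# A resource-group-scoped assignment covers vaults in that group but not the subscription scope.
RG_ONLY = BEFORE + [RoleAssignment(SP, "Key Vault Reader", SUB + "/resourceGroups/rg-a")]

if __name__ == "__main__":
    act = "Microsoft.KeyVault/vaults/read"
    print(visible_subscriptions(BEFORE, SP, ["sub-1"]))  # the empty list the reporter saw
    print(explain(BEFORE, SP, act, SUB))
    print(explain(AFTER, SP, act, SUB))
    print(explain(RG_ONLY, SP, act, VAULT), "|", explain(RG_ONLY, SP, act, SUB))
```

In a real tenant the equivalent of `AFTER` is `az role assignment create --assignee <app-id-or-object-id> --role "Key Vault Reader" --scope /subscriptions/<subscription-id>`, and `az role assignment list --assignee <app-id> --scope /subscriptions/<subscription-id>` shows what is currently granted; check that the object id in the error message is the service principal you assigned to, since the app registration and its service principal have different ids. `Key Vault Reader` is narrower than `Reader` and is enough for `vaults.list_by_subscription()`; both are management-plane roles, so reading secrets inside a vault still needs separate data-plane access. Tokens are issued before the assignment is checked, so a freshly granted role only takes effect on the next token, which is what the "refresh your credentials" hint in the error refers to.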