Unable to authenticate to Azure GraphRBAC using DefaultAzureCredential OR CredentialWrapper
- Package Name: azure-graphrbac
- Package Version: 0.61.1
- Operating System: Mac OS 10.14.6
- Python Version: Python 3.7.6
Describe the bug
We are unable to use the DefaultAzureCredential OR the CredentialWrapper class (cred_wrapper.py) to authenticate the graphrbac client to create an App, Service Principal, and secret key.
NOTE: I am able to get the API to work if I use UserPassCredentials instead.
To Reproduce
Steps to reproduce the behavior:
- Log into azure using the azure cli locally.
- Run python, import azure-graphrbac, and then use DefaultAzureCredential or the CredentialWrapper class (cred_wrapper.py) to create a credential object with the currently-logged-in-user credentials.
- These credentials are valid to do other azure operations (for example creating a Blob storage container), but when used with graphrbac to create an App, it prints the following error:
azure.graphrbac.models.graph_error_py3.GraphErrorException: Access Token missing or malformed.
Expected behavior
I expect the DefaultAzureCredential or the CredentialWrapper class (cred_wrapper.py) to return credentials that are valid for graphrbac.
Additional context
In addition, this entire Python API is (admittedly newly) legacy and is being deprecated in favor of the Microsoft Graph API here https://docs.microsoft.com/en-us/graph/api/application-post-applications . However there does not seem to be a Python API client that allows us to use this new API yet…
Issue Analytics
- State:
- Created 3 years ago
- Reactions:2
- Comments:11 (5 by maintainers)
Thanks @lmazeul for the response! Within the time we posted and the time of the response, there were many things we managed to figure out on our own (the resource_id, role definition PUT, etc…). However we believe there are still some key features missing from the Azure Python API that would have been very beneficial to our development process - specifically the following:
- A python client that can generate a client secret - instead of going directly to an HTTP request
- A python client for adding api permissions - instead of going directly to an HTTP request
- A python client to create an sp/app using the modern API - we were only able to create it using GraphRbacManagementClient which uses the legacy API
- Getting the tenant id of a logged in user (we currently shell out to az account show in python and parse the response)
Thanks for the clarification @srusun !
Microsoft Graph SDK is under development, I don’t have a timeline yet (it’s actually not our team, since it’s not Azure specific). The best repo is indeed so far https://github.com/microsoftgraph/msgraph-sdk-python-core
For #15971 , I realized I misguided you, I was thinking you need that in azure-graphrbac, but you need that from the Microsoft Graph and we don’t have it here. You might want to create your issue at https://github.com/microsoftgraph/msgraph-sdk-python-core instead.
I’m keeping this issue open as a placeholder of the question: should we re-release a version of azure-graphrbac that supports azure-identity, knowing that the endpoint is about to be deprecated finally and Microsoft Graph SDK is coming.
https://developer.microsoft.com/en-us/office/blogs/microsoft-graph-or-azure-ad-graph/