Answer a question

Azure ChainedTokenCredential fails for local development after password change. I've been using ChainedTokenCredential for several weeks to authenticate using ManagedIdentityCredential in Azure and DefaultAzureCredential for local testing of my Function App. Everything was working as exected. Here is a code example that was working and still works in Azure but not locally.

def get_client():

    MSI_credential = ManagedIdentityCredential()
    default_credential = DefaultAzureCredential()
    credential_chain = ChainedTokenCredential(MSI_credential, default_credential)

    storageurl = os.environ["STORAGE_ACCOUNT"]

    client = BlobServiceClient(storageurl, credential=credential_chain)
    return client

Last week I had to change my password and since then I get the following error.

[2021-04-19T15:18:06.931Z] SharedTokenCacheCredential.get_token failed: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:06.963Z] Trace ID: xxx
[2021-04-19T15:18:06.972Z] Correlation ID: xxx
[2021-04-19T15:18:06.974Z] Timestamp: 2021-04-19 15:17:46Z'
[2021-04-19T15:18:06.977Z] DefaultAzureCredential.get_token failed: SharedTokenCacheCredential raised unexpected error "Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.014Z] Trace ID: xxx
[2021-04-19T15:18:07.040Z] Correlation ID: 
[2021-04-19T15:18:07.046Z] Timestamp: 2021-04-19 15:17:46Z'"
[2021-04-19T15:18:07.061Z] DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.094Z] Trace ID: xxx
[2021-04-19T15:18:07.097Z] Correlation xxx
[2021-04-19T15:18:07.108Z] Timestamp: 2021-04-19 15:17:46Z'
[2021-04-19T15:18:07.111Z] ChainedTokenCredential.get_token failed: DefaultAzureCredential raised unexpected error "DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.147Z] Trace ID: xxx
[2021-04-19T15:18:07.181Z] Correlation ID: xxx
[2021-04-19T15:18:07.195Z] Timestamp: 2021-04-19 15:17:46Z'"
[2021-04-19T15:18:07.201Z] ChainedTokenCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        DefaultAzureCredential: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.241Z] Trace ID: xxx
[2021-04-19T15:18:07.264Z] Correlation ID: xxx
[2021-04-19T15:18:07.303Z] Timestamp: 2021-04-19 15:17:46Z'

Things I've tried to resolve the issue:

  1. Signing in and out of VSCode Azure Extension
  2. Signing in and out of az cli
  3. az account clear
  4. Clearing browser cache.
  5. Restarting PC and VSCode.
  6. Clearing VSCode Cache
    • C:\Users\<user>\AppData\Roaming\Code\Cache
    • C:\Users\<user>\AppData\Roaming\Code\CacheData

I am using the Azure Extension 'Attach to Python Functions' to run the debugger. I am uncertain of how DefaultAzureCredential is obtaining my credentials. I believe it is stored locally because I get the same error when running the debugger while not signed into the Azure extension. I thought DefaultAzureCredential would use my Azure Extension sign in as me to authenticate but I am uncertain.

Any help would be appreciated!

Answers

The issue was resolve by using @Charles Lowell's solution. I was having trouble finding the file due to using fzf.exe (fuzzy finding tool) and it does not look in hidden folders by default. Removing C:\Users\<user>\AppData\Local\.IdentityService\msal.cache worked.

An alternative I found was using VisualStudioCodeCredential() instead of DefaultAzureCredential(). This uses the vscode extension to authenticate. I prefer this method but not all developers use VSCode. I'm glad to get DefaultAzureCredential working.

def get_client():

    MSI_credential = ManagedIdentityCredential()
    vscode_credential = VisualStudioCodeCredential()
    credential_chain = ChainedTokenCredential(MSI_credential, vscode_credential)

More information on DefaultAzureCredential() can be found here.

Thanks to all!

# python # azure
Logo
开发云

开发云社区提供前沿行业资讯和优质的学习知识,同时提供优质稳定、价格优惠的云主机、数据库、网络、云储存等云服务产品

更多推荐

负载均衡/路由一个使用socketio和flask制作的应用

问题:负载均衡/路由一个使用socketio和flask制作的应用 在部署 Web 应用程序方面,我有点菜鸟,我想确保我正在构建的一个小应用程序能够与我正在尝试使用的技术一起使用。 我对烧瓶有一些经验,但只使用过测试服务器。我的理解是,使用 nginx 或 apache,如果我编写一个烧瓶应用程序,每个访问我的网站的用户都可以获得一个烧瓶应用程序的不同实例,具体如何工作让我有点困惑。 我想做的应用

avatar 开发云

Nginx 重写规则没有按预期工作

问题:Nginx 重写规则没有按预期工作 我有一个网站https://dev.mywebsite.com/index.php?album=portraits,它根据 POST 值动态显示相册。 我想将此 URL 重写为:https://dev.mywebsite.com/portraits 但是我的 Nginx 重写规则不起作用。当我输入https://dev.mywebsite.com/inde

avatar 开发云

MySQL远程时缓存如何工作?

问题:MySQL远程时缓存如何工作? 我一直在使用 PHP 5.6 进行旧电子商务应用程序的服务器迁移。 切换涉及来自 Linode 的两台 Dedicated 32 服务器。 一台服务器用于 NginX + PHP,另一台仅用于 MySQL。 遗留应用程序利用 memcached。 切换后,我可以看到由于私有入站和出站连接导致的大量内部流量。 到目前为止,这个元素没有对性能造成任何问题。 但是,

avatar 开发云