DefaultAzureCredential fails when multiple accounts are available and defaulting to SharedTokenCacheCredential #8658
Comments
triage-new-issues
bot
added
the
needs-triage
|
cc @schaabs |
pakrym
added
Azure.Identity
Client
triage-new-issues
bot
removed
the
needs-triage
|
@twsouthwick Thanks for reporting this issue. It seems that the error message you're getting here is a pretty confusing. The So I believe in this case As to your second point. We are working to get parity with |
|
That makes sense. Let me know if there's any debugging I can do on my side |
|
Can you enable Break on all exceptions (https://docs.microsoft.com/en-us/visualstudio/debugger/managing-exceptions-with-the-debugger?view=vs-2019) are copy the exception details for the exception that gets thrown in |
|
Ok, when I do this, I get the following: This occurs a number of times it seems. I had to click "don't break on this" to be able to get through it. |
|
Our team is also suffering from what I think is this problem, although a somewhat different call stack. |
|
Had exactly the same issue as well when I logged into VS with 2 accounts (though I selected only 1 account for Azure default credentials). Please fix it! |
|
@tuanle07 Please make sure that the only remaining account has not been invited in another tenant(s). If this is the case, in the VS Account UI, untick all tenants except the one that you're interested in. |
Where do you see the list of tenants in the VS Account Settings UI? I can only see a list of logged in accounts and ability to remove them. 🤔 |
|
In the account window, click on the
If you don't have this option, your account may not be invited in other tenants, and as such, my solution does not apply to your case... |
I’m using VS Professional version so not sure if that matters but I don’t see the |
|
Also getting the error while having multiple accounts in VS: |
I am getting the same error. Tried clearing the '%LOCALAPPDATA%/.IdentityService' cache and logged back into VS with just one account. Below is what I see
Happy to provide any other details |
|
Update to my issue above I created new user in Azure AD and used that to log in. This user is separate from that I used to create/login to the Azure Subscription. It works fine with the new user. FWIW, I have written out the different options I used to get DefaultAzureCredential work on my local machine here |
|
I solved this problem by just setting the environment variable named "AZURE_USERNAME" = [your azure account email id] that you want to use for the authentication in development mode. How to Setup Environment Variable? for (Window 10) |
|
I'm running in Visual Studio Code and am just authenticated via the command line using Please fix! This unnecessarily complicates the local development environment. |
|
Hi @MikePennington , When client is authenticated using Azure CLI, its account is extracted using Azure CLI Do you have an issue that |
|
@AlexanderSher, |
|
@MikePennington what version of Azure.Identity are you currently using? Support for authentication through the Azure CLI was only recently added in 1.2.0-preview.1 and we have yet to GA this feature. Based off the error message you shared it seems that you're using an older version which doesn't have this support. |
|
@schaabs, thanks for the info, I was using the latest non-preview release, 1.1.1. I tried the 1.2.0-preview.2, and it failed with the following error: So then I reverted to 1.2.0-preview.1, and it worked! So it seems like something seems to have gone sideways between 1.2.0-preview.1 and 1.2.0-preview.2. |
|
@MikePennington , can you please add a call stack from the bug that you have on |
|
|
Thanks @MikePennington, #11575 |
|
Thanks, using Azure.Identity 1.2.0-preview.1, and it worked |
|
I was experiencing the same issues. Moved to Azure.Identity 1.2.0-preview.3 and everything works fine debugging from Visual Studio with multiple accounts and an account selected in Azure Service Authentication |
|
I am experiencing authentication issues with multiple accounts even when using 1.2.0-preview.3 I have two different accounts added to Visual Studio, but the same account is always used regardless of which account is selected in Azure Service Authentication or defined in AZURE_USERNAME. Logging out all accounts and only adding the desired account resolves the problem. The problematic account is also the account that is logged into windows so it seems like it prioritize that first. |
|
Experience similar issues authenticating to azure app configuration using "MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details.You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS70002: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908." I've tried both the latest stable and preview versions of Azure.Identity. I'm authenticated via both visual studio and az cli, only authenticated to a single azure subscription. My user has data reader access to azure app configuration and also access to the keyvault connected. Same code works if I replace |
|
@alhardy, can you please post a full call stack? |
|
I'm having exactly the same issue as alhardy. Not sure what is going wrong. |
|
Thank @MarkAtAgilliance for mentioning the AZURE_USERNAME. Resolved my issue by checking that variable. I had tried to resolve my issue previously by setting my username through the AZURE_USERNAME variable. However, in my haste, I had written my email with a different domain than the subscriptions i was targeting. Updating the username to correct domain, or removing the environment entirely, resolved my issue. |
@Rolorob : Were you able to resolve this issue? I am seeing similar stack trace and unable to proceed forward. Thanks. |
Hi @spmanjunath , I was unable to resolve this. I worked around this issue by using a different way to connect to the Key Vault: https://docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-3.1 This worked instantly, you will need list permissions on secrets obviously, and it will retrieve ALL secrets and not only the ones requested. But at least it was working as expected... |
|
Tried If |
|
In my case, my |
|
assume you mean AZURE_USERNAME not AZURE_NAME. |
|
There are several issues that are currently being tracked in here. In order to allow us to make progress, we are closing this issue as we believe the original issue has been addressed. Anyone who has replied with related issue they feel still hasn't been addressed, please open a new issue so we can address it specifically. |
|
Hi all, |
I was facing the same issue when using "Azure.Identity" Version="1.2.3". Downgrading the version to "Azure.Identity" Version="1.2.0" solves the problem for me. Thanks!! |
|
With inspiration from @xperiandri... what solved the issue for me was to configure AZURE_USERNAME and AZURE_TENANT_ID in VS2019 enterprise. Above there has been some discussions which version to use of the Azure.Identity library. For me this is working with version 1.3.0 (Latest stable version at the time of writing) I didn't have to configure the DefaultAzureCredentialOptions - I just used the default constructor - DefaultAzureCredential() My method that caused all the trouble - but now working well both locally and being deployed to azure: |
This worked for me. |
|
I faced problems with I was able to over come this problem with a different type of Credential: String keyVaultUri = "https://<YOUR_KEY_VAULT>.vault.azure.net/";
TokenCredential clientSecretCredential = new ClientSecretCredentialBuilder()
.clientSecret("<YOUR_CLIENT_SECRET>")
.clientId("<YOUR_CLIENT_ID>")
.tenantId("<YOUR_TENANT_ID>")
.build();
SecretClient secretClient = new SecretClientBuilder()
.vaultUrl(keyVaultUri)
.credential(clientSecretCredential)
.buildClient();
...
// do what you wantpom.xml <dependency>
<groupId>com.azure</groupId>
<artifactId>azure-security-keyvault-secrets</artifactId>
<version>4.2.7</version>
</dependency>
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-identity</artifactId>
<version>1.2.5</version>
</dependency> |
and others
Describe the bug
I am using v1.0 of
Azure.Identityon both .NET Framework and .NET Core and am attempting to connect to a blob container viaDefaultAzureCredential:I am logged into Visual Studio with two accounts. When I run this, I get the following:
At this, point, I attempt to set
AZURE_USERNAME. This fails with the following:It appears that when multiple accounts are available, SharedTokenCacheCredential expected
AZURE_USERNAMEto disambiguate. However, sinceEnvironmentCredentialruns first, it reports an error.How can I use
DefaultCredentialwhen using multiple accounts in VS? I would expectedTools->Options->Azure Service Authentication->Account Selectionin VS would be honored but it does not seem to be (which works withMicrosoft.Azure.Services.AppAuthentication.The text was updated successfully, but these errors were encountered: