Is it possible to use my developer credentials as Managed Identity locally in Visual Studio Code?

[silvermoong]

I have an Azure Function App which uses its Managed Identity to access Key Vault. It works on Azure.

When developing locally, is it possible to use my developer credentials as the Managed Identity in Visual Studio Code?

I know for C# and Visual Studio, there is an option: Azure Service Authentication -> Account Selection.
https://docs.microsoft.com/en-us/azure/key-vault/service-to-service-authentication#authenticating-to-azure-services

Sample code and exception:

credentials = DefaultAzureCredential()
key_vault_uri = "https://yihongkv.vault.azure.net/"
secret_client = SecretClient(
key_vault_uri, # Your KeyVault URL
credentials
)
secret = secret_client.get_secret("key2")

---

azure.core.exceptions.ClientAuthenticationError: No valid token received. EnvironmentCredential: Incomplete environment configuration.. ImdsCredential: IMDS endpoint unavailable. SharedTokenCacheCredential: No cached
token found for '[email protected]'

[lmazuel]

@schaabs @chlowell

[jongio]

@silvermoong

DefaultAzureCredential is a ChainedTokenCredential that first looks for an EnvironmentCredential via env var settings, then Managed Identity, then SharedTokenCacheCredential (which only supports vs2019 sign-in today).

See the docs here: https://docs.microsoft.com/en-us/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python

And let me know if you have any issues.

[carlosotgz]

@jongio hi, I would just like to mention that I'm facing the same issue. Although it's possible to create a Service Principal and set its details as environment variables to let the DefaultAzureCredential method see them, it introduces the inconvenience of having to create these Service Principals just for this, and having to deal with the corresponding secrets/certificates carefully. It would be really convenient to just authenticate using az, and then make DefaultAzureCredential leverage this (I know you could "steal" tokens using the az command, but at least there is only one thing to worry about :) )

As the OP mentioned, this seems to be a feature already present in C# SDK and Visual Studio, but not in Python SDK and VS Code.

This seems to be a duplicate of issue #8566 and seemed to be about to be released but don't know what happened :(

[jongio]

If all goes well this week, we'll have a preview out soon. I"ll flag this thread to post more info when we have it.

[jongio]

A preview of DefaultAzureCredential with Az Cli credential support was released yesterday: https://pypi.org/project/azure-identity/1.4.0b1/

Please try it out and provide feedback. Thanks, Jon

[davidobrien1985]

Does this work with from azure.mgmt.storage import StorageManagementClient?
Doesn't seem like the storage library likes these sorts of credentials.

Any ideas to get this working? It's quite a lot of overhead to push my function to Azure for every small change that I want to test.

[jongio]

@davidobrien1985 - Azure.Identity support is coming to Management Plane soon. In the meantime, I created an adapter for DefaultAzureCredential called DefaultAzureMgmtCredential, which you can find here: https://github.com/jongio/azidext Please give it a try and let me know if you run into any issues.

[davidobrien1985]

@jongio thanks (pinged you on Teams as well)

@anthonychu actually helped me with this and I got it working following his example here: https://github.com/anthonychu/python-azure-resources-msi/blob/master/ListResourceGroups/__init__.py

[kevroes]

@jongio I've tried the preview of DefaultAzureCredential with Az Cli credential support, but DefaultAzureCredential doesn't seem to recognize my login, I'm currently logged in into the azure subscription as a contributor (the object storage service is within the same subscription). Here is the codesnippet I use:

import os
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

account_name = os.getenv('AZURE_STORAGE_ACCOUNT_NAME')
container_name = os.getenv('AZURE_CONTAINER_NAME')

my_storage_account_url = "https://{}.blob.core.windows.net/".format(account_name)

credential = DefaultAzureCredential()
blob_service_client = BlobServiceClient(account_url=my_storage_account_url,
        credential=credential)
blob_name = "myfile.jpg"
file_stream = open("myfile.jpg", "rb")
blob_client = blob_service_client.get_blob_client(container=container_name, blob=blob_name)
blob_client.upload_blob(file_stream)

Here is the error I get:

azure.core.exceptions.ClientAuthenticationError:
No credential in this chain provided a token.
Attempted credentials:
        EnvironmentCredential: Incomplete environment configuration. See https://aka.ms/python-sdk-identity#environment-variables for expected environment variables
        ManagedIdentityCredential: IMDS endpoint unavailable
        SharedTokenCacheCredential: The shared cache contains no signed-in accounts. To authenticate with SharedTokenCacheCredential, login
through developer tooling supporting Azure single sign on

Before running the code, i've logged in with az login successfully.
I use python 3.7.6 64-bit
SDK's:
Name: azure-identity
Version: 1.4.0b1
Name: azure-storage-blob
Version: 12.3.0

Thanks a lot!

[chlowell]

Hi @kevroes, thanks for the bug report. I've opened a new issue to track it and will fix it for the next release.

[chlowell]

In azure-identity 1.4.0b3, released today, DefaultAzureCredential can authenticate as the user signed in to Visual Studio Code (note that Python 2.7 on Linux isn't yet supported). No configuration is required, simply sign in to Visual Studio Code's Azure Account extension and use DefaultAzureCredential in your application. Please open an issue if you encounter any problems using it.

[tricosmo]

Hi @chlowell

I logged into VS Code via Azure Account plugin. No configuration/env var. this simple code below

az_cred = DefaultAzureCredential()
scope = "https://victor.appserviceenvironment.net/.default"
token = az_cred.get_token(scope)

But I got this weird error, it looks like my user name didn't pick up correctly, instead some Visual Studio Code.

VisualStudioCodeCredential.get_token failed: Azure Active Directory error '(invalid_grant) AADSTS65001: The user or administrator has not consented to use the application with ID 'aebc6443-996d-45c2-90f0-388ff96faa56' named 'Visual Studio Code'. Send an interactive authorization request for this user and resource.
Trace ID: 7c62b40f-2ffb-4f2a-99e1-8408b4d7f401
Correlation ID: f52fbb31-4173-4b97-9c3d-81e9244397f9
Timestamp: 2021-12-06 22:48:32Z'
DefaultAzureCredential.get_token failed: VisualStudioCodeCredential raised unexpected error "Azure Active Directory error '(invalid_grant) AADSTS65001: The user or administrator has not consented to use the application with ID 'aebc6443-996d-45c2-90f0-388ff96faa56' named 'Visual Studio Code'. Send an interactive authorization request for this user and resource.

I found in my VS code setting, there are two new lines.

    "azure.tenant": "c9da0d0e-f235-4e9a-b399-81e9244397a8",
    "azure.cloud": "AzureCloud"

I spent a lot of time, try to get above work but no luck. any help, thanks.

Victor