azure.identity can't be used for mgmt clients

[bmc-msft]

azure.identity.DefaultAzureCredential is an extremely useful helper, unfortunately this does not work for azure-mgmt components. It would be beneficial to have this mechanism unified.

[lmazuel]

Hi @bmc-msft
This is work in progress already, we'll release a new version of each mgmt package with identity support. I keep this issue assigned to me until then.
Thanks!

[lmazuel]

Hi @bmc-msft
This is getting closer we're still working, in the meantime I did a gist to explain how to do it:
https://gist.github.com/lmazuel/cc683d82ea1d7b40208de7c9fc8de59d

[lmazuel]

Hi @bmc-msft we improved that gist with an actual repo with more details:
https://github.com/jongio/azidext

[bmc-msft]

I appreciate the continued feedback as you make progress on this.

[dannyromans]

Hello @lmazuel I'm linking this here https://stackoverflow.com/questions/61944440/accessing-azure-storage-via-certificate-based-service-principal-credentials-azu
Thank you, will be pending.

[r3mattia]

Any updates on this?

[anthonychu]

I think this works now with azure-mgmt-resource v15 https://pypi.org/project/azure-mgmt-resource/

[SeaDude]

Does anyone know if Python azure.mgmt.datafactory's DataFactoryManagementClient() is cutover to use DefaultAzureCredential() yet? I'm not sure where to see a list of libraries that are compatible.

When I try...:

credential = DefaultAzureCredential()
adf_client = DataFactoryManagementClient(credential, subscription_id)
rg_name = 'RG_ADF_SANDBOX1'
df_name = 'df20201019test'
df_resource = Factory(location='westus')
df = adf_client.factories.create_or_update(rg_name, df_name, df_resource)

I'm getting...:
AttributeError: 'DefaultAzureCredential' object has no attribute 'signed_session'

I love using DefaultAzureCredential for Function development (KeyVault clients, BlobStorage clients, etc.). Would really like to stick with the pattern for Azure Data Factory Python dev as well.

[SeaDude]

Disregard. This was answered elsewhere. I AM curious if there is a timeline for this library to begin using DefaultAzureCredential. This year, next year, 2050?

[castaway2000]

As someone who has stuggled with adopting Azure most of my career as a result of stuff like this I am majorly disappointed in such a breaking change. But for what its worth and in the spirit of open source here is my insights.

This is still prevalent in AzureCliCredential as well. The below modules are all effected by this. Additionally the base module aio is missing aiohttp python package. These were libs were installed from latest as of today.

from azure.identity.aio import DefaultAzureCredential, AzureCliCredential
from azure.mgmt import resource, compute, network, subscription

[castaway2000]

I think this works now with azure-mgmt-resource v15 https://pypi.org/project/azure-mgmt-resource/

it does not. latest libs are still broken.

[bmc-msft]

Is there any progress on this and/or can the wrapper that @lmazuel discussed get released as a supported package?

I continue to stumble across packages that require older identity models and do not support azure.identity. The most recent is ApplicationInsightsDataClient.

There are multiple issues opened that are related to this underlying issue. It would be great to understand how this should be handled, as cut & paste of a work-around from a Microsoft employee's personal github project isn't a great path forwards. Refs: #15330, #14635, #14499, #13891, #11663, #10274, #9756.

[lmazuel]

@castaway2000 azure-identity is an effort to make all packages follow the same centralized authentication system. You will be able to log azure-storage-blob, to azure-mgmt-storage to everything with one single authentication in place. Also, we centralized the set of guidelines for all Azure (if you're curious: https://azure.github.io/azure-sdk/python_introduction.html).

This comes with a set of breaking changes indeed, and that felt to us as necessary evil to reach the level of consistency we were aiming. All this with the will and promise that it should now last for a long time.

I do confirm azure-mgmt-resource work with azure-identity starting v15, any problems with it won't fall into the root cause of this issue, please create another issue with this specific problem if you can't make it work.

We did decided to not install aiohttp by default on people's machine, since most customers didn't move to async programming yet, and we were concerned to over-install useless dependencies. It's not perfect, but solution like having a azure-mgmt-resource-aio package (where we could add the dependency) felt like an unnecessary doubling of packaging on PyPI.

It's fair to ask for the agenda of migration of mgmt packages to the new system, and I understand the ask, I'm bubbling it to people that knows it (I don't personally handle packages that starts with azure-mgmt-xxxxx)

[budaesandrei]

Any updates on this?
I am following the documentation on docs.microsoft.com and at this point they are useless

[lmazuel]

@budaesandrei Since the beginning of this issue, there is more and more packages that supports azure-identity. We're still working on a public schedule for the list of the remaining part. If there is a specific package you are looking for, please post the name here.

[bmc-msft]

@lmazuel, these are packages that I use that I believe do not yet support azure-identity:

• GraphRbacManagementClient
• ApplicationInsightsDataClient

[budaesandrei]

@lmazuel Thanks for the support. I had upgraded azure-identity but I was running my code on a kernel with a lower version

[tsotsos]

Hello!
@lmazuel is the azure.mgmt.resource now supports azure-identity?
I am especially asking for SubscriptionClient.
tx

[jbouzekri]

Tested with azure-identity==1.5.0 and azure-mgmt-resource==16.0.0, the issue is still there

Traceback (most recent call last): 
File "C:\Temp\rqyql2wh.slg\827b7600-9ae9-42da-8dac-7b401c6b18d8", line 362, in <module> with_error_clusters, processed_clusters, not_found_clusters = main(cluster_names, action, use_vmss, dry_mode, 
File "C:\Temp\rqyql2wh.slg\827b7600-9ae9-42da-8dac-7b401c6b18d8", line 254, in main resource_groups = list(resource_client.resource_groups.list()) 
File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\msrest\paging.py", line 143, in __next__ self.advance_page() 
File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\msrest\paging.py", line 129, in advance_page self._response = self._get_next(self.next_link) 
File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\mgmt\resource\resources\v2018_05_01\operations\resource_groups_operations.py", line 512, in internal_paging response = self._client.send(request, stream=False, **operation_config) 
File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\msrest\service_client.py", line 336, in send pipeline_response = self.config.pipeline.run(request, **kwargs) 
File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\msrest\pipeline\__init__.py", line 197, in run return first_node.send(pipeline_request, **kwargs) # type: ignore 
File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\msrest\pipeline\__init__.py", line 150, in send response = self.next.send(request, **kwargs) File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\msrest\pipeline\requests.py", line 65, in send self._creds.signed_session(session)AttributeError: 'ClientSecretCredential' object has no attribute 'signed_session'

My bad, I was running the script in an azure automation runbook where I did not load the correct version of the package. After importing version 16.0.0, resource client is working with ClientSecretCredential

[gilmatok]

ContainerRegistryManagementClient also does not support azure-identity.

[Dmitry1987]

Year 2050, Azure still exists (unfortunately for all), the fix is not there yet, but Azure folks look forward to fixing it soon 🤣

[pito2808]

hi,

azure.mgmt.recoveryservices doesnt work with azure-identity.

[pito2808]

sorry . azure.mgmt.recoveryservicesbackup doesnt work with azure-identity but azure.mgmt.recoveryservices seems ok.
i have to use CredentialWrapper to make recoveryServicesBackupClient works.

[lizzbazan]

Hi is there another way to workaround?

I'm trying with the object ComputeManagementClient from package azure.mgmt.compute, and using ClientSecretCredential object as a parameter but i get this error 'ClientSecretCredential' object has no attribute 'signed_session'

Please I would appreciate the help

[jbouzekri]

@lizzbazan : with ClientSecretCredential, you need to provide tenant_id, client_id and client_secret. See the documentation : https://docs.microsoft.com/en-us/python/api/azure-identity/azure.identity.clientsecretcredential?view=azure-python

These credentials can be generated with the azure cli command ad sp create-for-rbac : https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az_ad_sp_create_for_rbac

from azure.identity import ClientSecretCredential
azure_credential = ClientSecretCredential(tenant_id, client_id, client_secret)

[lizzbazan]

@jbouzekri I'm doing that but the problem is with that signed_session error, is not implemented yet i guess and not working for ComputeManagementClient, but it works for subscriptionClient

[jbouzekri]

@lizzbazan : I have used it with success with these versions of the libraries :

azure-mgmt-compute==19.0.0
azure-mgmt-resource==16.0.0
azure-identity==1.5.0

[adnartm]

Trying to use DnsManagementClient.record_sets.create_or_update results in the same "signed_session" error.

The DNS management library works fine when using a regular user's credentials but it won't work with a Service Principal.

[mmasiuk]

Hello guys,

I've occurred same problem for below packages version:
azure-identity-1.7.1
azure-graphrbac-0.61.1

AttributeError: 'AzureCliCredential' object has no attribute 'signed_session'

The same appears once using DefaultAzureCredential.
Any chance to know if there is any workaround or when azure-graphrbac will get update?
Many thanks in advance!

[ghost]

Hi @bmc-msft. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text “/unresolve” to remove the “issue-addressed” label and continue the conversation.

[ghost]

Hi @bmc-msft, since you haven’t asked that we “/unresolve” the issue, we’ll close this out. If you believe further discussion is needed, please add a comment “/unresolve” to reopen the issue.

[mmasiuk]

/unresolve

[ghost]

Hi mmasiuk, only the original author of the issue can ask that it be unresolved. Please open a new issue with your scenario and details if you would like to discuss this topic with the team.

[BC89]

This is so poor. Batch just seems abandoned.