DefaultAzureCredential Error EnvHelper()

[AthanasiosPavlou]

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Launching the Azure template

Any log messages given by the failure

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "/usr/local/lib/python3.11/site-packages/streamlit/runtime/scriptrunner/script_runner.py", line 535, in _run_script exec(code, module.dict) File "/usr/local/src/myscripts/admin/pages/04_Configuration.py", line 25, in config = ConfigHelper.get_active_config_or_default() ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/src/myscripts/utilities/helpers/ConfigHelper.py", line 66, in get_active_config_or_default config = ConfigHelper.get_default_config() ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/src/myscripts/utilities/helpers/ConfigHelper.py", line 194, in get_default_config return Config(default_config) ^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/src/myscripts/utilities/helpers/ConfigHelper.py", line 23, in init self.env_helper = EnvHelper() ^^^^^^^^^^^ File "/usr/local/src/myscripts/utilities/helpers/EnvHelper.py", line 50, in init self.OPENAI_API_KEY = DefaultAzureCredential(exclude_shared_token_cache_credential=True).get_token("https://cognitiveservices.azure.com/.default").token ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/site-packages/azure/identity/_credentials/default.py", line 225, in get_token token = super().get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/site-packages/azure/identity/_credentials/chained.py", line 124, in get_token

Expected/desired behavior

No errors thrown before change: Authenticate using RBAC instead of API Keys for Azure Search & Azure Open AI resources (#186)

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)

All above

Versions

Mention any other details that might be useful

---

Thanks! We'll be in touch soon.

[AthanasiosPavlou]

ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials. Attempted credentials: EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured. Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue. ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint. AzureCliCredential: Azure CLI not found on path AzurePowerShellCredential: PowerShell is not installed AzureDeveloperCliCredential: Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then,once installed, authenticate to your Azure account using 'azd auth login'. To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot. Traceback: File "/usr/local/lib/python3.11/site-packages/streamlit/runtime/scriptrunner/script_runner.py", line 535, in _run_script exec(code, module.dict) File "/usr/local/src/myscripts/admin/pages/04_Configuration.py", line 25, in config = ConfigHelper.get_active_config_or_default() ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/src/myscripts/utilities/helpers/ConfigHelper.py", line 66, in get_active_config_or_default config = ConfigHelper.get_default_config() ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/src/myscripts/utilities/helpers/ConfigHelper.py", line 194, in get_default_config return Config(default_config) ^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/src/myscripts/utilities/helpers/ConfigHelper.py", line 23, in init self.env_helper = EnvHelper() ^^^^^^^^^^^ File "/usr/local/src/myscripts/utilities/helpers/EnvHelper.py", line 50, in init self.OPENAI_API_KEY = DefaultAzureCredential(exclude_shared_token_cache_credential=True).get_token("https://cognitiveservices.azure.com/.default").token ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/site-packages/azure/identity/_credentials/default.py", line 225, in get_token token = super().get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/site-packages/azure/identity/_credentials/chained.py", line 124, in get_token raise ClientAuthenticationError(message=message)

[AthanasiosPavlou]

Because of the docker image the codebase is automatically picking up the above updates, and thus the deployed application stopped working. Please revert so that current deployments can resume functioning:

"WebAppImageName": "DOCKER|fruoccopublic.azurecr.io/rag-webapp",
"AdminWebAppImageName": "DOCKER|fruoccopublic.azurecr.io/rag-adminwebapp",
"BackendImageName": "DOCKER|fruoccopublic.azurecr.io/rag-backend",

[AthanasiosPavlou]

One more thing to add - due to environment restrictions/permissions not all of us have the option to turn on managed identity on Azure portal, assign rbac rules etc. So if you could please revert to the previous, the accelerator should resume operating

[komalg1]

@AthanasiosPavlou Can you please check if your solution is working fine?

[AthanasiosPavlou]

Hello - yep, it is now back up and running :)

[rmthurman]

I am having the same issue, and it is impacting a Stategic customer.... if they restart the web app, will it pick up the changes? How do we revert these changes? @komalg1 @AthanasiosPavlou

[komalg1]

I am having the same issue, and it is impacting a Stategic customer.... if they restart the web app, will it pick up the changes? How do we revert these changes? @komalg1 @AthanasiosPavlou

@rmthurman It will pick up the changes. It should work as before now. Let us know if you see any issues.

[rmthurman]

@komalg1 their environment is still broken.... are you available to troubleshoot with us today? How do I contact you internally?

[adamdougal]

@rmthurman Heya, can you ask them to set the ‘AZURE_AUTH_TYPE’ env var to ‘keys’ for the backend application?

[AthanasiosPavlou]

Hi @rmthurman and @komalg1. In my case, with no further changes from my end (apart from restarting both the admin and the chat webapps) the solution resumed working as usual.

[joshrenshaw12]

Hi - what options are there if we want to continue using rbac rather than keys?

[ross-p-smith]

1) You will need to deploy your infrastructure using rbac in the bicep deployment. The value you need to change is authType. This will create the RolePermissions necessary 2) You will then need to configure each AppServices configuration AZURE_AUTH_TYPE to rbac

[komalg1]

@joshrenshaw12 For local deployment you will need to add roles for your principal id. It can be done manually & programmatically. Please refer to the docs - Manually Assign roles Programmatically assign roles

[ross-p-smith]

@AthanasiosPavlou - can we close this now?