Azure / azure-sdk-for-python


azure.core.exceptions.ClientAuthenticationError: (InvalidAuthenticationTokenTenant) #35268

Closed LiliDeng closed 2 months ago

LiliDeng commented 2 months ago

In ADO, I created a service connection with Workload Identity federation (automatic) and used it in the pipeline like this; it worked well and listed all the resource groups.

      - task: AzureCLI@2
        inputs:
          azureSubscription: 'name'
          scriptType: ps
          scriptLocation: inlineScript
          inlineScript: |
            az account show
            az group list

In the inline script, I used the code below with the Azure Python SDK and it threw the exception. I used "azure-identity ~= 1.13.0"; any idea what may cause this issue?

    # azure-identity ~= 1.13.0; imports added here for context, not part of the original snippet
    import logging
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.resource import SubscriptionClient

    credential = DefaultAzureCredential(
        authority=self.cloud.endpoints.active_directory,
    )

    with SubscriptionClient(
        credential,
        base_url=self.cloud.endpoints.resource_manager,
        credential_scopes=[self.cloud.endpoints.resource_manager + "/.default"],
    ) as self._sub_client:
        # suppress the warning messages logged while DefaultAzureCredential tries each credential type
        azure_identity_logger = logging.getLogger("azure.identity")
        azure_identity_logger.setLevel(logging.ERROR)
        with global_credential_access_lock:
            subscription = self._sub_client.subscriptions.get(  # <== exception thrown on this line
                self.subscription_id
            )

azure.core.exceptions.ClientAuthenticationError: (InvalidAuthenticationTokenTenant) The access token is from the wrong issuer 'https://sts.windows.net/A/'. It must match the tenant 'https://sts.windows.net/B/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/B' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.
Code: InvalidAuthenticationTokenTenant
Message: The access token is from the wrong issuer 'https://sts.windows.net/A/'. It must match the tenant 'https://sts.windows.net/B/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/B' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.
LiliDeng commented 2 months ago

@xiangyan99 thanks for looking into this. Using the code below works, but I want to evaluate the impact if I use exclude_managed_identity_credential:

    credential = DefaultAzureCredential(
        authority=self.cloud.endpoints.active_directory,
        exclude_managed_identity_credential=True,
    )

LiliDeng commented 2 months ago

Given the environment variables below, it worked well, with no need to set exclude_managed_identity_credential:

    os.environ["AZURE_CLIENT_ID"]
    os.environ["AZURE_TENANT_ID"]
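As an added diagnostic example (not from the issue thread or the SDK): the server-side InvalidAuthenticationTokenTenant error above can be surfaced locally, before any ARM call, by decoding the access token the chosen credential returned and comparing its tenant with the subscription's tenant, which tells you which member of the DefaultAzureCredential chain actually won. The token here is a constructed unsigned sample using the placeholder tenants "A" and "B" from the issue; in the pipeline you would pass `credential.get_token(scope).token` and the subscription's real tenant ID instead.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()

def token_claims(access_token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature."""
    # Diagnostics only (which tenant issued this?); never authorize on unverified claims.
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def token_tenant(access_token: str) -> str:
    """Tenant the token was issued for: the 'tid' claim, else the last path
    element of the issuer URL, e.g. https://sts.windows.net/<tenant>/."""
    claims = token_claims(access_token)
    if "tid" in claims:
        return claims["tid"]
    return claims.get("iss", "").rstrip("/").rsplit("/", 1)[-1]

def check_token_tenant(access_token: str, subscription_tenant: str) -> tuple:
    """(ok, message): does the token's tenant match the subscription's tenant?"""
    actual = token_tenant(access_token)
    if actual.lower() == subscription_tenant.lower():
        return True, f"token issued by tenant {actual}; matches subscription"
    return False, (f"token issued by tenant {actual} but subscription belongs to "
                   f"{subscription_tenant}: another credential in the "
                   f"DefaultAzureCredential chain (e.g. managed identity) won; "
                   f"set AZURE_TENANT_ID/AZURE_CLIENT_ID or exclude that credential")

def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned (alg "none") token for offline demonstration only.
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."

# Constructed sample: issued by tenant "A" while the subscription lives in "B".
SAMPLE_TOKEN = make_sample_token({"iss": "https://sts.windows.net/A/", "tid": "A",
                                  "aud": "https://management.azure.com/"})

if __name__ == "__main__":
    ok, msg = check_token_tenant(SAMPLE_TOKEN, "B")
    print("OK" if ok else "MISMATCH", "-", msg)
```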