Open felixnext opened 2 weeks ago
Also tried to reinstall the Azure CLI with no effect
Thanks for reaching out.
DefaultAzureCredential attempts a chain of credentials.
Could you share the information which credential did you expect to work?
Hi @felixnext. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
Hi @xiangyan99 as mentioned above I would expect the CLI Credential to work. I also tried it separately. But it only works every once in a while. Meanwhile az cli is updated to latest version and works when accessing the keyvault directly with it.
Could you share your code snippet?
Hi @felixnext. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
Sure. I have a function that triggeres the credentials:
from azure.identity import (
DefaultAzureCredential,
InteractiveBrowserCredential,
)
def get_credential(allow_browser: bool = True) -> DefaultAzureCredential:
return DefaultAzureCredential(
additionally_allowed_tenants=["*"],
# NOTE: this is due to bug in azure-sdk-for-python
# see: https://github.com/Azure/azure-sdk-for-python/issues/37167
exclude_interactive_browser_credential=not allow_browser,
)
Then they are used, for example with secret handler like this:
from azure.keyvault.secrets import SecretClient
from azure.core.exceptions import ResourceNotFoundError
class FooBar
def __init__(self, vault_name):
# ....
self.credential = get_credential()
self.client = SecretClient(
vault_url=f"https://{vault_name}.vault.azure.net",
credential=self.credential,
)
def has_secret(self, name: str) -> bool:
try:
return self.client.get_secret(name) is not None
except ResourceNotFoundError:
return False
Can you try run "az account get-access-token --output json --resource https://vault.azure.net" in the command windows and share the output? (please sanitize sensitive data)
Hi @felixnext. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
Here:
{
"accessToken": "ey*************",
"expiresOn": "2024-09-05 22:19:56.000000",
"expires_on": 1725567596,
"subscription": "************************************",
"tenant": "************************************",
"tokenType": "Bearer"
}
Thank you.
Is it possible because the process needs more time?
Can you try AzureCliCredential(process_timeout=60)
Hi @felixnext. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
Thanks @xiangyan99 that seems to solve the problem. May I raise a feature request of making the error around the CLI more descriptive?
The proposal would be that it should highlight the timeout and suggest using the process_timeout
parameter. So instead of:
AzureCliCredential: Failed to invoke the Azure CLI
It would be:
AzureCliCredential: Timeout while invoking Azure CLI. (Use `process_timeout` to increase timeout duration)
@xiangyan99 As an update to this: I set the timer up to 30sec. It now works roughly 50% of the time. Setting it to 60sec improves that (but still some misses). Is there a way to diagnose underlying problems here? (My internet connection is at 250mbps, so do not think this is the issue). It would be great to fix this speed bump (as it takes a long time now to startup services for local debugging) as an agility enabler.
Thank you for the update. Based on what you're describing, the issue likely isn’t related to your network connection. The Python code starts a subprocess, so the underlying problem is more likely due to your machine's performance. If your machine is slow or there are multiple resource-intensive processes running, it could lead to delays. This is especially true if you're running the code in a VM that shares resources with other processes. Checking your CPU usage and system load when the issue occurs might help identify the cause.
Hi @felixnext. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
@xiangyan99 Hm. Okay. That lowers dev-agility on the CLI a bit. Is there ongoing work to make CLI less resource hungry? And loop back on the feature request for a more expressive error message, that would help a lot here I think.
Another thing worse considering is dynamic timeouts. Not sure how much engineering effort it would be to retrieve current system load and make the timeout adaptive to that (and allowing users to set a flag for that)? (psutil might be a good lib for that)
Packages:
Describe the bug I am trying to retrieve an Azure credential for connecting to key-vault. I have tried
DefaultCredential
,AzureCliCredential
, etc. But always get the following error:Strange thing is it works in 2% of the cases (roughly every 50 times I execute the code). Also
InteractiveBrowser
is working, but annoying for this usecase. It worked 2 days ago, so it seems like a regression (with no changes to version, etc). Since then updated (to Azure CLI 2.63.0) with no effect. Running az cli directly works without problems and I can interact with the keyvault. So the problem here really seems that for some reason the Python SDK cannot interact with the installed version of azure cli.To Reproduce Steps to reproduce the behavior:
Expected behavior A clear and concise description of what you expected to happen.
Screenshots If applicable, add screenshots to help explain your problem.
Additional context Add any other context about the problem here.