Azure / azure-sdk-for-python

This repository is for active development of the Azure SDK for Python. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/python/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-python.
MIT License

KustoManagementClient unable to use ManagedIdentityCredential #37548

Closed mgmm13 closed 1 month ago

mgmm13 commented 1 month ago

Describe the bug

Initializing the management client from KustoManagementClient does not let us proceed if the provided credential is a ManagedIdentityCredential.

Previously we were using DefaultAzureCredential, which utilizes the EnvironmentCredential as we have defined the 3 variables AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, and it works fine. Now, due to a setup change, we are not extracting the AZURE_CLIENT_SECRET anymore and we need to utilize credentials from Managed Identity. But using ManagedIdentityCredential does not work and is returning an HTML type or token.

To Reproduce

Steps to reproduce the behavior:

  1. Instead of DefaultAzureCredential, we changed the code to the following:
    from azure.identity import ManagedIdentityCredential
    from azure.mgmt.kusto import KustoManagementClient

    management_client = KustoManagementClient(
        credential=ManagedIdentityCredential(client_id=mi_client_id),
        subscription_id=adx_subscription_id,
    )
  2. During internal calls we are getting
    ImdsCredential.get_token failed: Unexpected content type "text/html"
    Content: <!doctype html>
    ...

Expected behavior

Expecting a successful initialization of the management client.

Screenshots

N/A

Additional context

We are using the Python SDK via a script to set up a Kusto management client that would add ADX permissions programmatically.

github-actions[bot] commented 1 month ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

xiangyan99 commented 1 month ago

Thanks for reaching out.

Could you share more information about your environment?

Did you run the app on Azure service with managed identity enabled?

github-actions[bot] commented 1 month ago

Hi @mgmm13. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

mgmm13 commented 1 month ago

Hi @xiangyan99

For additional context, the managed identity we are using would be a setup from OIDC. We have also set up this managed identity with the Azure Data Explorer Database Admin role. The managed identity also has Contributor RBAC assigned for the whole subscription we are testing with.

xiangyan99 commented 1 month ago

Thanks for the information. Do you run your app on an Azure VM? Have you enabled/attached the managed identity to the VM?

mgmm13 commented 1 month ago

@xiangyan99 we are running the app script from Azure DevOps agents (from a Linux agent pool).

xiangyan99 commented 1 month ago

Thanks for the information.

ManagedIdentityCredential is not the right credential to be used on an Azure DevOps agent.

Please use AzurePipelinesCredential instead (and please make sure you have configured the pipeline correctly).

github-actions[bot] commented 1 month ago

Hi @mgmm13. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

mgmm13 commented 1 month ago

Hi @xiangyan99, will check if we can use AzurePipelinesCredential. Thanks for the response. I'll update this thread accordingly.

mgmm13 commented 1 month ago

Hi @xiangyan99 and team, so far we are able to successfully use AzurePipelinesCredential with the Kusto management client. We have also cascaded it to other parts of our code that use a Kusto connection (azure.kusto.data with KustoConnectionStringBuilder). Thank you so much for the assistance.
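
The credential switch this thread arrives at, as an added example that is not code from the thread or from the SDK project: it picks AzurePipelinesCredential on a pipeline agent, fails early if the federated-login inputs are absent, and keeps ManagedIdentityCredential for other hosts. `TF_BUILD` and `SYSTEM_ACCESSTOKEN` are Azure Pipelines variables; the `ADX_*` variable names and all function names are assumptions of this example.

```python
import os

# TF_BUILD and SYSTEM_ACCESSTOKEN are Azure Pipelines variables; the ADX_* names
# are assumptions of this example and must be set by your own pipeline.
PIPELINE_SETTINGS = ("ADX_TENANT_ID", "ADX_CLIENT_ID",
                     "ADX_SERVICE_CONNECTION_ID", "SYSTEM_ACCESSTOKEN")


def pick_credential_kind(env):
    """Name the azure-identity credential that fits the runtime described by env."""
    if env.get("TF_BUILD", "").lower() == "true":  # running on a pipeline agent
        # Report missing settings by name only, so no token value reaches the logs.
        missing = [name for name in PIPELINE_SETTINGS if not env.get(name)]
        if missing:
            raise RuntimeError("pipeline step is missing: " + ", ".join(missing))
        return "AzurePipelinesCredential"
    # Assumption: any other runtime is an Azure host with the identity attached,
    # so a managed identity endpoint is reachable from it.
    return "ManagedIdentityCredential"


def build_credential(env=os.environ):
    """Build the credential; azure-identity is imported only when needed."""
    kind = pick_credential_kind(env)
    from azure.identity import AzurePipelinesCredential, ManagedIdentityCredential
    if kind == "AzurePipelinesCredential":
        return AzurePipelinesCredential(
            tenant_id=env["ADX_TENANT_ID"],
            client_id=env["ADX_CLIENT_ID"],
            service_connection_id=env["ADX_SERVICE_CONNECTION_ID"],
            system_access_token=env["SYSTEM_ACCESSTOKEN"],
        )
    return ManagedIdentityCredential(client_id=env.get("ADX_CLIENT_ID"))


def build_management_client(subscription_id, env=os.environ):
    """Same client as in the report, with the credential chosen per runtime."""
    from azure.mgmt.kusto import KustoManagementClient
    return KustoManagementClient(credential=build_credential(env),
                                 subscription_id=subscription_id)
```

The pipeline step has to map `$(System.AccessToken)` into `SYSTEM_ACCESSTOKEN` explicitly, since secret variables are not exposed to scripts by default.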