Azure / azure-sdk-for-rust

This repository is for active development of the *unofficial* Azure SDK for Rust. This repository is *not* supported by the Azure SDK team.
MIT License

[help] - Using the Default Azure Credential to authenticate to CosmosDB #1593

Closed andrewschmidgit closed 3 weeks ago

andrewschmidgit commented 5 months ago

Hi!

I'm attempting to use the DefaultAzureCredential to authenticate to CosmosDB within an Azure function project. This is the error I am receiving when using the CosmosClient to perform a document patch ({cosmos-db-account-name} is the actual account name):

Multiple errors were encountered while attempting to authenticate:

environment credential - request token error - Server returned error response

IMDS timeout - operation timed out

az-cli - 'az account get-access-token' command failed: ERROR: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://{cosmos-db-account-name}.documents.azure.com offline_access openid profile is not valid. The scope format is invalid. Scope must be in a valid URI form https://example/scope or a valid Guid <guid/scope>

Relevant Info

Cargo.toml

[dependencies]
azure_data_cosmos = { version = "0.19", default-features = false, features = ["enable_reqwest_rustls", "hmac_rust"] }
azure_identity = { version = "0.19", default-features = false, features = ["enable_reqwest_rustls"] }
...

CosmosClient setup:

use std::error::Error;
use std::sync::Arc;

use azure_data_cosmos::prelude::*;
use azure_identity::DefaultAzureCredentialBuilder;

// CosmosSettings is the function app's own config type (holds account_name).
fn get_cosmos_client(config: &CosmosSettings) -> Result<CosmosClient, Box<dyn Error>> {
    // Chain: environment credential -> managed identity (IMDS) -> az cli.
    let credential = DefaultAzureCredentialBuilder::new().build();
    let token = AuthorizationToken::TokenCredential(Arc::new(credential));
    let client = CosmosClientBuilder::new(config.account_name.clone(), token).build();
    Ok(client)
}

Any help would be greatly appreciated, and I'm happy to provide more info as needed.

andrewschmidgit commented 5 months ago

This may be related to #1584, at least when this error appears when the function app is deployed

johnbatty commented 5 months ago

I suspect that this may be related to a recent change to TokenCredential such that it now expects a list of scopes as a parameter rather than a resource. https://github.com/Azure/azure-sdk-for-rust/pull/1493

I think that the fix may be to add a /.default suffix to the scope generated here: https://github.com/Azure/azure-sdk-for-rust/blob/main/sdk/data_cosmos/src/authorization_policy.rs#L193

devigned commented 3 weeks ago

I'm running into the same issue. As @johnbatty has mentioned, it is a malformed scope for the cosmos client. You can see the correctly formatted .default scope in the Azure SDK for Go. You can also verify this by authenticating with the scope via Azure CLI using: az login --scope https://${YOUR_ACCOUNT_NAME}.documents.azure.com/.default.

The current scope being passed is https://${YOUR_ACCOUNT_NAME}.documents.azure.com, which responds with the aforementioned error.

Related: https://github.com/fermyon/spin/pull/2566
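The scope fix described in the two comments above (append `/.default` to the resource URI when handing a scope list to `TokenCredential`), as an added example that is not the SDK's own `authorization_policy.rs` code. The helper names (`resource_to_scope`, `cosmos_scope`, `is_valid_scope`) are assumptions for illustration; the structural check in `is_valid_scope` only mirrors the format rule quoted in the AADSTS70011 error ("https://example/scope" or "<guid>/scope") and does not talk to Entra ID.

```rust
// Added example: converting a Cosmos DB resource URI into a v2.0 scope.
// Not part of the azure-sdk-for-rust code base; names are illustrative.

/// Normalize a resource identifier (e.g. `https://acct.documents.azure.com`,
/// with or without a trailing slash) into a scope by appending `/.default`
/// exactly once. Already-normalized input is returned unchanged.
pub fn resource_to_scope(resource: &str) -> String {
    let trimmed = resource.trim().trim_end_matches('/');
    if trimmed.ends_with("/.default") {
        trimmed.to_string()
    } else {
        format!("{trimmed}/.default")
    }
}

/// Build the Cosmos DB data-plane scope for an account name, i.e. the value
/// `az login --scope ...` accepts in the comment above.
pub fn cosmos_scope(account_name: &str) -> String {
    resource_to_scope(&format!("https://{account_name}.documents.azure.com"))
}

/// True when `s` looks like a GUID (8-4-4-4-12 hex groups).
fn is_guid(s: &str) -> bool {
    let parts: Vec<&str> = s.split('-').collect();
    parts.len() == 5
        && [8usize, 4, 4, 4, 12]
            .iter()
            .zip(&parts)
            .all(|(n, p)| p.len() == *n && p.chars().all(|c| c.is_ascii_hexdigit()))
}

/// Structural check against the rule in the AADSTS70011 message: a scope is
/// either URI form (`https://host/segment`) or `<guid>/segment`. A bare
/// resource URI with no path segment, or a string containing whitespace
/// (the az-cli case, where extra OIDC scopes got concatenated), is rejected.
pub fn is_valid_scope(scope: &str) -> bool {
    if scope.is_empty() || scope.contains(char::is_whitespace) {
        return false;
    }
    if let Some(rest) = scope.strip_prefix("https://") {
        return match rest.split_once('/') {
            Some((host, path)) => !host.is_empty() && !path.is_empty(),
            None => false, // e.g. https://acct.documents.azure.com (the bug)
        };
    }
    match scope.split_once('/') {
        Some((guid, path)) => is_guid(guid) && !path.is_empty(),
        None => false,
    }
}

fn main() {
    // Constructed account name, not a real deployment.
    let broken = "https://myacct.documents.azure.com";
    let fixed = cosmos_scope("myacct");
    println!("{broken} valid? {}", is_valid_scope(broken));
    println!("{fixed} valid? {}", is_valid_scope(&fixed));
}
```

Running `main` shows the bare resource URI failing the structural check while the `/.default` form passes, which is the difference between the two scopes devigned quotes.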