Azure / azure-workload-identity

Azure AD Workload Identity uses Kubernetes primitives to associate managed identities for Azure resources and identities in Azure Active Directory (AAD) with pods.
https://azure.github.io/azure-workload-identity
MIT License
288 stars, 86 forks

python example not working with latest package versions #1395

Open zadigus opened 1 week ago

zadigus commented 1 week ago

Is your feature request related to a problem? Please describe.

I was looking to make this example work with the latest package versions for msal and azure-keyvault-secrets. Unfortunately, when I do so, I get the following error:

[...]
  File "/venv/lib/python3.12/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.12/site-packages/azure/keyvault/secrets/_client.py", line 64, in get_secret
    bundle = self._client.get_secret(
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.12/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.12/site-packages/azure/keyvault/secrets/_generated/_operations/_operations.py", line 751, in get_secret
    pipeline_response: PipelineResponse = self._client._pipeline.run(  # pylint: disable=protected-access
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 229, in run
    return first_node.send(pipeline_request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  [Previous line repeated 2 more times]
  File "/venv/lib/python3.12/site-packages/azure/core/pipeline/policies/_redirect.py", line 197, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.12/site-packages/azure/core/pipeline/policies/_retry.py", line 532, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.12/site-packages/azure/core/pipeline/policies/_authentication.py", line 135, in send
    request_authorized = self.on_challenge(request, response)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.12/site-packages/azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 137, in on_challenge
    self.authorize_request(request, scope, tenant_id=challenge.tenant_id)
  File "/venv/lib/python3.12/site-packages/azure/core/pipeline/policies/_authentication.py", line 113, in authorize_request
    self._token = self._credential.get_token(*scopes, **kwargs)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.12/site-packages/mdl_client_auth/_vault/_custom_token_credential.py", line 34, in get_token
    token = self._app.acquire_token_for_client(scopes)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.12/site-packages/msal/application.py", line 2050, in acquire_token_for_client
    return _clean_up(self._acquire_token_silent_with_error(
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.12/site-packages/msal/application.py", line 1286, in _acquire_token_silent_with_error
    assert isinstance(scopes, list), "Invalid parameter type"
           ^^^^^^^^^^^^^^^^^^^^^^^^
AssertionError: Invalid parameter type

Describe the solution you'd like

I would like to know what changes I should make to your example so that it works with the latest versions of the azure-keyvault-secrets and msal libraries.

Describe alternatives you've considered

Keeping those versions pinned, but then I have conflicts with other packages I am using.

Additional context

zadigus commented 1 week ago

OK, so apparently it's enough to change your MyClientAssertionCredential.get_token method in file token_credential.py like this:

import time

from azure.core.credentials import AccessToken


# method of MyClientAssertionCredential in token_credential.py
def get_token(self, *scopes, **kwargs):
    # get the token using the application
    # this is the change! azure-core passes scopes as a tuple (*scopes),
    # while msal's acquire_token_for_client asserts that it receives a list
    token = self.app.acquire_token_for_client(list(scopes))
    if 'error' in token:
        raise Exception(token['error_description'])
    expires_on = time.time() + token['expires_in']
    # return an access token with the token string and expiration time
    return AccessToken(token['access_token'], int(expires_on))
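A complete credential along these lines, as an added example that is neither the project's examples/msal-python code nor the reporter's snippet. It shows the tuple-to-list conversion from the traceback at the boundary between azure-core (which calls get_token(*scopes)) and msal (which asserts a list), surfaces msal error payloads instead of returning them, and re-reads the projected service-account token on every acquisition because the kubelet rotates that file. The names ClientAssertionCredential, normalize_scopes, result_to_access_token and read_assertion are this example's own; the environment variable defaults are the ones the workload-identity webhook injects into the pod. The AccessToken fallback exists only so the pure helpers can be exercised without azure-core installed.

```python
"""Client-assertion credential for Azure AD Workload Identity, built on msal.

Added example (not the project's examples/msal-python code). Assumed names:
ClientAssertionCredential, normalize_scopes, result_to_access_token, read_assertion.
"""
import os
import time
from typing import Any, Dict, List, NamedTuple, Optional, Sequence

try:
    from azure.core.credentials import AccessToken
except ImportError:  # azure-core absent (offline unit tests): same (token, expires_on) shape
    class AccessToken(NamedTuple):
        token: str
        expires_on: int


class TokenAcquisitionError(Exception):
    """The token endpoint answered with an error payload instead of an access token."""


def normalize_scopes(scopes: Sequence[str]) -> List[str]:
    """azure-core invokes get_token(*scopes), so the credential sees a tuple, but
    msal.acquire_token_for_client asserts isinstance(scopes, list). Convert the
    tuple to a list and reject empty or non-string entries before they reach msal."""
    if len(scopes) == 1 and isinstance(scopes[0], (list, tuple)):
        scopes = scopes[0]  # caller wrote get_token(["..."]) instead of get_token("...")
    out = list(scopes)
    if not out or not all(isinstance(s, str) and s for s in out):
        raise ValueError("scopes must be one or more non-empty strings")
    return out


def result_to_access_token(result: Dict[str, Any], now: Optional[float] = None) -> AccessToken:
    """Translate an msal result dict into the AccessToken azure-core expects.
    msal reports failures as {'error': ..., 'error_description': ...}; raise on those."""
    if "error" in result:
        raise TokenAcquisitionError(result.get("error_description") or result["error"])
    now = time.time() if now is None else now
    return AccessToken(result["access_token"], int(now + int(result["expires_in"])))


def read_assertion(path: str) -> str:
    """Read the projected service-account token. The kubelet rotates this file, so it
    is read on every acquisition rather than once at construction."""
    with open(path, "r", encoding="utf-8") as f:
        return f.read().strip()


class ClientAssertionCredential:
    """TokenCredential-compatible object that authenticates with the federated
    (projected) service-account token as a client assertion."""

    def __init__(self, client_id=None, tenant_id=None, authority_host=None, token_file=None):
        # Defaults are the variables the workload-identity webhook injects into the pod.
        self.client_id = client_id or os.environ["AZURE_CLIENT_ID"]
        self.tenant_id = tenant_id or os.environ["AZURE_TENANT_ID"]
        self.authority_host = authority_host or os.environ["AZURE_AUTHORITY_HOST"]
        self.token_file = token_file or os.environ["AZURE_FEDERATED_TOKEN_FILE"]
        self._assertion: Optional[str] = None
        self._app = None
        self._cache = None  # shared across app rebuilds so cached tokens survive rotation

    def _app_for_current_assertion(self):
        import msal  # runtime dependency; imported here so the pure helpers above run without it

        assertion = read_assertion(self.token_file)
        if self._app is None or assertion != self._assertion:
            if self._cache is None:
                self._cache = msal.TokenCache()
            self._app = msal.ConfidentialClientApplication(
                self.client_id,
                client_credential={"client_assertion": assertion},
                authority=self.authority_host.rstrip("/") + "/" + self.tenant_id,
                token_cache=self._cache,
            )
            self._assertion = assertion
        return self._app

    def get_token(self, *scopes: str, **kwargs: Any) -> AccessToken:
        # kwargs such as tenant_id/claims from a Key Vault challenge are accepted but not
        # used: this credential is bound to the tenant configured above.
        app = self._app_for_current_assertion()
        result = app.acquire_token_for_client(normalize_scopes(scopes))
        return result_to_access_token(result)


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a fake assertion file and a fake msal result, no network involved.
    with tempfile.NamedTemporaryFile("w", suffix=".token", delete=False) as tf:
        tf.write("header.payload.signature\n")
    print(read_assertion(tf.name))  # header.payload.signature
    os.unlink(tf.name)
    print(normalize_scopes(("https://vault.azure.net/.default",)))  # ['https://vault.azure.net/.default']
    print(result_to_access_token({"access_token": "eyJ", "expires_in": 3600}, now=0))
```

The one-line fix from the comment above is the list() conversion inside normalize_scopes; the rest is hygiene around it: an msal error dict never reaches the Key Vault client as if it were a token, the challenge kwargs azure-core passes (the traceback shows tenant_id) do not break the signature, and a rotated federated token is picked up without restarting the pod.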