
DefaultAzureCredentials fails with "Access denied" when connecting to key vault #16766

Closed
holwech opened this issue Feb 16, 2021 · 8 comments

Comments


holwech commented Feb 16, 2021

  • Package Name: azure-identity
  • Package Version: 1.5.0
  • Operating System: Windows 10
  • Python Version: 3.8.2

Describe the bug
Visual Studio Code credentials are not working when trying to connect to Key Vault (and possibly other types of resources?). If I disable the VS Code credentials, it probably uses Azure CLI credentials instead, which work fine. Note that DefaultAzureCredential used to work, but stopped for some reason (it might have stopped working after I installed MS Teams?). I'm very certain that I have logged into the same account in VS Code, Azure CLI and in Windows.

To Reproduce
Set up a key vault and give yourself access. Add a secret to the key vault and run the following code:

# %%
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# %%
# Fails: the VS Code credential is tried first and is rejected by Key Vault
credential = DefaultAzureCredential()
client = SecretClient(vault_url="https://KEY_VAULT_NAME.vault.azure.net/", credential=credential)
print(client.get_secret("DbConnectionString").value)

# %%
# Works fine: skipping the VS Code credential lets the chain fall through to Azure CLI
credential = DefaultAzureCredential(exclude_visual_studio_code_credential=True)
client = SecretClient(vault_url="https://KEY_VAULT_NAME.vault.azure.net/", credential=credential)
print(client.get_secret("DbConnectionString").value)

Log output

EnvironmentCredential.get_token failed: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential.get_token failed: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.

Error (IDs removed)

(Forbidden) Access denied to first party service.
Caller: name=from-infra;tid=;appid=;iss=https://sts.windows.net//
Vault: ;location=

Expected behavior
The script should be able to pull the secret and print the value.

Additional context
Not sure if this really belongs here, but I don't really know where else to direct this.


ghost commented Feb 16, 2021

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @southpolesteve, @zfoster

chlowell (Member) commented

"Access denied to first party service" typically occurs with MSA accounts, i.e. user accounts from @hotmail.com, @live.com, @outlook.com. Are you signed in to VS Code with one of those accounts?


ghost commented Feb 24, 2021

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@ghost ghost closed this as completed Mar 11, 2021
shoresh57 commented

I am using VS Code with an Outlook account and get the same error: HttpResponseError: (Forbidden) Access denied to first party service.

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

KVUri = "https://KEY_VAULT_NAME.vault.azure.net/"  # placeholder vault URL
secretName = "SECRET_NAME"  # placeholder secret name

credential = DefaultAzureCredential()
print(credential)
client = SecretClient(vault_url=KVUri, credential=credential)

svc_pr_password = client.get_secret(secretName)


chlowell commented May 7, 2021

You'll see this error when trying to authenticate an MSA account through the credential's default tenant, which can only authenticate work or school accounts. Specify the tenant to work around it:

from azure.identity import DefaultAzureCredential, VisualStudioCodeCredential

DefaultAzureCredential(vscode_tenant_id="some UUID")

# or if you want to authenticate only through VS Code
VisualStudioCodeCredential(tenant_id="some UUID")

#14808 tracks making this more convenient by using the tenant configured in VS Code's user settings, if any.

shoresh57 commented

@chlowell Thanks it helped

samyKhezandji commented

What is vscode_tenant_id? Where do I find it?

chlowell (Member) commented

vscode_tenant_id is the ID of the tenant in which you want to authenticate the user signed in to Visual Studio Code. In azure-identity 1.6.0, the credential defaults to authenticating in the user's home tenant. In azure-identity 1.7.0b1 and above, it defaults to authenticating in the tenant configured in VS Code (the "Azure:Tenant" setting, which also defaults to the user's home tenant).

You only need to specify a tenant ID when you want to authenticate in a different tenant. The value is typically a UUID like b0ae42e0-496e-4216-8811-e64c72a29c59 (which is just a random UUID, not a real tenant's ID). The correct value depends on the resource(s) you want to access. For example, if you want to access a Key Vault in tenant "A", you should set vscode_tenant_id="A". There are several ways to get a resource's tenant ID. For example, you can use the Azure CLI (e.g. for a Key Vault you want az keyvault show) or the Azure Portal (where it's sometimes called a "directory ID").
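As an added example (not code from this issue or from azure-identity), the helper below applies the two workarounds discussed in this thread: pass an explicit vscode_tenant_id when a valid tenant UUID is available, otherwise exclude the VS Code credential so the chain falls through to Azure CLI, and recognise the "Access denied to first party service" error body quoted in the report. The VSCODE_TENANT_ID environment variable name and the SAMPLE_ERROR text are constructed for the example.

```python
import os
import re
import uuid

FIRST_PARTY_DENIED = "Access denied to first party service"

# Constructed sample, copied from the error text in the issue (IDs removed).
SAMPLE_ERROR = (
    "(Forbidden) Access denied to first party service.\n"
    "Caller: name=from-infra;tid=;appid=;iss=https://sts.windows.net//\n"
    "Vault: ;location="
)

def parse_tenant_id(value):
    """Return the canonical lowercase UUID string, or None if value is not a UUID."""
    try:
        return str(uuid.UUID(str(value).strip()))
    except ValueError:
        return None

def is_first_party_denial(message):
    """True when an HttpResponseError's text shows the symptom from this issue."""
    return FIRST_PARTY_DENIED in message

def parse_caller(message):
    """Split the 'Caller:' line of the error body into name/tid/appid/iss fields."""
    match = re.search(r"Caller:\s*(.+)", message)
    if not match:
        return {}
    fields = {}
    for part in match.group(1).split(";"):
        key, _, val = part.partition("=")
        fields[key.strip()] = val.strip()
    return fields

def credential_kwargs(tenant_id=None, env_var="VSCODE_TENANT_ID"):
    """Kwargs for DefaultAzureCredential: explicit tenant_id, else the (hypothetical)
    env var; with no valid UUID, exclude the VS Code credential so the chain falls
    through to Azure CLI instead of failing with the first-party denial."""
    tid = parse_tenant_id(tenant_id) or parse_tenant_id(os.environ.get(env_var))
    if tid:
        return {"vscode_tenant_id": tid}
    return {"exclude_visual_studio_code_credential": True}

def make_credential(tenant_id=None):
    """Build the credential; azure-identity is imported lazily so the rest runs offline."""
    from azure.identity import DefaultAzureCredential
    return DefaultAzureCredential(**credential_kwargs(tenant_id))
```

When a Key Vault call raises, `is_first_party_denial(str(exc))` and `parse_caller(str(exc))` tell you whether you hit this exact case (note the empty tid in the sample) before you retry with an explicit tenant.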
