0

So I'm having all sorts of problems trying to authenticate a Python environment. My ultimate goal here is to use the Azure AppConfiguration SDK to read values from an AppConfig service in Azure. But right now I'm failing at the very first hurdle.

FYI I'm running all of this on a Windows 11 machine using VS Code (run as Administrator). I have the latest Azure CLI installed.

My Azure App Config script is as follows:


from azure.identity import DefaultAzureCredential
from azure.appconfiguration import AzureAppConfigurationClient

appCfgUrl = os.environ["AppConfigUrl"]
credential = DefaultAzureCredential()
client = AzureAppConfigurationClient(appCfgUrl, credential)
value = client.get_configuration_setting(configKey)

But this results in the error:

DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
    EnvironmentCredential: Authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://Endpoint=https://foo.azconfig.io;Id=XXXXXX;Secret=YYYYYY=/.default is not valid.

So I thought maybe there was something wrong with the AppConfig SDK, or the way I'm implementing it, so I thought I'd try going direct and just connecting straight to the Azure CLI directly using the following code as suggested by Authenticating Azure CLI with Python SDK

import os
from azure.cli.core import get_default_cli

az_cli = get_default_cli()

clientId = os.environ["AZURE_CLIENT_ID"]
clientSecret = os.environ["AZURE_CLIENT_SECRET"]
tenantId = os.environ["AZURE_TENANT_ID"]

az_cli.invoke(['login', '--service-principal', 
               '-u', clientId, 
               '-p', clientSecret,
               '--tenant',tenantId])

However, this just results in the error message

No module named 'azure.cli.command_modules'.
'login' is misspelled or not recognized by the system.

I've tried both pip install azure.cli.core as well as pip install azure-cli

I've also upgraded the Azure CLI on my machine. I can successfully authenticate to the Azure CLI in both Bash and PowerShell without any issues - and I have another .NET C# project which uses Azure CLI without problems.

At this point I'm really tearing my hair out. I've tried using hard-coded values for the service principal, as well as using locally defined Environment Variables - but none of them work.

As mentioned, I've done all of this in .NET in both Unit Tests, an Azure Function App and an Azure Web App without any issues at all, but doing this in Python appears to have just hit a hard stop.

Martin Hatch
  • 279
  • 2
  • 16

1 Answers1

0

From the attached error message, it appears your configuration store's full connection string has been saved in the "AppConfigUrl" environment variable. To authenticate using your azure credentials, the appCfgUrl variable should be your store's endpoint only, i.e., https://your-store-name.azconfig.io. To authenticate with your connection string, you can create your client as shown below:

client = AzureAppConfigurationClient.from_connection_string(<AZURE-APPCONFIGURATION-CONNECTION-STRING>)

More information and samples can be found here. I hope this helps.

By the way, you can also use the App Configuration Python Provider which enables you to access and use your configuration settings like a python dictionary.

Albert Ofori
  • 1
  • 1