>>> from azure.identity import ManagedIdentityCredential
>>> from azure.keyvault.secrets import SecretClient
>>> credential = ManagedIdentityCredential()
>>> client = SecretClient("[https://mcpatino-kv.vault.azure.net"](), credential)
>>> client.get_secret("rsa-key")
CloudShellCredential.get_token failed: request() got an unexpected keyword argument 'tenant_id'
ManagedIdentityCredential.get_token failed: request() got an unexpected keyword argument 'tenant_id'
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/tracing/decorator.py", line 83, in wrapper_use_tracer
return func(*args, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/keyvault/secrets/_client.py", line 73, in get_secret
**kwargs
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/keyvault/secrets/_generated/_operations_mixin.py", line 1525, in get_secret
return mixin_instance.get_secret(vault_base_url, secret_name, secret_version, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/keyvault/secrets/_generated/v7_3_preview/operations/_key_vault_client_operations.py", line 286, in get_secret
pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 211, in run
return first_node.send(pipeline_request) # type: ignore
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
[Previous line repeated 2 more times]
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/policies/_redirect.py", line 158, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/policies/_retry.py", line 445, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/policies/_authentication.py", line 128, in send
request_authorized = self.on_challenge(request, response)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 102, in on_challenge
self.authorize_request(request, scope, tenant_id=challenge.tenant_id)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/policies/_authentication.py", line 107, in authorize_request
self._token = self._credential.get_token(*scopes, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/identity/_internal/decorators.py", line 30, in wrapper
token = fn(*args, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/identity/_credentials/managed_identity.py", line 119, in get_token
return self._credential.get_token(*scopes, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/identity/_internal/managed_identity_base.py", line 52, in get_token
return super(ManagedIdentityBase, self).get_token(*scopes, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/identity/_internal/get_token_mixin.py", line 76, in get_token
token = self._request_token(*scopes, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/identity/_internal/managed_identity_base.py", line 62, in _request_token
return cast(ManagedIdentityClient, self._client).request_token(*scopes, **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/identity/_internal/managed_identity_client.py", line 123, in request_token
response = self._pipeline.run(request, retry_on_methods=[request.method], **kwargs)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 211, in run
return first_node.send(pipeline_request) # type: ignore
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
[Previous line repeated 1 more time]
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/policies/_retry.py", line 445, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
[Previous line repeated 1 more time]
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 103, in send
self._sender.send(request.http_request, **request.context.options),
File "/home/mccoy/.local/lib/python3.7/site-packages/azure/core/pipeline/transport/_requests_basic.py", line 337, in send
**kwargs)
TypeError: request() got an unexpected keyword argument 'tenant_id'
March will be the GA of the new KeyVault SDK that uses the
tenant_idkwarg ofget_token. In all circumstances, KV will inject that kwarg.Today, azure-identity is not ready for this change. For instance, it doesn't work for ManagedIdentity :
Details
For March, we need unittests and live-tests that all credentials shipped part of the azure-identity packages support injection of tenant_id. If tenant_id is not a concept for that credentials implementation, it should be ignored (do NOT raise with something like
ValueError("tenant_id is not a supported kwarg")since it would make this credential incompatible with KV at all time.)cc @joshfree @schaabs