azure-sdk-for-python: DefaultAzureCredential - RestError: [TokenExpired] Error validating token: 'S2S12086'

  • Package Name: Azure Identity
  • Package Version: 1.10 and 1.11
  • Operating System: Linux
  • Python Version: 3.8

Describe the bug

We currently have an Azure function app behind an API. This function interacts with several third party services, Cosmo, Sales Force to name a few. The functions will run

```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

credential = DefaultAzureCredential(exclude_visual_studio_code_credential=True, exclude_shared_token_cache_credential=True)
client = SecretClient(vault_url=f"https://{enviroment}apiapp.vault.azure.net/", credential=credential, logging_enable=True)
```

After 24 hours we start seeing the error: “FailureException: ClientAuthenticationError: (Unauthorized) [TokenExpired] Error validating token: ‘S2S12086’.Code: UnauthorizedMessage: [TokenExpired] Error validating token: ‘S2S12086’”

If we restart the function app or wait about 15 minutes it starts working again.

To Reproduce

Steps to reproduce the behavior:

  1. Deploy function app that uses DefaultAzureCredential to access KeyVault.
  2. Run function every minute for 24 hours.
  3. After 24 hours you should start to receive this message.

Expected behavior

I would expect the credential to not expire, or issue a new credential if it expires without a user seeing an error.

Additional context

This was working through April. We did a deploy in May after 1.10 came out and we started having the problem. Did lots of troubleshooting and trying different settings. Eventually found a similar problem on the SDK for JS, https://github.com/Azure/azure-sdk-for-js/issues/22722, that got us looking at release dates of versions for the Python package that line up.

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 16 (9 by maintainers)

Most upvoted comments

After 24 hours you should start to receive this message.

I had the same problem, fix was not to cache client = new SecretClient(... (at least do not cache it forever, refresh once an hour or so). I started re-creating a new ManagedIdentityCredential() and making a new SecretClient from it, and the problem has gone for now.

Can't say for sure, but it seems like one of the objects above makes a token which gets stale after some time.

I believe the similar problem is in issue #27266

I use @azure/identity 3.1.1

  • Package Name: @azure/identity
  • Package Version: ^3.1.1
  • Operating system: Linux
  • Nodejs version: 16.14.12
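The workaround described in the comment above (do not cache the client forever; rebuild the credential and client about once an hour), sketched in Python as an added example that is not code from the issue or from the Azure SDK. `RefreshingClient`, `FakeVaultClient` and `simulate` are hypothetical names, and `PermissionError` stands in for the SDK's `ClientAuthenticationError`; in a function app the factory would construct a new `DefaultAzureCredential` and `SecretClient`.

```python
import threading
import time

class RefreshingClient:
    """Rebuild an SDK client (and its credential) when it is old or fails auth."""
    def __init__(self, factory, max_age=3600.0, auth_errors=(PermissionError,),
                 clock=time.monotonic):
        self._factory = factory          # builds a new credential AND client
        self._max_age = max_age          # seconds ("once an hour or so")
        self._auth_errors = auth_errors  # Azure SDK: (ClientAuthenticationError,)
        self._clock = clock
        self._lock = threading.Lock()    # invocations may share this holder
        self._client, self._built_at = None, 0.0
        self.rebuilds = self.retries = 0

    def _get(self, force=False):
        with self._lock:
            age = self._clock() - self._built_at
            if force or self._client is None or age >= self._max_age:
                self._client, self._built_at = self._factory(), self._clock()
                self.rebuilds += 1
            return self._client

    def call(self, operation):
        """Run operation(client); on an auth error rebuild once and retry."""
        try:
            return operation(self._get())
        except self._auth_errors:
            self.retries += 1
            return operation(self._get(force=True))

class FakeVaultClient:  # constructed stand-in: token rejected 24 h after creation
    def __init__(self, clock):
        self._clock, self._born = clock, clock()

    def get_secret(self, name):
        if self._clock() - self._born >= 24 * 3600:
            raise PermissionError("[TokenExpired] Error validating token")
        return "value-of-" + name

def simulate(max_age, hours=30):
    """One call per minute; returns (successful calls, rebuilds, retries)."""
    now = [0.0]
    clock = lambda: now[0]
    holder = RefreshingClient(lambda: FakeVaultClient(clock), max_age, clock=clock)
    ok = 0
    for minute in range(hours * 60):
        now[0] = minute * 60.0
        ok += holder.call(lambda c: c.get_secret("db")) == "value-of-db"
    return ok, holder.rebuilds, holder.retries
```

With hourly rebuilds the simulated 24-hour failure is never reached; with no age limit the single retry in `call` absorbs it, so the caller sees no error in either case.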

@mccoyp Thank you for getting back.

We currently don’t have the azure-keyvault-secrets version locked so the most recent deploy is using 4.6.0.

Some added information, as an experiment last week we locked azure identity to version 1.9.0 and since then we have not had the authentication problem. It's only been three days since we stopped restarting the Azure function automatically every 12 hours, but we would normally see the problem at the 24 hour mark.