azure-sdk-for-python: ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.

  • Package Name: azure.identity
  • Package Version: 1.12.0
  • Operating System: Windows
  • Python Version: 3.7.12

Describe the bug

I load ml_client as below, from config.json in the local folder.

from azure.ai.ml import MLClient
from azure.identity import DefaultAzureCredential
credential = DefaultAzureCredential()
ml_client = MLClient(credential, subscription_id, resource_group, workspace_name)

I get the below error when ml_client tries to get the token internally. It's collecting a stale token from the cache.

File "C:\go\setup\anaconda\envs\e2e_test\lib\site-packages\azure\identity\_credentials\chained.py", line 108, in get_token
    raise ClientAuthenticationError(message=message)
azure.core.exceptions.ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
        SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2023-02-09T17:58:24.8491242Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2023-02-18T15:27:11.0000000Z'.
Trace ID: 6849addd-100a-497e-887e-c2bc6f5c0300
Correlation ID: a1dc633f-0908-4613-8248-ad10ee704be8
Timestamp: 2023-02-21 09:34:07Z'
Content: {"error":"invalid_grant","error_description":"AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2023-02-09T17:58:24.8491242Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2023-02-18T15:27:11.0000000Z'.\r\nTrace ID: 6849addd-100a-497e-887e-c2bc6f5c0300\r\nCorrelation ID: a1dc633f-0908-4613-8248-ad10ee704be8\r\nTimestamp: 2023-02-21 09:34:07Z","error_codes":[50173],"timestamp":"2023-02-21 09:34:07Z","trace_id":"6849addd-100a-497e-887e-c2bc6f5c0300","correlation_id":"a1dc633f-0908-4613-8248-ad10ee704be8","error_uri":"https://login.microsoftonline.com/error?code=50173"}
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
  • I am able to authenticate using InteractiveBrowserCredential()
  • I am able to authenticate using cli
  • I don’t remember changing password recently
  • I tried az upgrade, az login, and clearing the cache in the .azure folder under C://Users/<alias>, but DefaultAzureCredential() didn’t work. It was still taking the stale token.

I was able to resolve the above issue by manually deleting the msal.cache and msalV2.cache files in the .IdentityService folder under os.environ["LOCALAPPDATA"].

About this issue

  • State: closed
  • Created a year ago
  • Comments: 21 (7 by maintainers)

Most upvoted comments

It looks to me that you have logged in using Visual Studio and the token has expired.

Can you try

credential = DefaultAzureCredential(exclude_shared_token_cache_credential=True)
ml_client = MLClient(credential, subscription_id, resource_group, workspace_name)

to see if it works?

Issue has been solved by adding managed identity. You can close the issue. Thanks for the help.
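
The error text in the issue lists one entry per credential in the chain: two were merely unavailable, and only SharedTokenCacheCredential was actually tried and rejected. The following is an added example, not code from the issue or from the Azure SDK. It parses that message to separate the two cases and checks the AADSTS50173 timestamps to confirm the cached grant predates TokensValidFrom. The function names and the abridged sample text are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: abridged from the error text quoted in the issue.
SAMPLE = """DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
        SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The grant was issued on '2023-02-09T17:58:24.8491242Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2023-02-18T15:27:11.0000000Z'.
"""

ATTEMPT = re.compile(r"^\s+(\w+Credential): (.*)$")
AADSTS = re.compile(r"AADSTS(\d+)")
STAMP = re.compile(r"'(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+Z'")


def parse_attempts(message):
    """Split the chained-credential message into {credential name: detail text}."""
    attempts, current = {}, None
    for line in message.splitlines():
        m = ATTEMPT.match(line)
        if m:
            current = m.group(1)
            attempts[current] = m.group(2)
        elif current:
            attempts[current] += "\n" + line  # unindented continuation of the last entry
    return attempts


def classify(detail):
    """Label one attempt as 'unavailable' (not configured) or 'failed' (tried, rejected)."""
    if "authentication unavailable" in detail:
        return {"status": "unavailable"}
    result = {"status": "failed",
              "aadsts": sorted({int(c) for c in AADSTS.findall(detail)})}
    stamps = [datetime.strptime(s, "%Y-%m-%dT%H:%M:%S") for s in STAMP.findall(detail)]
    if len(stamps) == 2:
        issued, valid_from = stamps
        # Grant issued before TokensValidFrom: revoked server-side, so the cached copy is stale.
        result["revoked_grant"] = issued < valid_from
    return result


def diagnose(message):
    return {name: classify(detail) for name, detail in parse_attempts(message).items()}


if __name__ == "__main__":
    for name, info in diagnose(SAMPLE).items():
        print(name, info)
```

A `failed` entry with `revoked_grant` set to true points at a stale cached grant, which matches the two fixes reported in the thread: deleting the cache files or excluding the shared token cache credential.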