[Azure-Identity] How to properly use ChainedTokenCredential? #20210

Closed
gmantri opened this issue Apr 8, 2021 · 15 comments
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-author-feedback Workflow: More information is needed from author to address the issue. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

gmantri commented Apr 8, 2021

Describe the bug
I am trying to implement ChainedTokenCredential wherein I would want the code to use ManagedIdentityCredential when it is run in Azure and VisualStudioCredential when it is running in Visual Studio. Based on the presentation by @jongio and his memealyzer project, I came up with the following code:

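    using Azure.Identity;
    using Azure.Security.KeyVault.Secrets;

    // Credentials are tried in the order listed.
    ChainedTokenCredential chainedTokenCredential = new ChainedTokenCredential(
        new ManagedIdentityCredential(),
        new VisualStudioCredential()
        );
    SecretClient client = new SecretClient(new Uri("https://mykv.vault.azure.net"), chainedTokenCredential);
    // Use the SecretClient declared above (the original referenced an undeclared secretClient).
    KeyVaultSecret secret = await client.GetSecretAsync("mysecretkeyname");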

There are two issues I am facing with the code above:

  1. When the code is run in Visual Studio, the code above fails with the following exception:
    Azure.Identity.CredentialUnavailableException: The ChainedTokenCredential failed to retrieve a token from the included credentials. 
    - ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found. 

The exception makes sense as I am running the code locally. However it is my understanding that the SDK will automatically try the next credential provider in the chain if there's an exception. In my case, I was expecting the code to try VisualStudioCredential automatically if getting token via ManagedIdentityCredential failed. However that is not happening.

  2. If I comment out ManagedIdentityCredential and use just VisualStudioCredential, I am getting the following exception:
    Azure.Identity.CredentialUnavailableException: Operating system Darwin 20.3.0 Darwin Kernel Version 20.3.0: Thu Jan 21 00:06:51 PST 2021; root:xnu-7195.81.3~1/RELEASE_ARM64_T8101 isn't supported.

I am using Visual Studio version 8.9.4 (build 25) on a MacBook Air (M1) and the project is developed using .Net 5. I am using Azure.Identity (version 1.3.0).

Expected behavior

  1. ChainedCredential should automatically try the next provider in chain instead of throwing an exception.
  2. VisualStudioCredential should not fail with root:xnu-7195.81.3~1/RELEASE_ARM64_T8101 isn't supported error.

Actual behavior (include Exception or Stack Trace)
I am not seeing the expected behavior and the code fails with the exceptions mentioned above.

Environment:

  • Azure.Identity (1.3.0)
  • MacOS (M1), .Net 5.0
  • Visual Studio for Mac version 8.9.4 (build 25)
jsquire commented Apr 8, 2021

Thank you for your feedback. Tagging and routing to the team members best able to assist.

jongio commented Apr 9, 2021

@gmantri - Can you please try the latest beta release of Azure Identity? https://www.nuget.org/packages/Azure.Identity/1.4.0-beta.5

gmantri commented Apr 9, 2021

@jongio - Thanks for replying. I tried with 1.4.0-beta.5 and unfortunately the result is the same.

In fact, I would say it got worse. I asked the same question on Stack Overflow as well (https://stackoverflow.com/questions/67014794/trying-to-make-some-sense-out-of-all-variants-of-token-credentials-while-getting) and with version 1.3 at least DefaultAzureCredential worked. With the beta version, it also failed with the following error:

    Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token from the included credentials.
    - EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
    - ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
    - Operating system Darwin 20.3.0 Darwin Kernel Version 20.3.0: Thu Jan 21 00:06:51 PST 2021; root:xnu-7195.81.3~1/RELEASE_ARM64_T8101 isn't supported.
    - Stored credentials not found. Need to authenticate user in VSCode Azure Account.
    - Azure CLI not installed
    - PowerShell is not installed.

jongio commented Apr 9, 2021

Okay, thanks. @schaabs and @christothes are the right folks to have a look.

christothes commented

Hi @gmantri It sounds like there are a few issues here:

  1. ManagedIdentityCredential is throwing
  2. VisualStudioCredential is failing
  3. The latest client causes DefaultAzureCredential to fail

For the first issue, this would normally not surface as a thrown exception, but it will if no other credential succeeds. In the case that any subsequent credential in the chain did succeed, this exception would have been swallowed.

For the 2nd issue, unfortunately the VisualStudioCredential does not work for VS for Mac as it does not currently have support for logging in to Azure AD (besides for licensing). I've filed #20283 to track this. As a workaround to this, you could use the Azure CLI credential. The combination of ManagedIdentityCredential and AzureCliCredential should work for your scenario.

For the 3rd issue, one difference in the latest beta version is that there was a minor breaking change from previous betas which disables SharedTokenCacheCredential by default. It's possible that you were previously succeeding due to a cached credential.

If you want to dig into the DefaultAzureCredential issue further, we could get some more detailed information after reproducing this with logging enabled.
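
The workaround and the logging suggestion from the comment above, as an added example (not code from this thread or from the SDK team). The vault URL and secret name are the ones from the original post; `AzureEventSourceListener` is the console logger from `Azure.Core.Diagnostics`.

```csharp
using System;
using System.Diagnostics.Tracing;
using System.Threading.Tasks;
using Azure.Core.Diagnostics;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

static class Program
{
    static async Task Main()
    {
        // Write Azure SDK events, including each credential attempt made by
        // Azure.Identity, to the console while reproducing the failure.
        using AzureEventSourceListener listener =
            AzureEventSourceListener.CreateConsoleLogger(EventLevel.Verbose);

        // Order matters: managed identity first (in Azure), Azure CLI second (local dev).
        var credential = new ChainedTokenCredential(
            new ManagedIdentityCredential(),
            new AzureCliCredential());

        var client = new SecretClient(new Uri("https://mykv.vault.azure.net"), credential);
        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync("mysecretkeyname");
            // Log only the name; the secret value should never be written to logs.
            Console.WriteLine($"Retrieved secret '{secret.Name}'.");
        }
        catch (CredentialUnavailableException ex)
        {
            // Raised only when no credential in the chain produced a token;
            // the message lists the reason reported by each one.
            Console.Error.WriteLine($"No credential available:{Environment.NewLine}{ex.Message}");
        }
        catch (AuthenticationFailedException ex)
        {
            // A credential was available but authentication itself failed.
            Console.Error.WriteLine($"Authentication failed: {ex.Message}");
        }
    }
}
```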

gmantri commented Apr 10, 2021

Hi @christothes - Thanks for replying.

Regarding 1st issue, understood.

Regarding VisualStudioCredential not working on Mac, I understand it now. Thank you for raising an issue for this. It is very much appreciated.

I have already tried using Azure CLI credentials instead of Visual Studio Credentials but unfortunately that doesn't work either. After raising the issue here, I posted a more detailed question on Stack Overflow (https://stackoverflow.com/questions/67014794/trying-to-make-some-sense-out-of-all-variants-of-token-credentials-while-getting) and there I mentioned that Azure CLI credentials is failing with Azure CLI not installed error message. I have connected to Azure CLI both in the macOS terminal as well as Visual Studio terminal but getting the same error message. I am wondering if there're some special instructions that I need to follow to make that work.

Regarding breaking change, thanks! I was not aware of it. After reading about the reasoning behind it, it makes complete sense to me. To future proof my code, I will make this change in my code.

Thanks again for all your help.

christothes commented

The error for Azure CLI is definitely not expected. Internally, the credential runs the following command before it would throw this error:

/bin/sh az account get-access-token --output json --resource <some resource scope>

Do you get an error if you attempt to run this command manually from the shell prompt? I believe you'd need to format it like this:

/bin/sh -c "az account get-access-token --output json --resource <some resource scope>"

gmantri commented Apr 13, 2021

Hi @christothes ... So I ran the following command from the terminal and was able to get the access token successfully:

/bin/sh -c "az account get-access-token --output json"

Please let me know if you want me to try something else?

Thanks for all your help.

christothes commented

I'm at a loss as to why the command works when you run it but not when the AzureCliCredential does. I've created a PR to improve the logging here to see if we can figure it out.

#20354

gmantri commented Apr 14, 2021

Thanks @christothes. Please let me know how I can be of further assistance.

christothes commented

These logging changes took much longer than originally expected. They should be available in the next release (9/7). We've also since added some additional error handling scenarios to AzureCliCredential. Please try your scenario again with this upcoming release.

ghost closed this as completed Sep 24, 2021

iqoOopi commented Jan 28, 2022

var credential = new ChainedTokenCredential(new ClientCertificateCredential(tenantId, clientId, certificate), new VisualStudioCredential());

Hi there, I got the same issue if I chain ClientCertificateCredential with VisualStudioCredential. It will throw if the certificate is null instead of trying the second method. Usually the certificate is only for prod and it should be null when debugging locally.
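
An added example (not from this thread or the Azure SDK) covering two points discussed above: a credential that raises `CredentialUnavailableException` is skipped when a later one succeeds, and a chain can be built so that a null certificate is never handed to `ClientCertificateCredential`. `UnavailableCredential`, `StaticCredential`, `BuildChain` and `isDevelopment` are hypothetical names, the token is a constructed sample, and the tenant and client IDs are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Hypothetical stub: unavailable, like ManagedIdentityCredential outside Azure.
class UnavailableCredential : TokenCredential
{
    public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct) =>
        throw new CredentialUnavailableException("stub: no endpoint found");
    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext ctx, CancellationToken ct) =>
        throw new CredentialUnavailableException("stub: no endpoint found");
}
// Hypothetical stub: returns a constructed, non-functional token.
class StaticCredential : TokenCredential
{
    public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct) =>
        new AccessToken("constructed-sample-token", DateTimeOffset.UtcNow.AddMinutes(5));
    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext ctx, CancellationToken ct) =>
        new ValueTask<AccessToken>(GetToken(ctx, ct));
}
static class Program
{
    // A null certificate never reaches ClientCertificateCredential, and the developer
    // fallback is chained only when isDevelopment is true, so production fails closed.
    static TokenCredential BuildChain(string tenantId, string clientId,
        X509Certificate2 certificate, bool isDevelopment, TokenCredential devFallback)
    {
        var sources = new List<TokenCredential>();
        if (certificate != null)
            sources.Add(new ClientCertificateCredential(tenantId, clientId, certificate));
        if (isDevelopment)
            sources.Add(devFallback);
        if (sources.Count == 0)
            throw new InvalidOperationException("No credential configured for this environment.");
        return new ChainedTokenCredential(sources.ToArray());
    }
    static void Main()
    {
        var request = new TokenRequestContext(new[] { "https://vault.azure.net/.default" });
        // The unavailable stub is skipped; the next credential supplies the token.
        var chain = new ChainedTokenCredential(new UnavailableCredential(), new StaticCredential());
        Console.WriteLine(chain.GetToken(request, CancellationToken.None).Token);
        var local = BuildChain("<tenant-id>", "<client-id>", null, true, new StaticCredential());
        Console.WriteLine(local.GetToken(request, CancellationToken.None).Token);
    }
}
```

In a real project the `devFallback` argument would be a developer credential such as `AzureCliCredential`; with `isDevelopment` false and no certificate, `BuildChain` throws instead of silently using a developer identity.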

jkylehumphrey commented

I'm currently having the same issue. Specifically, Visual Studio is giving me an error when trying to run locally:

Azure.Identity.CredentialUnavailableException: Azure CLI not installed

  • Visual Studio 8.10.21 (build 4)
  • azure-cli

    {
      "azure-cli": "2.34.1",
      "azure-cli-core": "2.34.1",
      "azure-cli-telemetry": "1.0.6",
      "extensions": {}
    }

running /bin/sh -c "az account get-access-token --output json" manually works fine

bradyclifford commented
Seeing a similar issue on Mac running dotnet project locally. Using az login.

@github-actions github-actions bot locked and limited conversation to collaborators Mar 27, 2023