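Azure ChainedTokenCredential fails after password change

Problem description

Azure ChainedTokenCredential fails in local development after a password change. I have been using ChainedTokenCredential for several weeks to authenticate with ManagedIdentityCredential in Azure and with DefaultAzureCredential for local testing of my Function App. Everything worked as expected. Here is a code sample that works in Azure but still works locally.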

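import os

from azure.identity import ChainedTokenCredential, DefaultAzureCredential, ManagedIdentityCredential
from azure.storage.blob import BlobServiceClient

def get_client():
    # Try managed identity first (in Azure), then fall back to DefaultAzureCredential (local)
    MSI_credential = ManagedIdentityCredential()
    default_credential = DefaultAzureCredential()
    credential_chain = ChainedTokenCredential(MSI_credential, default_credential)

    # The storage account URL is read from the environment
    storageurl = os.environ["STORAGE_ACCOUNT"]

    client = BlobServiceClient(storageurl, credential=credential_chain)
    return client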

Last week I had to change my password, and since then I have been getting the following error:

[2021-04-19T15:18:06.931Z] SharedTokenCacheCredential.get_token Failed: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked,a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:06.963Z] Trace ID: xxx
[2021-04-19T15:18:06.972Z] Correlation ID: xxx
[2021-04-19T15:18:06.974Z] Timestamp: 2021-04-19 15:17:46Z'
[2021-04-19T15:18:06.977Z] DefaultAzureCredential.get_token Failed: SharedTokenCacheCredential raised unexpected error "Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked,a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.014Z] Trace ID: xxx
[2021-04-19T15:18:07.040Z] Correlation ID: 
[2021-04-19T15:18:07.046Z] Timestamp: 2021-04-19 15:17:46Z'"
[2021-04-19T15:18:07.061Z] DefaultAzureCredential Failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable,no managed identity endpoint found.
        SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked,a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.094Z] Trace ID: xxx
[2021-04-19T15:18:07.097Z] Correlation xxx
[2021-04-19T15:18:07.108Z] Timestamp: 2021-04-19 15:17:46Z'
[2021-04-19T15:18:07.111Z] ChainedTokenCredential.get_token Failed: DefaultAzureCredential raised unexpected error "DefaultAzureCredential Failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable,a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.147Z] Trace ID: xxx
[2021-04-19T15:18:07.181Z] Correlation ID: xxx
[2021-04-19T15:18:07.195Z] Timestamp: 2021-04-19 15:17:46Z'"
[2021-04-19T15:18:07.201Z] ChainedTokenCredential Failed to retrieve a token from the included credentials.
Attempted credentials:
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable,no managed identity endpoint found.
        DefaultAzureCredential: DefaultAzureCredential Failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable,a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.241Z] Trace ID: xxx
[2021-04-19T15:18:07.264Z] Correlation ID: xxx
[2021-04-19T15:18:07.303Z] Timestamp: 2021-04-19 15:17:46Z'

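What I have tried to resolve it:

  1. Logging in and out of the VSCode Azure extension
  2. Logging in and out of the az cli
  3. az account clear
  4. Clearing the browser cache.
  5. Restarting the PC and VSCode.
  6. Clearing the VSCode cache
    • C:\Users\<user>\AppData\Roaming\Code\Cache
    • C:\Users\<user>\AppData\Roaming\Code\CacheData

I am using the Azure extension's "Attach to Python Functions" to run the debugger. I am not sure how DefaultAzureCredential obtains my credentials. I believe they are stored locally, because I get the same error when I run the debugger without being logged in to the Azure extension. I thought DefaultAzureCredential would use my Azure extension login to authenticate as me, but I am not sure.

Any help would be greatly appreciated!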

Solution

After az account clear, you need to az login with your latest password, the one you can use to sign in to the Azure portal.

DefaultAzureCredential is based on the Azure Identity client library. You can skip the shared cache with

default_credential = DefaultAzureCredential(exclude_shared_token_cache_credential=True)

and try authenticating through the Azure CLI.
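
An added example (not from the original posts): a small parser for the log format shown in the question. It separates credentials that were merely unavailable from the one holding a revoked grant (AADSTS50173) and checks that the cached grant predates the TokensValidFrom date. The names `diagnose`, `REVOKED` and `UNAVAILABLE` and the shortened sample log are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample, shortened from the log format shown in the question.
SAMPLE_LOG = """\
[2021-04-19T15:18:06.931Z] SharedTokenCacheCredential.get_token Failed: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked,a fresh auth token is needed. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.061Z] DefaultAzureCredential Failed to retrieve a token from the included credentials.
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable,no managed identity endpoint found.
"""

# A credential whose stored grant was revoked; timestamps are cut to whole seconds.
REVOKED = re.compile(
    r"(?P<cred>\w+Credential)(?:\.get_token Failed)?: Azure Active Directory error "
    r"'\(invalid_grant\) AADSTS50173.*?issued on '(?P<issued>[\dT:-]{19})"
    r".*?user is '(?P<valid_from>[\dT:-]{19})"
)
# A credential that is simply not configured in this environment.
UNAVAILABLE = re.compile(r"(?P<cred>\w+Credential): \w+ authentication unavailable")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def diagnose(log_text):
    """Return (stale, unavailable): credentials holding a revoked grant, and
    credentials that were not available at all."""
    stale, unavailable = {}, set()
    for line in log_text.splitlines():
        m = REVOKED.search(line)
        if m:
            issued, valid_from = _ts(m["issued"]), _ts(m["valid_from"])
            stale[m["cred"]] = {
                "issued": issued,
                "valid_from": valid_from,
                # True when the cached grant is older than the password change.
                "predates_reset": issued < valid_from,
            }
            continue
        m = UNAVAILABLE.search(line)
        if m:
            unavailable.add(m["cred"])
    return stale, unavailable
```

A credential reported in `stale` is the one whose cache has to be cleared or excluded from the chain; an entry in `unavailable` is expected on a development machine and needs no action.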


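The problem was resolved using @Charles Lowell's solution. I was unable to find the file because I was using fzf.exe (a fuzzy finder tool), which does not look in hidden folders by default. Deleting C:\Users\<user>\AppData\Local\.IdentityService\msal.cache worked.

Another approach I found is to use VisualStudioCodeCredential() instead of DefaultAzureCredential(). This uses the VSCode extension to authenticate. I prefer this approach, but not all developers use VSCode. I am glad I got DefaultAzureCredential working.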

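# Needs VisualStudioCodeCredential from azure.identity; other imports and the rest of the body as in the question
def get_client():

    MSI_credential = ManagedIdentityCredential()
    vscode_credential = VisualStudioCodeCredential()
    credential_chain = ChainedTokenCredential(MSI_credential, vscode_credential)

    storageurl = os.environ["STORAGE_ACCOUNT"]
    client = BlobServiceClient(storageurl, credential=credential_chain)
    return client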

For more information about DefaultAzureCredential(), see here

Thanks, everyone!