Azure ChainedTokenCredential fails after a password change



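Azure ChainedTokenCredential fails for local development after a password change. For several weeks I have been using ChainedTokenCredential to authenticate with ManagedIdentityCredential in Azure and with DefaultAzureCredential for local testing of my Function App. Everything worked as expected. Here is a code sample that still works in Azure but no longer works locally.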

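import os

from azure.identity import ChainedTokenCredential, DefaultAzureCredential, ManagedIdentityCredential
from azure.storage.blob import BlobServiceClient

def get_client():
    # Managed identity is tried first (works in Azure), then the default chain (local development).
    MSI_credential = ManagedIdentityCredential()
    default_credential = DefaultAzureCredential()
    credential_chain = ChainedTokenCredential(MSI_credential, default_credential)
    storageurl = os.environ["STORAGE_ACCOUNT"]
    client = BlobServiceClient(storageurl, credential=credential_chain)
    return client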

Last week I had to change my password, and since then I have been getting the following error.

[2021-04-19T15:18:06.931Z] SharedTokenCacheCredential.get_token failed: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:06.963Z] Trace ID: xxx
[2021-04-19T15:18:06.972Z] Correlation ID: xxx
[2021-04-19T15:18:06.974Z] Timestamp: 2021-04-19 15:17:46Z'
[2021-04-19T15:18:06.977Z] DefaultAzureCredential.get_token failed: SharedTokenCacheCredential raised unexpected error "Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.014Z] Trace ID: xxx
[2021-04-19T15:18:07.040Z] Correlation ID: 
[2021-04-19T15:18:07.046Z] Timestamp: 2021-04-19 15:17:46Z'"
[2021-04-19T15:18:07.061Z] DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.094Z] Trace ID: xxx
[2021-04-19T15:18:07.097Z] Correlation xxx
[2021-04-19T15:18:07.108Z] Timestamp: 2021-04-19 15:17:46Z'
[2021-04-19T15:18:07.111Z] ChainedTokenCredential.get_token failed: DefaultAzureCredential raised unexpected error "DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.147Z] Trace ID: xxx
[2021-04-19T15:18:07.181Z] Correlation ID: xxx
[2021-04-19T15:18:07.195Z] Timestamp: 2021-04-19 15:17:46Z'"
[2021-04-19T15:18:07.201Z] ChainedTokenCredential failed to retrieve a token from the included credentials.
Attempted credentials:
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
DefaultAzureCredential: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.241Z] Trace ID: xxx
[2021-04-19T15:18:07.264Z] Correlation ID: xxx
[2021-04-19T15:18:07.303Z] Timestamp: 2021-04-19 15:17:46Z'

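What I have tried in order to fix it:

  1. Logging in and out of the VSCode Azure extension
  2. Logging in and out of the az cli
  3. az account clear
  4. Clearing the browser cache
  5. Restarting the PC and VSCode
  6. Clearing the VSCode cache
    • C:\Users\<user>\AppData\Roaming\Code\Cache
    • C:\Users\<user>\AppData\Roaming\Code\CacheData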

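I am using the Azure extension's "Attach to Python Functions" to run the debugger. I'm not sure how DefaultAzureCredential obtains my credentials. I believe they are stored locally, because I get the same error when I run the debugger without being logged in to the Azure extension. I thought DefaultAzureCredential would use my Azure extension login for authentication, but I'm not sure.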

Any help would be greatly appreciated!

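The issue was solved using @Charles Lowell's solution. Because I was using fzf.exe (a fuzzy finder tool), I had trouble finding the file; by default it does not look in hidden folders. Deleting C:\Users\<user>\AppData\Local\.IdentityService\msal.cache worked.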

An alternative I found is to use VisualStudioCodeCredential() instead of DefaultAzureCredential(). This uses the VSCode extension for authentication. I prefer this approach, but not all developers use VSCode. I'm glad DefaultAzureCredential works.

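from azure.identity import ChainedTokenCredential, ManagedIdentityCredential, VisualStudioCodeCredential

def get_client():
    MSI_credential = ManagedIdentityCredential()
    vscode_credential = VisualStudioCodeCredential()
    credential_chain = ChainedTokenCredential(MSI_credential, vscode_credential)
    # The rest of the function (storage URL, BlobServiceClient) is the same as in the question.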

For more information about DefaultAzureCredential(), click here.

Thanks, everyone!

After az account clear, you need to az login with your latest password, i.e. the password you can use to sign in to the Azure portal.

DefaultAzureCredential is based on the Azure Identity client library. You can skip the shared cache using

default_credential = DefaultAzureCredential(exclude_shared_token_cache_credential=True)

and try authenticating via the Azure CLI.
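As an added example (not code from the question or the answers), the following triages the "Attempted credentials" lines of a log like the one above: it separates credentials that were merely unavailable from one that raised an AADSTS error, and for AADSTS50173 checks whether the cached grant predates TokensValidFrom. The helper names `triage` and `parse_stamp` are hypothetical, and the sample input is constructed from lines in the question's log.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the "Attempted credentials" lines from the log in the question.
SAMPLE_LOG = """\
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
"""

ATTEMPT = re.compile(r"^(\w+Credential): (.*)$")
AADSTS = re.compile(r"\b(AADSTS\d+)\b")
STAMP = re.compile(r"'(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z'")


def parse_stamp(text):
    # The error prints seven fractional digits; they are dropped before parsing.
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def triage(log_text):
    """Return one finding per attempted credential (hypothetical helper)."""
    findings = []
    for line in log_text.splitlines():
        m = ATTEMPT.match(line.strip())
        if not m:
            continue
        name, message = m.groups()
        finding = {"credential": name, "status": "unavailable", "code": None, "stale_grant": False}
        code = AADSTS.search(message)
        if code:
            finding["status"] = "error"
            finding["code"] = code.group(1)
            stamps = [parse_stamp(s) for s in STAMP.findall(message)]
            # First stamp: when the grant was issued. Second: TokensValidFrom.
            if len(stamps) == 2 and stamps[0] < stamps[1]:
                finding["stale_grant"] = True
        elif "unavailable" not in message:
            finding["status"] = "error"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

A finding with `stale_grant` set to True means the locally cached grant was issued before the password change, which is the case the answers address by deleting msal.cache or by passing exclude_shared_token_cache_credential=True.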
