
Azure.Identity: VisualStudioCodeCredential causes difficult to debug issues when using a live account #19511

@allanlw


Summary: Using the DefaultAzureCredential (and therefore VisualStudioCodeCredential) while logged into VSCode with an Azure account where the login is via Microsoft Live leads to tenant errors unless the tenant is explicitly set in the VSCode options.

Attempting to run the following code:

```csharp
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.Resources;
TokenCredential credential = new DefaultAzureCredential();
var rmClient = new ResourcesManagementClient(subscriptionId, credential);
var tenantId = (await rmClient.Subscriptions.GetAsync(subscriptionId)).Value.TenantId;
```

Gives me the following error:

```
[2021-03-14T06:46:11.669Z]
[2021-03-14T06:46:11.669Z] Content:
[2021-03-14T06:46:11.670Z] {"error":{"code":"InvalidAuthenticationTokenTenant","message":"The access token is from the wrong issuer 'https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/'. It must match the tenant 'https://sts.windows.net/<MY TENANT GUID>/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/<MY TENANT GUID>' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."}}
```

You'll note that f8cdef31-a31e-4b4a-93e4-5f571e91255a is the default dummy tenant for Microsoft live accounts, which is sort of documented here.

Setting the azure.tenant setting in the VSCode Azure login package solves the problem. Logging out of VSCode Azure login also worked for me because it would then pick up my Azure CLI credentials, which automatically have the right tenant ID.

I believe this is a bug in Azure.Identity because I have no other issues using the VSCode azure login plugin without explicitly setting the tenant ID.

Environment:
VSCode version: 1.54.2
VSCode Azure Account plugin version: 0.97
Azure.Identity version: 1.3.0
Azure.ResourceManager.Resources version: 1.0.0-preview.2

See also #17235 and even #11559 which are perhaps related because it is using the live dummy tenant id but that's not mentioned in the thread.
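
An added diagnostic example, not from the issue author or the Azure SDK: it decodes an access token's payload and reports which tenant issued it, so the mismatch described above can be spotted before Resource Manager rejects the call. The sample tokens and the expected-tenant GUID are constructed placeholders, and the names `TokenTenantCheck`, `Diagnose` and `FakeJwt` are hypothetical.

```csharp
using System;
using System.Text;
using System.Text.Json;

static class TokenTenantCheck
{
    // Tenant GUID quoted in the error above for Microsoft Live accounts.
    const string LiveTenant = "f8cdef31-a31e-4b4a-93e4-5f571e91255a";

    // Decode the payload segment of a compact JWT. Diagnostics only: the
    // signature is NOT verified, so never base an authorization decision on this.
    static JsonElement ReadPayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        return doc.RootElement.Clone();
    }

    public static string Diagnose(string jwt, string expectedTenant)
    {
        JsonElement p = ReadPayload(jwt);
        string tid = p.TryGetProperty("tid", out var t) ? t.GetString() : null;
        if (tid == null) return "token has no tid claim";
        if (string.Equals(tid, expectedTenant, StringComparison.OrdinalIgnoreCase))
            return "ok: token issued by the subscription's tenant";
        if (string.Equals(tid, LiveTenant, StringComparison.OrdinalIgnoreCase))
            return "mismatch: token issued by the Microsoft Live tenant; set the tenant explicitly";
        return $"mismatch: token issued by tenant {tid}";
    }

    // Builds an unsigned, constructed sample token for the demo below.
    static string FakeJwt(string payloadJson)
    {
        string Enc(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return Enc("{\"alg\":\"none\"}") + "." + Enc(payloadJson) + ".sig";
    }

    static void Main()
    {
        const string expected = "00000000-0000-0000-0000-000000000001"; // placeholder tenant
        Console.WriteLine(Diagnose(FakeJwt($"{{\"tid\":\"{LiveTenant}\"}}"), expected));
        Console.WriteLine(Diagnose(FakeJwt($"{{\"tid\":\"{expected}\"}}"), expected));
    }
}
```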

Labels

- Azure.Identity
- Client: This issue is related to a non-management package
- customer-reported: Issues that are reported by GitHub users external to the Azure organization.
- needs-team-attention: Workflow: This issue needs attention from Azure service team or SDK team
- question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
