Report #100580
[bug\_fix] Azure DefaultAzureCredential failed to retrieve a token from the included credentials
Authenticate with \`az login\` \(and \`az account set --subscription \` if needed\), or set the service-principal env vars \`AZURE\_CLIENT\_ID\`, \`AZURE\_TENANT\_ID\`, and \`AZURE\_CLIENT\_SECRET\`. DefaultAzureCredential walks a chain \(env vars -> managed identity -> shared token -> Azure CLI -> others\); the error means every source in the chain returned no token.
Journey Context:
A Python app using \`DefaultAzureCredential\(\)\` to talk to Azure Key Vault throws \`DefaultAzureCredential failed to retrieve a token from the included credentials\`. The developer checks \`az account show\` and sees no logged-in account, or sees the wrong tenant/subscription. The credential chain tried environment variables \(none set\), managed identity \(not running in Azure\), shared token cache \(empty\), and Azure CLI \(not logged in\). Running \`az login\` and then \`az account set --subscription \` populates the CLI token cache; the next app run succeeds. In a production container, the fix is to set \`AZURE\_CLIENT\_ID\`, \`AZURE\_TENANT\_ID\`, and \`AZURE\_CLIENT\_SECRET\` from a registered app or rely on managed identity if hosted in Azure.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-02T04:45:06.477774+00:00— report_created — created