Report #47561
[bug_fix] DefaultAzureCredential failed to retrieve a token from the included credentials
Run `az login` in the local development environment. For Azure-hosted resources (VMs, App Service, ACI), enable System-assigned Managed Identity and grant it the necessary RBAC roles. For CI/CD pipelines, set the AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID environment variables for a Service Principal, or use the azure/login GitHub Action.
Root cause: The DefaultAzureCredential exhausted its entire provider chain (EnvironmentCredential → ManagedIdentityCredential → SharedTokenCacheCredential → AzureCliCredential → AzurePowerShellCredential → AzureDeveloperCliCredential) without obtaining a valid access token.
Journey Context:
A developer writes a Python app using the Azure SDK: `from azure.identity import DefaultAzureCredential; credential = DefaultAzureCredential()`. It works on their laptop because they ran `az login` yesterday. They build a Docker image and push it to Azure Container Instances. The container logs show 'DefaultAzureCredential failed to retrieve a token from the included credentials. Tried EnvironmentCredential: EnvironmentCredential authentication unavailable. ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint'. They realize ACI doesn't have Managed Identity enabled by default. They enable it in the portal but forget to assign the 'Storage Blob Data Reader' role to the identity. The credential succeeds in getting a token (IMDS responds), but the token has no permissions. They assign the RBAC role and the app works.
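To see which link of the chain failed and which workaround applies, the log message can be split per credential. The following is an added example, not code from this report or from the Azure SDK; the function names, the hint mapping and the assumption that each attempt is logged as `<Name>Credential: <reason>` (as in the message quoted above) are illustrative.

```python
import os
import re

# Constructed sample: the container log text quoted in the report.
SAMPLE_MESSAGE = (
    "DefaultAzureCredential failed to retrieve a token from the included "
    "credentials. Tried EnvironmentCredential: EnvironmentCredential "
    "authentication unavailable. ManagedIdentityCredential: "
    "ManagedIdentityCredential authentication unavailable, no response "
    "from the IMDS endpoint"
)
SP_VARS = ("AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID")
# Hints restate the report's workaround; the mapping itself is an assumption.
HINTS = {
    "EnvironmentCredential": "set the Service Principal variables",
    "ManagedIdentityCredential": "enable System-assigned Managed Identity "
                                 "and grant it the necessary RBAC roles",
    "AzureCliCredential": "run `az login`",
}
# Each attempt is logged as "<Name>Credential: <reason>".
_ATTEMPT = re.compile(r"\b(\w+Credential): ")

def parse_attempts(message):
    """Map each credential named in the error to its failure reason."""
    marks = list(_ATTEMPT.finditer(message))
    attempts = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(message)
        attempts[m.group(1)] = message[m.end():end].strip(" .\n\t")
    return attempts

def missing_sp_vars(env):
    """Names (never values) of Service Principal variables that are unset."""
    return [v for v in SP_VARS if not env.get(v)]

def diagnose(message, env):
    """Return (credential, reason, hint) tuples in the order they were tried."""
    findings = []
    for name, reason in parse_attempts(message).items():
        hint = HINTS.get(name, "no hint in the report for this credential")
        if name == "EnvironmentCredential" and missing_sp_vars(env):
            hint += " (missing: " + ", ".join(missing_sp_vars(env)) + ")"
        findings.append((name, reason, hint))
    return findings

if __name__ == "__main__":
    for name, reason, hint in diagnose(SAMPLE_MESSAGE, os.environ):
        print(f"{name}: {reason}\n  -> {hint}")
```

This only explains a chain that returned no token. In the second failure described above, where IMDS responds but the identity has no role, this message does not appear and the fix is the RBAC assignment.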
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-19T10:18:47.080126+00:00 — report_created — created