Report #54939
[bug_fix] DefaultAzureCredential failed to retrieve a token from the included credentials. EnvironmentCredential: EnvironmentCredential is unavailable. AzureCLICredential: Please run 'az login' to set up account. ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable. No managed identity endpoint found.
Run `az login` in the terminal to authenticate the Azure CLI, which the DefaultAzureCredential will then use to obtain an access token for the logged-in user. Alternatively, set the environment variables AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID to use a service principal, or ensure the code is running in an Azure-hosted environment (VM, App Service) with a managed identity assigned.
Journey Context:
Developer writes a Python script using `azure-identity` and `azure-keyvault-secrets` to fetch a secret. The code works when deployed to an Azure VM with a managed identity assigned, but fails on their local Windows laptop with the verbose DefaultAzureCredential error. They initially think the library is broken because the error lists multiple credential types that failed. They debug by adding logging: `logging.basicConfig(level=logging.DEBUG)` and see the chain tried EnvironmentCredential (missing AZURE_* env vars), ManagedIdentityCredential (failed to reach 169.254.169.254), AzurePowerShellCredential (not installed), and AzureCLICredential (found `az` binary but no cached token). They realize DefaultAzureCredential is an opinionated chain meant to work in different environments transparently. The fix is to run `az login`, which opens a browser, authenticates against Azure AD, and caches the refresh token in ~/.azure/. The next script run uses AzureCLICredential successfully to get an access token for the Key Vault resource.
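A local preflight for the credential sources named in the error above, as an added example that is not part of the original report or of `azure-identity`. The function names `preflight` and `first_usable` are hypothetical, the `IDENTITY_ENDPOINT` and `MSI_ENDPOINT` variables are an assumption not taken from the report, and the `~/.azure` check is a heuristic.

```python
import os
import shutil
from pathlib import Path

# Service principal variables named in the fix above.
SP_VARS = ("AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID")
# Assumption (not from the report): endpoint variables set on App Service style hosts.
MI_VARS = ("IDENTITY_ENDPOINT", "MSI_ENDPOINT")


def preflight(env=None, which=shutil.which, azure_dir=None):
    """Return {credential: (usable, reason)} from local checks only.

    No token is requested, and variable values never appear in the output,
    so the report can be pasted into a ticket without leaking the secret.
    """
    env = os.environ if env is None else env
    azure_dir = Path(azure_dir) if azure_dir else Path.home() / ".azure"
    report = {}

    missing = [name for name in SP_VARS if not env.get(name)]
    report["EnvironmentCredential"] = (
        (False, "missing: " + ", ".join(missing)) if missing
        else (True, "service principal variables set"))

    # A VM is served by IMDS at 169.254.169.254; that needs a network
    # probe, so this offline check only looks at the endpoint variables.
    has_mi = any(env.get(name) for name in MI_VARS)
    report["ManagedIdentityCredential"] = (
        (True, "managed identity endpoint variable set") if has_mi
        else (False, "no endpoint variable; IMDS not probed"))

    # Heuristic: a ~/.azure directory shows the CLI has been used, not that
    # the cached token is still valid. `az account show` confirms the login.
    if which("az") is None:
        report["AzureCLICredential"] = (False, "az not found on PATH")
    elif not azure_dir.is_dir():
        report["AzureCLICredential"] = (False, "az found, no cache; run 'az login'")
    else:
        report["AzureCLICredential"] = (True, "az found, cache directory present")
    return report


def first_usable(report):
    """Name of the first credential that looks usable, or None."""
    return next((name for name, (ok, _) in report.items() if ok), None)


if __name__ == "__main__":
    for name, (ok, reason) in preflight().items():
        print(f"{'ok  ' if ok else 'FAIL'} {name}: {reason}")
```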
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-19T22:42:28.102671+00:00— report_created — created