I'm trying to allow an app service (python) to get secrets from azure keyvault without the usage of hardcoded client id/secrets, therefore I'm trying to use ManagedIdentity.
code:
from azure.identity import ManagedIdentityCredential
from azure.keyvault.secrets import SecretClient

VAULT_URL = "https://<your-vault-name>.vault.azure.net/"  # placeholder for the real vault URL
credentials_object = ManagedIdentityCredential()  # only works where a managed identity endpoint exists
client = SecretClient(vault_url=VAULT_URL, credential=credentials_object)
value = client.get_secret('MYKEY').value
error (when app is deployed and when running locally):
azure.identity._exceptions.CredentialUnavailableError: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
What am I missing? Thank you!
It's important to understand that the Managed Identity feature in Azure is ONLY relevant when, in this case, the App Service is deployed. This would mean you would probably want to use DefaultAzureCredential() from the Azure.Identity library, which is compatible both when running locally and for the deployed web app.
This class will run down the hierarchy of possible authentication methods, and when running locally I prefer to use a service principal. Run the following in Azure CLI to create a service principal: az ad sp create-for-rbac --name localtest-sp-rbac --skip-assignment. You then add the service principal localtest-sp-rbac in the IAM for the required Azure services.
I recommend reading this article for more information and how to configure your local environment: https://learn.microsoft.com/en-us/azure/developer/python/configure-local-development-environment
You can see the list of credential types that DefaultAzureCredential() goes through in the Azure docs.
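The following is an added example (not code from the question or the answer above) showing how the DefaultAzureCredential chain plays out in practice: it reports which credential source the process is positioned to use, and reads a secret with DefaultAzureCredential instead of ManagedIdentityCredential. It assumes the local service principal is passed through the AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET environment variables that EnvironmentCredential reads, and that App Service exposes the managed identity endpoint through IDENTITY_ENDPOINT and IDENTITY_HEADER; the VAULT_URL environment variable and the helper function names are my own.

```python
"""Added example: pick the right credential source for Key Vault, locally and in App Service."""
import os
from typing import Mapping, List

# Variables that EnvironmentCredential (first link of the DefaultAzureCredential chain)
# reads for a service-principal client-secret login. Set these from the output of
# `az ad sp create-for-rbac` when running locally; never hard-code them.
SP_ENV_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")

# Variables App Service injects when a managed identity is assigned (assumed names).
# Their absence is what produces "no managed identity endpoint found" locally.
MI_ENV_VARS = ("IDENTITY_ENDPOINT", "IDENTITY_HEADER")


def credential_source(env: Mapping[str, str] = os.environ) -> str:
    """Return which link of the chain is expected to succeed first:
    'environment' (service principal), 'managed_identity', or 'none'."""
    if all(env.get(name) for name in SP_ENV_VARS):
        return "environment"
    if all(env.get(name) for name in MI_ENV_VARS):
        return "managed_identity"
    return "none"


def missing_sp_vars(env: Mapping[str, str] = os.environ) -> List[str]:
    """List the service-principal variables that still need to be set for local runs."""
    return [name for name in SP_ENV_VARS if not env.get(name)]


def read_secret(vault_url: str, name: str, credential=None) -> str:
    """Fetch one secret value from Key Vault.

    The credential defaults to DefaultAzureCredential, so the same code works on a
    developer machine (service principal or `az login`) and in App Service (managed
    identity). Azure imports are deferred so the diagnostic helpers above work without
    the SDK installed.
    """
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    cred = credential or DefaultAzureCredential()
    client = SecretClient(vault_url=vault_url, credential=cred)
    return client.get_secret(name).value


if __name__ == "__main__":
    source = credential_source()
    if source == "none":
        raise SystemExit(
            "No usable credential source. Locally, set %s; in App Service, assign a "
            "managed identity and grant it access to the vault."
            % ", ".join(missing_sp_vars())
        )
    print("credential source:", source)
    print(read_secret(os.environ["VAULT_URL"], "MYKEY"))
```

Running `az login` on the developer machine also satisfies the chain (AzureCliCredential sits further down it), so the environment variables are only one of the local options; the check above just makes the most common cause of the CredentialUnavailableError in the question visible before any network call is made.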