Keyvault with AzureCliCredential fails from AML Compute #41875

Open
@mlongtin0

  • Package Name: azure-keyvault-secrets
  • Package Version: 4.10.0
  • Operating System: Ubuntu 20.04.6 LTS
  • Python Version: Python 3.12.10 (main, May 22 2025, 01:59:14) [Clang 20.1.4 ] on linux

Describe the bug
When running on an AML Compute node, using AzureCliCredential, calling get_secret on a key vault, we get this error:
ClientAuthenticationError: ERROR: Tenant shouldn't be specified for managed identity account

It appears that when receiving the challenge, it passes the tenant_id to az account get-token and it doesn't like that.

To Reproduce
Steps to reproduce the behavior:

  1. Login via az cli: az login -i --client-id $DEFAULT_IDENTITY_CLIENT_ID
  2. Run this:
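     import azure.identity
     from azure.keyvault.secrets import SecretClient
     # my_kv_name / my_secret_name: vault and secret names, not given in the report
     cred = azure.identity.AzureCliCredential()
     secret_cli = SecretClient(f"https://{my_kv_name}.vault.azure.net", cred)
     secret = secret_cli.get_secret(my_secret_name) # Boom!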

Note that az keyvault secret show works fine.

Expected behavior
That get_secret call works.
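
A diagnostic wrapper for testing the hypothesis in the report, added here as an example and not taken from the issue or the Azure SDK: it forwards get_token to any credential but drops the tenant_id keyword, refusing when the challenge tenant differs from the one you expect. TenantlessCredential, FakeCliCredential, expected_tenant and the tenant GUID are hypothetical or constructed; it assumes the client passes the challenge tenant as the tenant_id keyword of get_token.

```python
import logging

log = logging.getLogger("tenantless")


class TenantlessCredential:
    """Forward get_token() to `inner` without the tenant_id keyword.

    Assumption: the caller puts the tenant taken from the Key Vault
    challenge in kwargs["tenant_id"].
    """

    def __init__(self, inner, expected_tenant=None):
        self._inner = inner
        self._expected = expected_tenant
        self.dropped = []  # tenant ids removed, kept for inspection

    def get_token(self, *scopes, **kwargs):
        tenant = kwargs.pop("tenant_id", None)
        if tenant is not None:
            # Do not silently authenticate against a vault in another tenant.
            if self._expected and tenant.lower() != self._expected.lower():
                raise ValueError(f"unexpected challenge tenant {tenant}")
            self.dropped.append(tenant)
            log.warning("dropping tenant_id=%s for %s", tenant, scopes)
        return self._inner.get_token(*scopes, **kwargs)


class FakeCliCredential:
    """Constructed stand-in that mimics the failure reported above."""

    def get_token(self, *scopes, tenant_id=None, **kwargs):
        if tenant_id:
            raise RuntimeError(
                "ERROR: Tenant shouldn't be specified for managed identity account")
        return ("constructed-token", scopes)


def demo():
    scope = "https://vault.azure.net/.default"
    tenant = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
    inner = FakeCliCredential()
    try:
        direct = inner.get_token(scope, tenant_id=tenant)
    except RuntimeError as exc:
        direct = str(exc)  # same error text as in the report
    wrapped = TenantlessCredential(inner, expected_tenant=tenant)
    return direct, wrapped.get_token(scope, tenant_id=tenant), wrapped.dropped
```

To try it against the real SDK, pass TenantlessCredential(azure.identity.AzureCliCredential()) to SecretClient; whether that resolves this issue is not confirmed on this page.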

Labels: Azure.Identity, Client, KeyVault, customer-reported, needs-team-attention, question
