DefaultAzureCredential() not working with app registration and Environment variables


I have an Azure Function. To access a key vault it uses a managed identity when running in the cloud, but when running locally I am trying to use a service principal.

var credential = new DefaultAzureCredential();

I constantly get the error:

DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot

Drilling down in the credential object, I see the following error for the Environment Credential:

EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot

I must be missing a step, so would appreciate some assistance. The steps I have taken so far are:

  1. Create an app registration & secret.
  2. Copy out the client_ID, Tenant_ID & Secret_Value, and place them in environment variables on my PC. I tried with both user and system variables. I can see via logging code that Visual Studio can read the variables.
  3. I grant the app registration read privileges on the key vault.

Before even looking at the key vault, however, when generating the credential, the error is thrown.

I would appreciate some input as to why this might be happening.

Other notes:

  • I cannot use an AD Account as all accounts use MFA.
  • I have tried this on multiple different networks to ensure it's not a firewall issue.

RithwikBojja On

I got the same error, so I modified the code and used the code below, with which I am able to retrieve the secret:

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Extensions.Logging;

namespace FunctionApp136
{
    public class Function1
    {
        private readonly ILogger<Function1> _logger;

        public Function1(ILogger<Function1> logger)
        {
            _logger = logger;
        }

        [Function("Function1")]
        public IActionResult Run([HttpTrigger(AuthorizationLevel.Function, "get", "post")] HttpRequest req)
        {
            _logger.LogInformation("C# HTTP trigger function processed a request.");

            // Read the service principal's details from user-scoped environment variables.
            string rith_clientId = Environment.GetEnvironmentVariable("RITH_CLIENT_ID", EnvironmentVariableTarget.User);
            string rith_clientSecret = Environment.GetEnvironmentVariable("RITH_SECRET", EnvironmentVariableTarget.User);
            string rith_tenantId = Environment.GetEnvironmentVariable("RITH_TENANT_ID", EnvironmentVariableTarget.User);

            // Authenticate as the service principal directly instead of through DefaultAzureCredential.
            var credential = new ClientSecretCredential(rith_tenantId, rith_clientId, rith_clientSecret);
            var vaultUrl = "https://testvaultvb.vault.azure.net/";
            var rith_client = new SecretClient(new Uri(vaultUrl), credential);

            // Fetch the secret named "test" from the vault.
            var rith_Keyvault_secret = "test";
            KeyVaultSecret rithout = rith_client.GetSecret(rith_Keyvault_secret);

            Console.WriteLine("Secret is:  " + rithout.Value);
            return new OkObjectResult("Welcome to Azure Functions!");
        }
    }
}


In the above code I have taken the environment variable values from the user variables. To get the value from system variables, use this: Environment.GetEnvironmentVariable("RITH_CLIENT_ID", EnvironmentVariableTarget.Machine);

You need to use Machine in place of User.

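As an added example (not code from the question or the answer): a diagnostic for the "Environment variables are not fully configured" error in the question. `EnvironmentCredential` reads the names `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET` from the process environment; the class name `EnvCredentialCheck` is hypothetical, and the sketch assumes the Azure.Identity package is referenced.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Threading;
using Azure.Core;
using Azure.Identity;
// Hypothetical diagnostic class (added example, not from the original post).
public static class EnvCredentialCheck
{
    // Names EnvironmentCredential reads for client-secret authentication.
    static readonly string[] Required = { "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET" };

    static bool IsSet(string name, EnvironmentVariableTarget scope) =>
        !string.IsNullOrEmpty(Environment.GetEnvironmentVariable(name, scope));

    // Reports presence per scope (never the values); true if the process sees all three.
    public static bool ReportScopes()
    {
        bool windows = RuntimeInformation.IsOSPlatform(OSPlatform.Windows);
        bool allInProcess = true;
        foreach (var name in Required)
        {
            bool process = IsSet(name, EnvironmentVariableTarget.Process);
            // User and Machine scopes are registry-backed and only meaningful on Windows.
            bool user = windows && IsSet(name, EnvironmentVariableTarget.User);
            bool machine = windows && IsSet(name, EnvironmentVariableTarget.Machine);
            Console.WriteLine($"{name}: process={process} user={user} machine={machine}");
            allInProcess &= process;
        }
        return allInProcess;
    }

    public static void Main()
    {
        if (!ReportScopes()) return; // EnvironmentCredential would be unavailable here.
        try
        {
            // Request a Key Vault token with EnvironmentCredential alone, so a failure
            // is not masked by the other credentials in the DefaultAzureCredential chain.
            var context = new TokenRequestContext(new[] { "https://vault.azure.net/.default" });
            AccessToken token = new EnvironmentCredential().GetToken(context, CancellationToken.None);
            Console.WriteLine($"Token acquired, expires {token.ExpiresOn:u}");
        }
        catch (AuthenticationFailedException ex)
        {
            Console.WriteLine($"Authentication failed: {ex.Message}");
        }
    }
}
```

A name that shows `user=True` or `machine=True` but `process=False` was set after the IDE or Functions host started; restart it so the new process inherits the value. For a locally run function, entries under `Values` in local.settings.json are also loaded into the process environment by the Functions host.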