Reputation: 355
GraphRbacManagementClient.applications.create() returns Access Token missing or malformed
We're trying to create an Azure application registration using the Python SDK (v2.0) and the current user's CLI credentials.
from azure.common.credentials import get_azure_cli_credentials
from azure.graphrbac import GraphRbacManagementClient
credentials, subscription_id = get_azure_cli_credentials()
client = GraphRbacManagementClient(credentials, 'my-tenant-id')
app_parameters = {
'available_to_other_tenants': False,
'display_name': 'my-app-name',
'identifier_uris': ['http://my-app-name.com']
}
app = client.applications.create(app_parameters)
But this returns
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/my-app-code/.venv/lib/python3.6/site-packages/azure/graphrbac/operations/applications_operations.py", line 86, in create
raise models.GraphErrorException(self._deserialize, response)
azure.graphrbac.models.graph_error.GraphErrorException: Access Token missing or malformed.
We noted that we can avoid this error when using ServicePrincipalCredentials by including resource='https://graph.windows.net' in the constructor, but there doesn't seem to be an equivalent way to do this when using get_azure_cli_credentials().
Are we doing something wrong, or should this work?
Please do not reply that we should be using ServicePrincipalCredentials. Our use case is explicitly that the interactive user can create/register an Azure application using the Python SDK.
Upvotes: 1
Views: 1071
Answers (2)
Reputation: 327
You can get the credentials and tenant_id at once and create an client line this:
from azure.common.credentials import get_azure_cli_credentials
from azure.graphrbac import GraphRbacManagementClient
cred, _, tenant_id = get_azure_cli_credentials(
resource='https://graph.windows.net',
with_tenant=True)
client = GraphRbacManagementClient(cred, tenant_id)
This works like a charm.
Note that this api is deprecated. Favour the new Microsoft Graph (over Azure AD Graph).
Upvotes: 0
Reputation: 3546
get_azure_cli_credentials is indeed not able yet to provide you a Credentials class with a "resource" definition different than ARM for now (now being: azure-common 1.1.10 and below)
You can workaround by doing:
from azure.common.credentials import get_cli_profile
profile = get_cli_profile()
cred, subscription_id, _ = profile.get_login_credentials(resource='https://graph.windows.net')
Please create an issue on https://github.com/Azure/azure-sdk-for-python, with a link to this SO, and I will try to do it for the next release of azure-common.
(I work at MS and own this code)
Edit: Released part of 1.1.11 https://pypi.org/project/azure-common/1.1.11/
from azure.common.credentials import get_azure_cli_credentials
cred, subscription_id = get_azure_cli_credentials(resource='https://graph.windows.net')
Upvotes: 6
Related Questions
- Microsoft graph return "access token is empty"
- AADSTS70003: The app requested an unsupported grant type 'client_credential'
- Microsoft Graph API Python SDK "Insufficient privileges to complete the operation."
- Connect to Microsoft Graph via Access Token
- Add Graph API via az ad app permission fails
- Token Generation with /oauth2/token MS Azure API returns AADSTS50034 error
- Microsoft Graph API: Authorization_IdentityNotFound
- Can't figure out why my azure python-webapp-graph-api won't recognize my tenant ID
- Python Azure Graph: Access Token missing or malformed
- MS Graph API: invalid authentication token