
WorkloadIdentityCredential missing in DefaultAzureCredential #35657

Closed
alsastre opened this issue May 16, 2024 · 4 comments
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. issue-addressed The Azure SDK team member assisting with this issue believes it to be addressed and ready to close. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@alsastre

  • Package Name: azure-identity
  • Package Version: 1.16.0
  • Operating System: Linux
  • Python Version: 3.12.3

Describe the bug
According to the documentation, WorkloadIdentityCredential is included in DefaultAzureCredential, but it is not.

To Reproduce
Steps to reproduce the behavior:

  1. Given the following env vars:
  • AZURE_CLIENT_ID
  • AZURE_TENANT_ID
  • AZURE_FEDERATED_TOKEN_FILE

The following code fails to obtain a valid credential

from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()

And the following does

from azure.identity import WorkloadIdentityCredential

credential = WorkloadIdentityCredential()

Expected behavior
I would expect that, if exclude_workload_identity_credential is not provided, workload identity should work with DefaultAzureCredential.

Screenshots
Stack trace upon failing:

	EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
	ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource. Error: Unexpected response "{'error': 'invalid_request', 'error_description': 'Identity not found'}"
	SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
	AzureCliCredential: Azure CLI not found on path
	AzurePowerShellCredential: PowerShell is not installed
	AzureDeveloperCliCredential: Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then,once installed, authenticate to your Azure account using 'azd auth login'.
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
Traceback (most recent call last):
  File "/opt/docker/generate-template.py", line 41, in <module>
Processing templates for mx-datagendbflex-acc1-kyc-westeurope...
    instance['client_keys'] = get_secrets(instance['client_keys'])
  File "/opt/docker/generate-template.py", line 16, in get_secrets
    res.update({user: client.get_secret(secret).value})
  File "/usr/local/lib/python3.10/site-packages/azure/core/tracing/decorator.py", line 78, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/azure/keyvault/secrets/_client.py", line 64, in get_secret
    bundle = self._client.get_secret(
  File "/usr/local/lib/python3.10/site-packages/azure/core/tracing/decorator.py", line 78, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/azure/keyvault/secrets/_generated/_operations/_operations.py", line 751, in get_secret
    pipeline_response: PipelineResponse = self._client._pipeline.run(  # pylint: disable=protected-access
  File "/usr/local/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 230, in run
    return first_node.send(pipeline_request)
  File "/usr/local/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
  File "/usr/local/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
  File "/usr/local/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
  [Previous line repeated 2 more times]
  File "/usr/local/lib/python3.10/site-packages/azure/core/pipeline/policies/_redirect.py", line 197, in send
    response = self.next.send(request)
  File "/usr/local/lib/python3.10/site-packages/azure/core/pipeline/policies/_retry.py", line 531, in send
    response = self.next.send(request)
  File "/usr/local/lib/python3.10/site-packages/azure/core/pipeline/policies/_authentication.py", line 135, in send
    request_authorized = self.on_challenge(request, response)
  File "/usr/local/lib/python3.10/site-packages/azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 137, in on_challenge
    self.authorize_request(request, scope, tenant_id=challenge.tenant_id)
  File "/usr/local/lib/python3.10/site-packages/azure/core/pipeline/policies/_authentication.py", line 113, in authorize_request
    self._token = self._credential.get_token(*scopes, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/azure/identity/_credentials/default.py", line 225, in get_token
    token = super().get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/azure/identity/_credentials/chained.py", line 124, in get_token
    raise ClientAuthenticationError(message=message)
azure.core.exceptions.ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
	EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
	ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource. Error: Unexpected response "{'error': 'invalid_request', 'error_description': 'Identity not found'}"
	SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
	AzureCliCredential: Azure CLI not found on path
	AzurePowerShellCredential: PowerShell is not installed
	AzureDeveloperCliCredential: Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then,once installed, authenticate to your Azure account using 'azd auth login'.
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.

Additional context
For anyone trying to set up Workload Identity with Azure Pipelines, this is the setup with which I managed to log in from an Azure DevOps task pipeline:

  - task: AzureCLI@2
    displayName: "Generate templates"
    inputs:
      addSpnToEnvironment: true
      azureSubscription: ${{ parameters.sc }}
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        echo "$idToken" > /shared-data/tokenfile.json
        docker run --rm \
          -v /shared-data/tokenfile.json:/opt/docker/tokenfile.json  \
          -e "AZURE_CLIENT_ID=$servicePrincipalId" \
          -e "AZURE_TENANT_ID=$tenantId" \
          -e "AZURE_FEDERATED_TOKEN_FILE=/opt/docker/tokenfile.json" \
          mytemplategeneratorimage:${{ parameters.generatorVersion }}

and in my mytemplategeneratorimage the following Python code:

from azure.identity import WorkloadIdentityCredential

credential = WorkloadIdentityCredential()

Although it seems they have recently implemented #32143, which would also work (but is also not included in the DefaultAzureCredential helper), that is not yet released, nor has the documentation been updated.

@github-actions github-actions bot added Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels May 16, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@xiangyan99
Member

Thanks for reaching out.

In order to make WorkloadIdentity work in DefaultAzureCredential, please also set the env var AZURE_AUTHORITY_HOST.
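The thread boils down to a precondition: DefaultAzureCredential only adds WorkloadIdentityCredential to its chain when AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE and AZURE_AUTHORITY_HOST are all set, and when that precondition fails the error you get is the confusing chain of unrelated credential failures shown in the report. The following preflight check, an added example that is not part of this issue or of the azure-identity library, verifies those four variables and the mounted token file (present, readable, a well-formed JWT, not yet expired) before the credential is constructed. It assumes the four-variable requirement exactly as stated in this thread, uses `https://login.microsoftonline.com` as an assumed public-cloud authority value, and runs against constructed in-memory token files and placeholder IDs so it works offline.

```python
import base64
import json
import time
from typing import Callable, Dict, List, Optional

# Variables DefaultAzureCredential needs before it includes the workload identity
# credential (per this issue: the reporter set the first three; the maintainer says
# AZURE_AUTHORITY_HOST is also required).
REQUIRED_VARS = (
    "AZURE_CLIENT_ID",
    "AZURE_TENANT_ID",
    "AZURE_FEDERATED_TOKEN_FILE",
    "AZURE_AUTHORITY_HOST",
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Dict:
    """Return the payload claims of a JWT without verifying its signature.

    Diagnostics only (is the file empty, malformed, expired?). Entra ID verifies
    the signature at exchange time; never use unverified claims for authorization.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("token does not have three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def workload_identity_preflight(
    env: Dict[str, str], read_file: Callable[[str], str], now: Optional[float] = None
) -> List[str]:
    """List the problems that would make DefaultAzureCredential skip or fail its
    workload identity branch; an empty list means the branch is usable.

    env and read_file are injected (instead of os.environ / open) so the check
    runs offline; in production pass dict(os.environ) and a real file reader.
    """
    problems: List[str] = []
    missing = [v for v in REQUIRED_VARS if not env.get(v)]
    if missing:
        problems.append("missing env vars: " + ", ".join(missing))
    token_path = env.get("AZURE_FEDERATED_TOKEN_FILE")
    if not token_path:
        return problems
    try:
        token = read_file(token_path)
    except OSError as exc:
        problems.append(f"cannot read token file {token_path}: {exc}")
        return problems
    if not token.strip():
        problems.append(f"token file {token_path} is empty")
        return problems
    try:
        claims = jwt_claims(token)
    except ValueError as exc:  # also covers JSON and base64 decoding errors
        problems.append(f"token file {token_path} is not a JWT: {exc}")
        return problems
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if isinstance(exp, (int, float)) and exp <= current:
        problems.append(f"federated token expired at {int(exp)} (now {int(current)})")
    return problems


def _constructed_jwt(claims: Dict) -> str:
    # Constructed, unsigned sample token for the demo; the signature segment is a dummy.
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


def demo() -> Dict[str, List[str]]:
    """Run the preflight over constructed environments mirroring the issue's docker run."""
    now = 1_700_000_000  # fixed clock so results are deterministic
    files = {  # in-memory stand-in for the mounted token files
        "/opt/docker/tokenfile.json": _constructed_jwt({"aud": "api://AzureADTokenExchange", "exp": now + 3600}),
        "/opt/docker/expired.json": _constructed_jwt({"aud": "api://AzureADTokenExchange", "exp": now - 60}),
    }

    def read(path: str) -> str:
        if path not in files:
            raise FileNotFoundError(path)
        return files[path]

    complete = {
        "AZURE_CLIENT_ID": "00000000-0000-0000-0000-000000000000",  # placeholder
        "AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000000",  # placeholder
        "AZURE_FEDERATED_TOKEN_FILE": "/opt/docker/tokenfile.json",
        "AZURE_AUTHORITY_HOST": "https://login.microsoftonline.com",  # assumed public-cloud authority
    }
    as_reported = {k: v for k, v in complete.items() if k != "AZURE_AUTHORITY_HOST"}
    return {
        "complete": workload_identity_preflight(complete, read, now),
        "as_reported": workload_identity_preflight(as_reported, read, now),
        "expired": workload_identity_preflight({**complete, "AZURE_FEDERATED_TOKEN_FILE": "/opt/docker/expired.json"}, read, now),
        "missing_file": workload_identity_preflight({**complete, "AZURE_FEDERATED_TOKEN_FILE": "/shared-data/missing.json"}, read, now),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```

Calling `workload_identity_preflight(dict(os.environ), lambda p: open(p).read())` at the top of a script like the reporter's generate-template.py, and aborting on a non-empty result, turns the "DefaultAzureCredential failed to retrieve a token from the included credentials" wall into a one-line statement of which variable or file is actually missing. The `as_reported` case reproduces the situation in this issue: three variables set, token file fine, and still nothing but the missing AZURE_AUTHORITY_HOST.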

@xiangyan99 xiangyan99 added the issue-addressed The Azure SDK team member assisting with this issue believes it to be addressed and ready to close. label May 16, 2024

Hi @alsastre. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

@github-actions github-actions bot removed the needs-team-attention This issue needs attention from Azure service team or SDK team label May 16, 2024

Hi @alsastre, since you haven’t asked that we /unresolve the issue, we’ll close this out. If you believe further discussion is needed, please add a comment /unresolve to reopen the issue.
