Unable to authenticate to Azure GraphRBAC using DefaultAzureCredential OR CredentialWrapper

[bensussman]

• Package Name: azure-graphrbac
• Package Version: 0.61.1
• Operating System: Mac OS 10.14.6
• Python Version: Python 3.7.6

Describe the bug
We are unable to use the DefaultAzureCredential OR the CredentialWrapper class (cred_wrapper.py) to authenticate the graphrbac client to create an App, Service Principal, and secret key.

NOTE: I am able to get the API to work if i use UserPassCredentials instead.

To Reproduce
Steps to reproduce the behavior:

1. Log into azure using the azure cli locally.
2. Run python, import azure-graphrbac, and then use DefaultAzureCredential or the CredentialWrapper class (cred_wrapper.py) to create a credential object with the currently-logged-in-user credentials.
3. These credentials are valid to do other azure operations (for example creating a Blob storage container), but when used with graphrbac to create an App, it prints the following error:

azure.graphrbac.models.graph_error_py3.GraphErrorException: Access Token missing or malformed.

Expected behavior
I expect the DefaultAzureCredential or the CredentialWrapper class (cred_wrapper.py) to return credentials that are valid for graphrbac.

Additional context
In addition, this entire Python API is (admittedly newly) legacy and is being deprecated in favor of the Microsoft Graph API here https://docs.microsoft.com/en-us/graph/api/application-post-applications . However there does not seem to be a Python API client that allows us to use this new API yet...

[jeking3]

@bensussman have you tried https://github.com/microsoftgraph/msgraph-sdk-python-core ?

[srusun]

@jeking3 I was able to figure out how to use the GraphRBAC Client with the DefaultAzureCredential. However, when trying to use the new Microsoft Graph API, I ran into a 503 error - "503 Server Error: Service Unavailable for url: https://graph.microsoft.com/v1.0/applications". The response body was as follows,

{
  "error": {
    "code": "Service_ServiceUnavailable",
    "message": "Service is temporarily unavailable. Please wait and retry again.",
    "innerError": {
      "date": "2020-10-06T19:47:59",
      "request-id": ".."
      "client-request-id": ".."
    }
  }
}

[bensussman]

The issue is one of inconsistent permissions and missing API client methods in the SDK. The goal is:

1. Create a permissions object authenticated to the current logged in azure account (normally the azure cli)
2. Use that permissions object to create an App + Service Principal in that app
3. Use that permissions object to create a Client Secret for use authenticating our system as the newly created App/SP.
4. Use that permissions object to create a Custom Role to bind / attach to the SP created in 3
5. Use that permissions object to create a Resource Group, Storage Account (and storage container inside it), VNet, etc.

Here is a code sample:

# credentials work for most resources (the ones listed in 6) above.
# NOTE The AzureIdentityCredentialAdapter() function is defined here: https://github.com/jongio/azidext/blob/master/python/azure_identity_credential_adapter.py
credentials = AzureIdentityCredentialAdapter()
credentials.set_token()
# graph_credentials work ONLY for creating the "Client Secret" from 4 above. 
graph_credentials = AzureIdentityCredentialAdapter(
    resource_id="https://graph.microsoft.com/"
)
graph_credentials.set_token()

# This is the best way (and it's not very good!) we could find to build a client that can create an App/SP
# NOTE it does NOT USE the standard credentials, nor the "graph" credentials.
# This seems like a bug or design flaw!
from azure.common.client_factory import get_client_from_cli_profile
from azure.graphrbac import GraphRbacManagementClient
graphrbac_client = get_client_from_cli_profile(GraphRbacManagementClient)
app = graphrbac_client.applications.create(
    {"available_to_other_tenants": False, "display_name": service_principal_name}
)
sp = graphrbac_client.service_principals.create({"app_id": app.app_id, "account_enabled": True})

# To create the client secret, we use the graph_credentials created at the top, and importantly:
# we go STRAIGHT TO HTTP!! 
# We were UNABLE to find an azure-sdk-for-python solution that supported this endpoint.
# This seems like a bug or a design flaw!
header = {
    "Content-Type": "application/json",
    "Authorization": "Bearer {}".format(graph_credentials.token["access_token"]),
}
url = "https://graph.microsoft.com/v1.0/servicePrincipals/{}/addPassword".format(sp.object_id)
payload = {
    "passwordCredential": {"displayName": "newlyCreatedClientSecret"},
}
response = requests.post(url, data=json.dumps(payload), headers=header)
response.raise_for_status()
secret_info = json.loads(response.text)

# To create a custom role, we use the standard credentials created at the top, and importantly:
# we go STRAIGHT TO HTTP!! 
# We were UNABLE to find an azure-sdk-for-python solution that supported this endpoint.
# This seems like a bug or a design flaw!
from azure.mgmt.authorization import AuthorizationManagementClient
authorization_client = AuthorizationManagementClient(credentials, subscription_id)
role_definition_id = str(uuid.uuid4())
header = {
    "Content-Type": "application/json",
    "Authorization": "Bearer {}".format(credentials.token["access_token"]),
}
role_name = "RoleName"
scope = "subscriptions/{}".format(subscription_id)
url = (
    "https://management.azure.com/{}/providers/Microsoft.Authorization/"
    "roleDefinitions/{}?api-version=2015-07-01".format(scope, role_definition_id)
)
payload = {
    "name": role_definition_id,
    "properties": {
        "roleName": role_name,
        "description": "lorem ipsum",
        "type": "CustomRole",
        "permissions": [{"actions": required_permissions}],
        "assignableScopes": [scope],
    },
}
response = requests.put(url, data=json.dumps(payload), headers=header)
response.raise_for_status()
roles = list(
    authorization_client.role_definitions.list(
        group_id, filter="roleName eq '{}'".format(role_name)
    )
)
assert len(roles) == 1, (
    "Found unexpected number of roles ({}) with name {}. "
    "Expected exactly 1".format(len(roles), role_name)
)
created_role = roles[0]

# Assign Custom Role to Service Principal. We *are* able to do this from the azure-sdk-for-python thankfully
authorization_client.role_assignments.create(
    group_id,
    uuid.uuid4(),
    {
        "role_definition_id": created_role.id,
        "principal_id": object_id,
        "principal_type": "ServicePrincipal",
    },
)

# Create a resource group uses the normal credentials. We *are* able to do this from the azure-sdk-for-python thankfully
resource_client = ResourceManagementClient(credentials, subscription_id)
resource_group = resource_client.resource_groups.create_or_update(
    resource_group_name, {"location": region}
)

As you can see from the detailed example above, the azure-sdk-for python is missing valuable APIs, and is missing a clear credential provider that can be used consistently. There are THREE credentials used:

1. wrapper standard
2. wrapper with graph resource_id
3. get_client_from_cli_profile()

I believe that we can replace 3 above with 2, however it requires us to provide the tenant_id which we don't seem to be able to query the API for a list of valid values, and we were hoping to avoid prompting the user for this value if we can avoid it.

ANOTHER Important thing to note:

To create the App above we use the Graph RBAC client like so:

graphrbac_client = get_client_from_cli_profile(GraphRbacManagementClient)
app = graphrbac_client.applications.create(
    {"available_to_other_tenants": False, "display_name": service_principal_name}
)
sp = graphrbac_client.service_principals.create({"app_id": app.app_id, "account_enabled": True})

However this is the LEGACY API, instead we should be using the new Microsoft Graph REST API, but we are seeing that this API just returns 500 errors consistently, so we had to fall back to the legacy API.

[bensussman]

Any update on this @lmazuel or @jeking3