Invalid scope for ComputeManagementClient for Azure US Government account?


I'm trying to create a simple script that lists out the virtual machines on my Azure US Government account. However, I am faced with this error:

azure.core.exceptions.ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
    VisualStudioCodeCredential: Azure Active Directory error '(invalid_scope) AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://management.azure.com/.default https://management.core.usgovcloudapi.net/.default is not valid. static scope limit exceeded.

This is the code I have used:

import key  # assumed local config module holding SUBSCRIPTION_ID and TENANT_ID (not shown in the post)
from msrestazure.azure_cloud import AZURE_US_GOV_CLOUD
from azure.identity import DefaultAzureCredential
from azure.mgmt.compute import ComputeManagementClient

def get_access_to_virtual_machine():
    subscription_id = key.SUBSCRIPTION_ID
    # Authority points at the US Government login endpoint; three members of the
    # DefaultAzureCredential chain are excluded, so the VS Code credential is among those tried.
    credentials = DefaultAzureCredential(authority = AZURE_US_GOV_CLOUD.endpoints.active_directory, 
                                        tenant_id = key.TENANT_ID,
                                        exclude_environment_credential = True,
                                        exclude_managed_identity_credential = True,
                                        exclude_shared_token_cache_credential = True)               
    # active_directory_resource_id already ends in '/', so this yields
    # 'https://management.core.usgovcloudapi.net/.default' as the requested scope.
    compute_client = ComputeManagementClient(credential = credentials, 
                                            subscription_id = subscription_id, 
                                            base_url = AZURE_US_GOV_CLOUD.endpoints.resource_manager,
                                            credential_scopes = [AZURE_US_GOV_CLOUD.endpoints.active_directory_resource_id + '.default'])
    return compute_client

def get_azure_vm(resource_group_name, virtual_machine_name):
    compute_client = get_access_to_virtual_machine()
    vm_data = compute_client.virtual_machines.get(resource_group_name, 
                                                virtual_machine_name, 
                                                expand = 'instanceView')
    return vm_data

I have signed into my Azure US Government account using Visual Studio as well. The error stems from the compute_client.virtual_machines.get() command. I am 100% sure the credentials I am using are correct but I am really stuck on this. I've tried using ClientSecretCredential instead of DefaultAzureCredential and ran into the same ClientAuthenticationError. In addition, I'm not sure where this scope parameter that the error mentions should be passed in.

There are 2 best solutions below


Not sure which version of the Python SDK you have, but I was able to load the latest modules and get the following code to run in the Azure US Government cloud and pull back VM data:

import os
from msrestazure.azure_cloud import AZURE_US_GOV_CLOUD as CLOUD
from azure.mgmt.compute import ComputeManagementClient
from azure.identity import DefaultAzureCredential

subscription_id = 'xxx-xxx-xxx-xxxx'
tenant_id = 'xxxx-xxxx-xxxx-xxxx'
resource_group_name = 'rgName'
vm_name = 'vmName'

credential = DefaultAzureCredential(
    authority=CLOUD.endpoints.active_directory, 
    tenant_id=tenant_id)

compute_client = ComputeManagementClient(
    credential, subscription_id, 
    base_url=CLOUD.endpoints.resource_manager,
    credential_scopes=[CLOUD.endpoints.resource_manager + '/.default'])

vm_data = compute_client.virtual_machines.get(
    resource_group_name, 
    vm_name, 
    expand = 'instanceView')

print(f"{vm_data.name}")

Some things to note:

  • You had a few of the authentication methods set as excluded; you may want to ensure the method you are expecting is not excluded.
  • The latest SDK sets the environment in the import. I set it to "CLOUD" so that the same code can be used for various clouds by simply changing the import statement.
  • The latest SDK does seem to want '/.default' as part of the credential_scopes.
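The AADSTS70011 message in the question shows two scopes for two different resources (https://management.azure.com and https://management.core.usgovcloudapi.net) arriving in one token request, which the v2 endpoint rejects, and the answer above fixes it by deriving the scope from the same cloud definition as the authority and base_url. The following is an added example, not code from the question or either answer: it checks a scope list offline against those two rules (one resource per request, and that resource must be a management resource of the cloud you authenticate against) and builds credential and client arguments from one endpoint table so they cannot drift apart. Assumptions: the endpoint values are inlined copies of what msrestazure exposes for AZURE_PUBLIC_CLOUD and AZURE_US_GOV_CLOUD, and the dict and function names are my own, not SDK API.

```python
from urllib.parse import urlsplit

# Cloud endpoint table, inlined so the example runs without the Azure SDK.
# Assumption: these are the values msrestazure exposes as AZURE_PUBLIC_CLOUD and
# AZURE_US_GOV_CLOUD (active_directory, resource_manager,
# active_directory_resource_id); the dict and helper names below are my own.
CLOUDS = {
    "public": {
        "active_directory": "https://login.microsoftonline.com",
        "resource_manager": "https://management.azure.com/",
        "active_directory_resource_id": "https://management.core.windows.net/",
    },
    "usgov": {
        "active_directory": "https://login.microsoftonline.us",
        "resource_manager": "https://management.usgovcloudapi.net/",
        "active_directory_resource_id": "https://management.core.usgovcloudapi.net/",
    },
}


def arm_scope(resource: str, permission: str = ".default") -> str:
    """'<resource>/<permission>', tolerating a trailing slash on the resource
    so the result is never 'net.default' or 'net//.default'."""
    return resource.rstrip("/") + "/" + permission


def scope_resource(scope: str) -> str:
    """Resource part (scheme + host, lower-cased) of one v2 scope string."""
    parts = urlsplit(scope)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"not an https resource URI: {scope!r}")
    return f"{parts.scheme}://{parts.netloc.lower()}"


def check_credential_scopes(scopes, cloud: str) -> str:
    """Apply, before any token request, two rules the token endpoint enforces:

    * one request may name only one resource (the question's request carried
      two, hence 'static scope limit exceeded'), and
    * that resource must belong to the cloud whose authority issues the token,
      i.e. the ARM endpoint or legacy management resource id of `cloud`.

    The SDK sends the list space-joined, so a space-joined string is accepted
    and split here as well. Returns the single validated resource."""
    tokens = [t for s in scopes for t in s.split()]
    if not tokens:
        raise ValueError("no scopes given")
    resources = {scope_resource(t) for t in tokens}
    if len(resources) != 1:
        raise ValueError(f"{len(resources)} resources in one request: {sorted(resources)}")
    (resource,) = resources
    allowed = {scope_resource(CLOUDS[cloud][k])
               for k in ("resource_manager", "active_directory_resource_id")}
    if resource not in allowed:
        raise ValueError(f"{resource} is not a management resource of the {cloud} cloud; "
                         f"expected one of {sorted(allowed)}")
    return resource


def scopes_are_valid(scopes, cloud: str) -> bool:
    """Boolean wrapper for callers that only want a yes/no answer."""
    try:
        check_credential_scopes(scopes, cloud)
    except ValueError:
        return False
    return True


def compute_client_kwargs(cloud: str, subscription_id: str, permission: str = ".default") -> dict:
    """Keyword arguments for DefaultAzureCredential ('credential') and
    ComputeManagementClient ('client'), all derived from one endpoint table so
    authority, base_url and scope cannot disagree about which cloud is meant."""
    c = CLOUDS[cloud]
    scopes = [arm_scope(c["resource_manager"], permission)]
    check_credential_scopes(scopes, cloud)
    return {
        "credential": {"authority": c["active_directory"]},
        "client": {
            "subscription_id": subscription_id,
            "base_url": c["resource_manager"],
            "credential_scopes": scopes,
        },
    }


if __name__ == "__main__":
    # The exact scope pair quoted in the AADSTS70011 message from the question.
    failing = "https://management.azure.com/.default https://management.core.usgovcloudapi.net/.default"
    print(scopes_are_valid([failing], "usgov"))                                   # False: two resources
    print(scopes_are_valid(["https://management.azure.com/.default"], "usgov"))   # False: wrong cloud
    print(compute_client_kwargs("usgov", "00000000-0000-0000-0000-000000000000"))
```

Running the check against the pair from the question's error fails on the first rule; a public-cloud scope against the US Government authority fails on the second, and both the answer's `{resource_manager}/.default` form and a `user_impersonation` form on the same resource pass, since the check cares about the resource, not the permission name.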

For Azure Subscriptions management, the scope should be {management-endpoint}/user_impersonation and not {management-endpoint}/.default. For example, in Azure Commercial the scope will be https://management.azure.com/user_impersonation.

I'm not 100% sure but the management endpoint for Azure Government is either https://management.usgovcloudapi.net/ or https://management.core.usgovcloudapi.net/. Based on the correct endpoint, your scope value should be either https://management.usgovcloudapi.net/user_impersonation or https://management.core.usgovcloudapi.net/user_impersonation.

Please try by changing that.

UPDATE

Looking at the GitHub issue here, it seems there's an issue with the SDK itself. Please try the solution proposed here.