devgonvarun opened a new issue, #59135:
URL: https://github.com/apache/airflow/issues/59135
### Apache Airflow Provider(s)
microsoft-azure
### Versions of Apache Airflow Providers
_No response_
### Apache Airflow version
3.1.3
### Operating System
Debian GNU/Linux 12 (bookworm)
### Deployment
Official Apache Airflow Helm Chart
### Deployment details
_No response_
### What happened
ManagedIdentityCredential using workload identity authentication works for
DefaultAzureCredential when using azure-storage-blob + azure-identity, but
not when using apache-airflow-providers-microsoft-azure.
### What you think should happen instead
DefaultAzureCredential should work for
apache-airflow-providers-microsoft-azure when it's working for the Azure Blob
Storage Python client.
### How to reproduce
Create two tasks which require authenticating to blob storage, one using the
Airflow Azure provider and the second directly from the Azure Blob Storage
Python client. In both cases authenticate via DefaultAzureCredential using the
env vars AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE.
The Azure Blob Storage Python client authenticates and works as expected.
```python
from airflow.sdk import task


@task
def az_identity_list_blobs(account_url: str, container_name: str):
    # Direct azure-identity path: DefaultAzureCredential picks up AZURE_CLIENT_ID,
    # AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE from the pod environment.
    from azure.identity import DefaultAzureCredential
    from azure.storage.blob import BlobServiceClient

    default_credential = DefaultAzureCredential()
    client = BlobServiceClient(account_url, credential=default_credential)
    container_client = client.get_container_client(container_name)
    blob_list = container_client.list_blobs()
    for blob in blob_list:
        print("\t" + blob.name)
```
whereas the Airflow Azure provider task fails to authenticate despite also
using DefaultAzureCredential.
```python
from airflow.sdk import task


@task
def az_provider_connection(container_name: str):
    # Provider path: WasbHook resolves the wasb_default connection and is expected
    # to fall back to DefaultAzureCredential when no key/SAS/connection string is set.
    from airflow.providers.microsoft.azure.hooks.wasb import WasbHook

    try:
        conn = WasbHook()
        blobs = conn.get_blobs_list(container_name=container_name)
        print(f"Blobs in container : {blobs}")
    except Exception as e:
        print(f"Blob connection failed: {str(e)}")
```
First of all, it does not use the AZURE_CLIENT_ID and AZURE_TENANT_ID env vars,
and one needs to create a blank wasb_default connection with
managed_identity_client_id and workload_identity_tenant_id filled in the Extra
Fields for it to even find the correct client and tenant ids. But even then it
fails with no matching federated identity record.
```
[2025-12-06 15:33:51] INFO - Using DefaultAzureCredential as credential
source=airflow.task.hooks.airflow.providers.microsoft.azure.hooks.wasb.WasbHook
loc=wasb.py:223
[2025-12-06 15:33:51] WARNING - DefaultAzureCredential failed to retrieve a
token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication
unavailable. Environment variables are not fully configured.
Visit
https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to
troubleshoot this issue.
WorkloadIdentityCredential: Microsoft Entra ID error '(invalid_client)
AADSTS700213: No matching federated identity record found for presented
assertion subject 'system:serviceaccount:airflowadmins:airflowdev-worker'.
Check your federated identity credential Subject, Audience and Issuer against
the presented assertion.
https://learn.microsoft.com/entra/workload-id/workload-identity-federation
Trace ID: 64bccc63-528c-404d-acaf-266ee4c80300 Correlation ID:
c26fe0bc-a6a3-4a49-a2f9-b208b2334ccd Timestamp: 2025-12-06 14:33:51Z'
Content: {"error":"invalid_client","error_description":"AADSTS700213: No
matching federated identity record found for presented assertion subject
'system:serviceaccount:airflowadmins:airflowdev-worker'. Check your federated
identity credential Subject, Audience and Issuer against the presented
assertion.
https://learn.microsoft.com/entra/workload-id/workload-identity-federation
Trace ID: 64bccc63-528c-404d-acaf-266ee4c80300 Correlation ID:
c26fe0bc-a6a3-4a49-a2f9-b208b2334ccd Timestamp: 2025-12-06
14:33:51Z","error_codes":[700213],"timestamp":"2025-12-06
14:33:51Z","trace_id":"64bccc63-528c-404d-acaf-266ee4c80300","correlation_id":"c26fe0bc-a6a3-4a49-a2f9-b208b2334ccd","error_uri":"https://login.microsoftonline.com/error?code=700213"}
To mitigate this issue, please refer to the troubleshooting guidelines here
at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
source=azure.identity._credentials.chained loc=chained.py:224
```
whereas DefaultAzureCredential with the same env variables works when using
the Azure Blob Storage Python client.
### Anything else
_No response_
### Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
### Code of Conduct
- [x] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
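The AADSTS700213 line in the log above says the presented assertion's subject, audience or issuer does not match the federated identity credential on the managed identity. The following script, added here as an example and not code from the issue author, Airflow or azure-identity, decodes the projected token's claims (signature not verified; only for local comparison) and reports which of the three differs from what the federated credential must declare. It assumes the default exchange audience `api://AzureADTokenExchange` and the Kubernetes subject format `system:serviceaccount:<namespace>:<serviceaccount>`; the sample token is constructed inline.

```python
"""Compare a projected workload-identity token's sub/aud/iss with what the
federated identity credential must declare (AADSTS700213 means they differ).
Added example for this issue; not code from Airflow or azure-identity."""
import base64
import json
from typing import Any, Dict, List

EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"  # audience Entra ID expects by default


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> Dict[str, Any]:
    """Return the JWT payload without verifying the signature: we only read
    sub/aud/iss locally, Entra ID is the party that validates the token."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def check_assertion(token: str, namespace: str, service_account: str,
                    audience: str = EXCHANGE_AUDIENCE) -> List[str]:
    """List every way the token differs from what the federated credential must
    declare; an empty list means subject, audience and issuer line up."""
    claims = decode_claims(token)
    problems: List[str] = []
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    if claims.get("sub") != expected_sub:
        problems.append(f"subject {claims.get('sub')!r} != {expected_sub!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"audience {aud!r} does not contain {audience!r}")
    if not str(claims.get("iss", "")).startswith("https://"):
        problems.append(f"issuer {claims.get('iss')!r} is not an https OIDC issuer URL")
    return problems


def make_sample_token(payload: Dict[str, Any]) -> str:
    """Constructed, unsigned token for offline demonstration only (a real one is
    read from AZURE_FEDERATED_TOKEN_FILE and is signed by the cluster issuer)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


# Constructed claims mirroring the subject quoted in the issue's log output.
SAMPLE_TOKEN = make_sample_token({
    "iss": "https://oidc.example.invalid/cluster-id",
    "sub": "system:serviceaccount:airflowadmins:airflowdev-worker",
    "aud": [EXCHANGE_AUDIENCE],
})
```

On a worker pod, pass the contents of the file named by AZURE_FEDERATED_TOKEN_FILE to `check_assertion` with the namespace and service account the Airflow chart created, and fix the federated credential on the managed identity to match whatever is reported.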
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.