AttributeError: 'ChallengeAuthPolicy' object has no attribute '_credential'

[brianreumere]

• Package Name: azure-keyvault-secrets, azure-core, azure-common, azure-identity
• Package Version: 4.0.0, 1.2.0, 1.1.24, 1.2.0
• Operating System: macOS, Linux
• Python Version: 3.7.4

Describe the bug
When using the latest version of the packages listed above, I get an error AttributeError: 'ChallengeAuthPolicy' object has no attribute '_credential' when using set_secret.

To Reproduce
Set the AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID environment variables.

This is a short, slightly obfuscated snippet of the script I am running in an Azure DevOps pipeline.

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
credential = DefaultAzureCredential()
secret_client = SecretClient(vault_url="https://my-vault.vault.azure.net/"., credential=credential)
new_secret = secret_client.set_secret('new-secret-name', 'new-secret-value')

With azure-common-1.1.24, azure-core-1.2.0, azure-identity-1.2.0, and azure-keyvault-secrets-4.0.0 I receive the error AttributeError: 'ChallengeAuthPolicy' object has no attribute '_credential' when running secret_client.set_secret (full trace is included below).

If I explicitly install previous versions, with pip install azure-keyvault-secrets==4.0.0 azure-core==1.1.0 azure-common==1.1.23 azure-identity==1.1.0, the script succeeds.

Expected behavior
The secret is created in Key Vault.

Screenshots

Traceback (most recent call last):
  File "/home/vsts/work/1/s/my-script.py", line 324, in <module>
    main()
  File "/home/vsts/work/1/s/my-script.py", line 304, in main
    access_key_secret = secret_client.set_secret(backend['secret_names'][0], new_key['access_key'])
  File "/opt/hostedtoolcache/Python/3.7.5/x64/lib/python3.7/site-packages/azure/core/tracing/decorator.py", line 71, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "/opt/hostedtoolcache/Python/3.7.5/x64/lib/python3.7/site-packages/azure/keyvault/secrets/_client.py", line 112, in set_secret
    vault_base_url=self.vault_url, secret_name=name, value=value, secret_attributes=attributes, **kwargs
  File "/opt/hostedtoolcache/Python/3.7.5/x64/lib/python3.7/site-packages/azure/keyvault/secrets/_shared/_generated/v7_0/operations/_key_vault_client_operations.py", line 1430, in set_secret
    pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
  File "/opt/hostedtoolcache/Python/3.7.5/x64/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 208, in run
    return first_node.send(pipeline_request)  # type: ignore
  File "/opt/hostedtoolcache/Python/3.7.5/x64/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 80, in send
    response = self.next.send(request)
  File "/opt/hostedtoolcache/Python/3.7.5/x64/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 80, in send
    response = self.next.send(request)
  File "/opt/hostedtoolcache/Python/3.7.5/x64/lib/python3.7/site-packages/azure/core/pipeline/_base.py", line 80, in send
    response = self.next.send(request)
  File "/opt/hostedtoolcache/Python/3.7.5/x64/lib/python3.7/site-packages/azure/core/pipeline/policies/_redirect.py", line 157, in send
    response = self.next.send(request)
  File "/opt/hostedtoolcache/Python/3.7.5/x64/lib/python3.7/site-packages/azure/core/pipeline/policies/_retry.py", line 418, in send
    response = self.next.send(request)
  File "/opt/hostedtoolcache/Python/3.7.5/x64/lib/python3.7/site-packages/azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 67, in send
    self._handle_challenge(request, challenge)
  File "/opt/hostedtoolcache/Python/3.7.5/x64/lib/python3.7/site-packages/azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 91, in _handle_challenge
    access_token = self._credential.get_token(scope)
AttributeError: 'ChallengeAuthPolicy' object has no attribute '_credential'

[tuckeryatesjvion]

I am able to reproduce this behavior as well, using get_secret. I have a CI / CD pipeline that pulls the most recent version of the Azure SDK and throws this error when trying to load keyvault secrets. When I run the same code on my local machine (older version of azure SDK), I do not get this error.

Thanks @brianpcurran for pointing to working versions for a temp workaround. I should probably specify a specific Azure SDK version in my pipeline anyway.

[chlowell]

Thanks for reporting this. I think I can guess the root cause, I'll take a closer look and get a fix ready.

[dbanda]

adding this to self._credential = credential to line 42 in the initializer of ChallengeAuthPolicyBase at challenge_auth_policy.py is a temporary fix.

[lmazuel]

Fix released as azure-core 1.2.1
Please let us now if there is still a problem or open a new issue.
Thanks!