v1 breaks with Error: Login failed
kantkrishan opened this issue · comments
Since 30 min or so, all our pipelines that use azure/login@v1 have started breaking, since the redirection is now happening to v1.5.1. I tried reverting to an older version, i.e. azure/login@v1.4.7, and it started working again.
Here are the error messages I am getting when using v1.
Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.
Attempting Azure CLI login by using service principal with secret...
Error: The subscription of '2a8db146-fa3e-494d-ad0a-f691ffc46d1f' doesn't exist in cloud 'AzureCloud'.
Error: Login failed with Error: The process '/usr/bin/az' failed with exit code 1. Make sure 'az' is installed on the runner. If 'enable-AzPSSession' is true, make sure 'pwsh' is installed on the runner together with Azure PowerShell module. Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information.
##[debug]Error: The process '/usr/bin/az' failed with exit code 1
Can you please check what might have caused this?
Hi @kantkrishan, please pin to v1.4.6 first.
Could you please provide your workflow file and the debug log of your failed run? Please mask the information if necessary.
We are using it via a reusable workflow, so I am sharing the caller workflow and the reusable workflow, both along with logs. Let me know if you need any other detail. I will try with v1.4.6 and will let you know. We would really appreciate it if it could be made to work with v1 itself, since we are using it in several places and changing the version will be tedious.
caller workflow:

```yaml
# Need to setup Secrets and add steps similar to the Jenkins build
# If using jfrog instead of ECR , need a setup for a docker repo and access token
name: sitecore10-build-image-ci
on:
  push:
    branches:
      - dso-cicd-cd-base
  workflow_dispatch:
    inputs:
      logLevel:
        description: 'Log level'
        required: true
        default: 'warning'
#retrigger job
permissions:
  id-token: write # This is required for requesting the JWT
  contents: write # This is required for actions/checkout
  issues: write
jobs:
  KD-Sitecore-Reusable-workflow:
    uses: bcg-cpe-devsecops-shared/github-action-reusable-workflows/.github/workflows/kd-sitecore-image-build.yaml@sitecore
    with:
      service_name: 'sitecore10-build-cdbase'
      # The workflow_dispatch inputs above declare only 'logLevel', so this resolves to an empty string
      branch: ${{ github.event.inputs.Branch }}
      docker_registry: 'bcgprod.jfrog.io'
      docker_image: 'bcgprod.jfrog.io/bcg-kd-sitecore-docker-virtual/sitecore10-build-cmbase'
      #Azure Key vault Variables
      key_array: 'KD-SITECORE-DOCKER-USERNAME,KD-SITECORE-DOCKER-PASSWORD,OCTOPUS-HOST,OCTOPUS-API-KEY'
      run_number: ${{ github.run_number }}
    secrets:
      #AKV secrets
      azure_secret: ${{ secrets.AKV_SECRET }}
      vault_name: ${{ secrets.AKV_VAULT_NAME }}
```
Reusable Workflow:

```yaml
name: Sitecore image builder Reusable workflow
on:
  workflow_call:
    inputs:
      branch:
        required: true
        type: string
      key_array:
        required: true
        type: string
      docker_registry:
        required: true
        type: string
      docker_image:
        required: true
        type: string
      dockerfile_path:
        required: false
        type: string
        default: '.'
      service_name:
        required: true
        type: string
      tag_prefix:
        type: string
        required: false
        default: "release-"
      run_number:
        type: string
        required: true
      release_branch:
        type: string
        required: false
        default: ""
      custom_runner_name:
        type: string
        required: false
        default: "ubuntu-20.04"
      cache_path:
        type: string
        required: false
        default: ""
    secrets:
      azure_secret:
        required: true
      vault_name:
        required: true
jobs:
  Set-Version:
    runs-on: ubuntu-latest
    outputs:
      VERSION_NUM: ${{ steps.set-semantic-version.outputs.VERSION_NUM }}
      TAG_VERSION: ${{ steps.set-semantic-version.outputs.TAG_VERSION }}
      CHANNEL_NAME: ${{ steps.set-semantic-version.outputs.CHANNEL_NAME }}
    steps:
      # Login to azure key vault
      - name: Azure Login via Creds
        uses: azure/login@v1
        with:
          creds: ${{ secrets.azure_secret }}
          allow-no-subscriptions: true
      # Read secrets from azure key vault
      - name: Azure Get Secret
        uses: bcg-cpe-devsecops-shared/get-keyvault-secrets@v1
        with:
          keyvault: ${{ secrets.vault_name }}
          secrets: '${{ inputs.key_array }}'
      # Inserting a space after every character defeats the runner's secret masking:
      # the vault name and the key vault values below land in the job log in clear
      - name: DISPLAY CI REFS
        run: |
          echo ${{ secrets.vault_name }} | sed 's/./& /g'
          echo ${{ env.OCTOPUS-HOST }} | sed 's/./& /g'
          echo ${{ env.KD-SITECORE-DOCKER-USERNAME }} | sed 's/./& /g'
          echo ${{ env.KD-SITECORE-NUGET-USER }} | sed 's/./& /g'
      - name: Checkout Code
        uses: bcg-ep-smp/github-action-composite-actions/Checkout@develop
        with:
          branch: '${{ inputs.branch }}'
      - name: Set Semantic Version
        id: set-semantic-version
        uses: bcg-ep-smp/github-action-composite-actions/SemanticVersion@develop
        with:
          tag_prefix: '${{ inputs.tag_prefix }}'
          branch: '${{ env.DYN_BRANCH }}'
          run_number: '${{ inputs.run_number }}'
          release_branch: '${{ inputs.release_branch }}'
  Docker-Build-Push:
    needs: Set-Version
    runs-on: windows-2019
    env:
      VERSION_NUM: ${{ needs.Set-Version.outputs.VERSION_NUM }}
      TAG_VERSION: ${{ needs.Set-Version.outputs.TAG_VERSION }}
      CHANNEL: ${{ needs.Set-Version.outputs.CHANNEL_NAME }}
    steps:
      - name: Add msbuild to PATH
        uses: microsoft/setup-msbuild@v1.1
      - uses: nuget/setup-nuget@v1
        with:
          nuget-version: '6.x'
      # Login to azure key vault
      - name: Azure Login via Creds
        uses: azure/login@v1
        with:
          creds: ${{ secrets.azure_secret }}
          allow-no-subscriptions: true
      # Read secrets from azure key vault
      - name: Azure Get Secret
        uses: bcg-cpe-devsecops-shared/get-keyvault-secrets@v1
        with:
          keyvault: ${{ secrets.vault_name }}
          secrets: '${{ inputs.key_array }}'
      - name: Checkout Code
        uses: bcg-ep-smp/github-action-composite-actions/Checkout@develop
        with:
          branch: '${{ inputs.branch }}'
      - name: Configure nuget
        if: env.KD-SITECORE-NUGET-USER != '' && env.KD-SITECORE-NUGET-TOKEN != ''
        run: |
          nuget sources list
          $nugetrepo = nuget sources list | findstr nuget.org
          if($nugetrepo -ne "") {
            nuget sources disable -name nuget.org
          }
          $jfrogrepo = nuget sources list | findstr sitecore-nuget
          if($jfrogrepo -eq "" -or $jfrogrepo -eq $null) {
            nuget sources add -name sitecore-nuget -source https://bcgprod.jfrog.io/artifactory/api/nuget/v3/bcg-kd-sitecore-nuget-virtual
          }
          nuget sources update -name sitecore-nuget -Username ${{ env.KD-SITECORE-NUGET-USER }} -Password ${{ env.KD-SITECORE-NUGET-TOKEN }}
      - uses: actions/cache/restore@v3
        id: restore-cache
        if: inputs.cache_path != ''
        with:
          path: ${{ inputs.cache_path }}
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.config') }}
      - name: Run ci-scripts/build.ps1
        run: |
          $branch_name = "${{ env.DYN_BRANCH }}"
          pwsh ./ci-scripts/build.ps1 $branch_name
      - uses: actions/cache/save@v3
        if: steps.restore-cache.outputs.cache-hit != 'true' && inputs.cache_path != ''
        with:
          path: ${{ inputs.cache_path }}
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.config') }}
      # - name: Login to DockerHub
      #   uses: docker/login-action@v2
      #   with:
      #     registry: ${{ inputs.docker_registry }}
      #     username: ${{ env.KD-SITECORE-DOCKER-USERNAME }}
      #     password: ${{ env.KD-SITECORE-DOCKER-PASSWORD }}
      # Build the docker image and extract code for veracode scanning
      - name: docker-build
        run: |
          docker build -t ${{ inputs.docker_image }}:${{ env.VERSION_NUM }} -t ${{ inputs.docker_image }}:latest .
      # - name: DockerPush
      #   uses: bcg-ep-smp/github-action-composite-actions/DockerPush@develop
      #   with:
      #     docker_image: ${{ inputs.docker_image }}
      #     docker_registry: ${{ inputs.docker_registry }}
      #     dockerfile_path: ${{ inputs.dockerfile_path }}
      # - run: |
      #     echo "::notice::published ${{ inputs.docker_image }}:${{ env.VERSION_NUM }}"
      # Push the docker image to JFrog Artifactory
      # (-p passes the registry password on the command line; --password-stdin avoids that)
      - name: docker-push
        run: |
          docker login ${{ inputs.docker_registry }} -u ${{ env.KD-SITECORE-DOCKER-USERNAME }} -p ${{ env.KD-SITECORE-DOCKER-PASSWORD }}
          docker push ${{ inputs.docker_image }}:${{ env.VERSION_NUM }}
          echo "::notice::published ${{ inputs.docker_image }}:${{ env.VERSION_NUM }}"
```
Detailed logs:
logs_32.zip
Copy of the error log from the attachment:
2023-12-05T07:23:57.2437343Z ##[debug]Starting: Azure Login via Creds
2023-12-05T07:23:57.2758089Z ##[debug]Loading inputs
2023-12-05T07:23:57.2800932Z ##[debug]Evaluating: secrets.azure_secret
2023-12-05T07:23:57.2802472Z ##[debug]Evaluating Index:
2023-12-05T07:23:57.2805338Z ##[debug]..Evaluating secrets:
2023-12-05T07:23:57.2806884Z ##[debug]..=> Object
2023-12-05T07:23:57.2824559Z ##[debug]..Evaluating String:
2023-12-05T07:23:57.2825726Z ##[debug]..=> 'azure_secret'
2023-12-05T07:23:57.2831053Z ##[debug]=> '***
2023-12-05T07:23:57.2831792Z ##[debug] ***
2023-12-05T07:23:57.2832619Z ##[debug] ***
2023-12-05T07:23:57.2833362Z ##[debug] ***
2023-12-05T07:23:57.2834022Z ##[debug] ***
2023-12-05T07:23:57.2834577Z ##[debug]***'
2023-12-05T07:23:57.2836619Z ##[debug]Result: '***
2023-12-05T07:23:57.2837356Z ##[debug] ***
2023-12-05T07:23:57.2838131Z ##[debug] ***
2023-12-05T07:23:57.2839079Z ##[debug] ***
2023-12-05T07:23:57.2839735Z ##[debug] ***
2023-12-05T07:23:57.2840207Z ##[debug]***'
2023-12-05T07:23:57.2853912Z ##[debug]Loading env
2023-12-05T07:23:57.2975502Z ##[group]Run azure/login@v1
2023-12-05T07:23:57.2976174Z with:
2023-12-05T07:23:57.2978382Z creds: ***
2023-12-05T07:23:57.2978914Z allow-no-subscriptions: true
2023-12-05T07:23:57.2979568Z enable-AzPSSession: false
2023-12-05T07:23:57.2980184Z environment: azurecloud
2023-12-05T07:23:57.2980817Z audience: api://AzureADTokenExchange
2023-12-05T07:23:57.2981757Z auth-type: SERVICE_PRINCIPAL
2023-12-05T07:23:57.2982398Z ##[endgroup]
2023-12-05T07:23:57.6651781Z ##[debug]Reading creds in JSON...
2023-12-05T07:23:57.6653413Z ##[debug]Cannot find key: $.resourceManagerEndpointUrl
2023-12-05T07:23:57.6669905Z ::add-mask::***
2023-12-05T07:23:57.6672718Z ::add-mask::***
2023-12-05T07:23:57.6675186Z Running Azure CLI Login.
2023-12-05T07:23:57.6737438Z ##[debug]Azure CLI path: /usr/bin/az
2023-12-05T07:24:06.3442536Z ##[debug]Azure CLI version used:
2023-12-05T07:24:06.3443321Z ##[debug]azure-cli 2.54.0 *
2023-12-05T07:24:06.3444076Z ##[debug]
2023-12-05T07:24:06.3444624Z ##[debug]core 2.54.0 *
2023-12-05T07:24:06.3445453Z ##[debug]telemetry 1.1.0
2023-12-05T07:24:06.3447562Z ##[debug]
2023-12-05T07:24:06.3448046Z ##[debug]Extensions:
2023-12-05T07:24:06.3448680Z ##[debug]azure-devops 0.26.0
2023-12-05T07:24:06.3449414Z ##[debug]
2023-12-05T07:24:06.3449882Z ##[debug]Dependencies:
2023-12-05T07:24:06.3450500Z ##[debug]msal 1.24.0b2
2023-12-05T07:24:06.3451759Z ##[debug]azure-mgmt-resource 23.1.0b2
2023-12-05T07:24:06.3452510Z ##[debug]
2023-12-05T07:24:06.3453086Z ##[debug]Python location '/opt/az/bin/python3'
2023-12-05T07:24:06.3453991Z ##[debug]Extensions directory '/opt/az/azcliextensions'
2023-12-05T07:24:06.3454790Z ##[debug]
2023-12-05T07:24:06.3455524Z ##[debug]Python (Linux) 3.11.5 (main, Nov 8 2023, 05:20:54) [GCC 11.4.0]
2023-12-05T07:24:06.3456430Z ##[debug]
2023-12-05T07:24:06.3457062Z ##[debug]Legal docs and information: aka.ms/AzureCliLegal
2023-12-05T07:24:06.3457869Z ##[debug]
2023-12-05T07:24:06.3458292Z ##[debug]
2023-12-05T07:24:06.3458734Z ##[debug]
2023-12-05T07:24:22.6030310Z [command]/usr/bin/az cloud set -n azurecloud
2023-12-05T07:24:23.0292954Z Done setting cloud: "azurecloud"
2023-12-05T07:24:23.0297027Z Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.
2023-12-05T07:24:23.0300560Z Attempting Azure CLI login by using service principal with secret...
2023-12-05T07:24:25.1534792Z ##[error]The subscription of '2a8db146-fa3e-494d-ad0a-f691ffc46d1f' doesn't exist in cloud 'AzureCloud'.
2023-12-05T07:24:25.3595322Z ##[error]Login failed with Error: The process '/usr/bin/az' failed with exit code 1. Make sure 'az' is installed on the runner. If 'enable-AzPSSession' is true, make sure 'pwsh' is installed on the runner together with Azure PowerShell module. Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information.
2023-12-05T07:24:25.3607135Z ##[debug]Error: The process '/usr/bin/az' failed with exit code 1
2023-12-05T07:24:25.3608855Z ##[debug] at ExecState._setResult (/home/runner/work/_actions/azure/login/v1/node_modules/@actions/exec/lib/toolrunner.js:592:25)
2023-12-05T07:24:25.3611115Z ##[debug] at ExecState.CheckComplete (/home/runner/work/_actions/azure/login/v1/node_modules/@actions/exec/lib/toolrunner.js:575:18)
2023-12-05T07:24:25.3613430Z ##[debug] at ChildProcess.<anonymous> (/home/runner/work/_actions/azure/login/v1/node_modules/@actions/exec/lib/toolrunner.js:469:27)
2023-12-05T07:24:25.3615012Z ##[debug] at ChildProcess.emit (node:events:513:28)
2023-12-05T07:24:25.3616014Z ##[debug] at maybeClose (node:internal/child_process:1100:16)
2023-12-05T07:24:25.3617281Z ##[debug] at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
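The two failure modes discussed in this thread (a subscription in the creds that the service principal cannot see, and a token cache the runner user cannot open) have distinct signatures in the run log. The following triage script is an added example, not code from the thread or from the azure/login project; it keys on the literal messages in the logs posted above, and the two embedded log samples are excerpts copied from this thread. The cause codes and advice strings are this example's own naming.

```python
"""Triage an azure/login failure from a GitHub Actions run log.

Added example, not part of this thread or of the azure/login project. It keys
on the literal messages that appear in the two logs posted in the thread.
"""
import re

# The runner prefixes each line with an ISO-8601 timestamp; drop it before matching.
_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T[\d:.]+Z\s?")
_RUN = re.compile(r"##\[group\]Run azure/login@(\S+)")
_KV = re.compile(r"^\s*([A-Za-z-]+): (.*)$")   # "  creds: ***" inside the with: block
_SUB = re.compile(r"The subscription of '([^']+)' doesn't exist in cloud '([^']+)'")
_EACCES = re.compile(r"\[Errno 13\] Permission denied: '([^']+)'")


def triage(log: str) -> dict:
    """Return the action ref, the inputs echoed by the runner, a cause code and advice."""
    inputs = {}
    result = {"version": None, "inputs": inputs, "cause": "unknown", "detail": None, "advice": None}
    in_with = False
    for raw in log.splitlines():
        line = _TS.sub("", raw)
        m = _RUN.search(line)
        if m:
            result["version"] = m.group(1)
            continue
        if line.strip() == "with:":
            in_with = True
            continue
        if in_with:
            m = _KV.match(line)
            if m:
                inputs[m.group(1)] = m.group(2)
                continue
            in_with = False          # "env:" or "##[endgroup]" ends the with: block
        m = _SUB.search(line)
        if m:
            result.update(cause="subscription_not_visible", detail=m.group(1),
                          advice=(f"the service principal holds no role on subscription {m.group(1)} "
                                  f"in {m.group(2)}: remove subscriptionId from the creds secret, "
                                  "or grant the SP a role on that subscription"))
            break
        m = _EACCES.search(line)
        if m:
            result.update(cause="config_dir_unwritable", detail=m.group(1),
                          advice=(f"the runner user cannot open {m.group(1)}: fix ownership of the "
                                  "Azure CLI config directory or point AZURE_CONFIG_DIR at a "
                                  "directory the runner owns"))
            break
    # In the logs posted in this thread only the v1.5.1 flow echoes an auth-type input.
    result["new_login_flow"] = "auth-type" in inputs
    return result


# Excerpts copied from the logs posted in this thread (hosted runner, v1 -> v1.5.1).
LOG_V1 = """\
2023-12-05T07:23:57.2975502Z ##[group]Run azure/login@v1
2023-12-05T07:23:57.2976174Z with:
2023-12-05T07:23:57.2978382Z   creds: ***
2023-12-05T07:23:57.2978914Z   allow-no-subscriptions: true
2023-12-05T07:23:57.2979568Z   enable-AzPSSession: false
2023-12-05T07:23:57.2980184Z   environment: azurecloud
2023-12-05T07:23:57.2980817Z   audience: api://AzureADTokenExchange
2023-12-05T07:23:57.2981757Z   auth-type: SERVICE_PRINCIPAL
2023-12-05T07:23:57.2982398Z ##[endgroup]
2023-12-05T07:24:25.1534792Z ##[error]The subscription of '2a8db146-fa3e-494d-ad0a-f691ffc46d1f' doesn't exist in cloud 'AzureCloud'.
"""

# Excerpt copied from the self-hosted runner log posted later in this thread (v1.4.6).
LOG_V146 = """\
2023-12-07T07:24:07.8762159Z ##[group]Run azure/login@v1.4.6
2023-12-07T07:24:07.8762615Z with:
2023-12-07T07:24:07.8764150Z   creds: ***
2023-12-07T07:24:07.8764543Z   allow-no-subscriptions: true
2023-12-07T07:24:07.8766559Z env:
2023-12-07T07:24:07.8766892Z   DYN_BRANCH: feature/CTSE-1473
2023-12-07T07:24:07.8767349Z ##[endgroup]
2023-12-07T07:24:10.1155100Z ##[error]: [Errno 13] Permission denied: '/home/ubuntu/.azure/msal_token_cache.json'
"""

if __name__ == "__main__":
    for sample in (LOG_V1, LOG_V146):
        r = triage(sample)
        print(f"{r['version']}: {r['cause']} -> {r['advice']}")
```

The `new_login_flow` flag is just the presence of an `auth-type` line in the echoed inputs, which is the difference FlorentATo points out further down between the working and the failing runs.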
Hi @kantkrishan,
Please remove the `subscription-id` in `creds`. In v1.5.1, `subscription-id` will be set once it is provided. The `subscription-id` should not be given in your case, since your service principal doesn't have access permission to the given subscription.
Hi @MoChilia, We are using the specific AKV action along with creds (being stored as GitHub Secrets) across more than 200 github organizations in BCG. Making any such change would be a mammoth effort and thus would request you to help us provide the fix for v1 only.
Hi @alokbcg,
Providing `subscription-id` for a service principal without permission is not an expected and secure behavior. That's why we made this change in the new version.
May I ask where you have configured the secrets? Could you modify the value of your secret to align with the expected behavior?
Hi @MoChilia, I understand your inputs here around secure and expected behaviour. However, this v1 was working fine till morning and it stopped working all of a sudden. So, while we have shared the info, we need the fix for v1 so that our services are restored and we may find out the best possible workarounds.
Hi @kantkrishan, hope you understand your configuration of `${{ secrets.azure_secret }}` is not correct, since you provide a subscriptionId which you do not have the right permission on.
It used to work, but it's not expected.
I understand you want us to roll back `v1` to `v1.4.6`. However, we have to release `v1.5.1` and point `v1` to `v1.5.1` because it provides more features asked for by users.
We want to help you configure it right and resolve it with the minimum cost.
- Do you own the service principal for `${{ secrets.azure_secret }}`?
- Why can't you update it to remove `subscription id`?
- Can you grant `read` permission in the subscription '2a8db146-fa3e-494d-ad0a-f691ffc46d1f' to the Service Principal used in `${{ secrets.azure_secret }}`?
Thanks, as a workaround we have reverted to v1.4.7 for now. Hopefully this change will not be added to v1.4.7 and older versions retrospectively. Please confirm.
@kantkrishan changing from v1 to v1.4.7 worked? Even our environment broke since the morning.
@kantkrishan The old versions will not be updated. No worries.
Hi @Girish-mayigowda, sorry for your inconvenience too. May I ask if you have the same configuration as @kantkrishan?
> @kantkrishan changing from v1 to v1.4.7 worked? Even our environment broke since the morning.

Yes, it worked.
> Hi @Girish-mayigowda, sorry for your inconvenience too. May I ask if you have the same configuration as @kantkrishan?

Yes, and it worked after changing it to 1.4.6.
Hi @mehraman1508,
If you are trying to log in with a service principal that has access only to tenants, without permission to subscriptions, please refer to the example in https://github.com/Azure/login#login-without-subscription and exclude the `subscription-id`. Similarly, for login with secret, please remove the `subscription-id` in `creds`.
Hi @MoChilia, thanks, I understand the example you shared. I want to know how to redirect an existing tag and point it to a newer version, the same thing you did with v1 pointing to v1.5.1.
@YanaXu @MoChilia what is the process, or is there any documentation, to redirect the current version to a new one? It might help us solve this issue for our enterprise much faster.
Hi @mehraman1508, thanks for asking this. We follow the release guide of GitHub Action. Check it here.
`v1` will point to the latest `v1.*.*`.
But once a specific version like `v1.4.6` is released, we'll not touch it.
If you do not want to use the dynamic `v1`, please pin to a specific version.
What I want to point out is that our target is always to help users improve usability and improve security, not to block your use.
If it's a bug, we'll fix it. But this issue is not a bug. We do want you to upgrade your workflow file, since it's insecure and not expected.
You can choose to pin to `v1.4.6` to work around it, but the best way is to fix it in secrets and keep using `v1`.
You can check the new README.md. We provide more detailed guides to help you configure the service principal for login. We do hope you use OIDC login instead.
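The comment above draws the line the thread keeps tripping over: a major tag such as `v1` is moved on every release, an exact tag such as `v1.4.6` is left alone by this maintainer, and only a full commit SHA is immutable by construction. The scanner below is an added example, not code from the thread or from azure/login; it walks a workflow file and classifies every `uses:` reference, so a repo can find all the floating references before the next retag surprises it. The sample workflow is a constructed excerpt modelled on the reusable workflow posted in this thread, and the 40-character SHA in it is an illustrative placeholder, not a real commit.

```python
"""Flag floating `uses:` references in GitHub Actions workflows.

Added example, not from the thread or from azure/login. A ref counts as
pinned only when it is a full 40-hex commit SHA: an exact tag can still be
moved by the repository owner, and a major tag like v1 is moved on purpose.
"""
import re
from typing import List, NamedTuple

# `uses:` appears both on steps ("- uses: ...") and on jobs that call reusable workflows.
_USES = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")
_SHA = re.compile(r"^[0-9a-f]{40}$")
_EXACT_TAG = re.compile(r"^v?\d+\.\d+\.\d+$")


class UsesRef(NamedTuple):
    line: int
    action: str
    ref: str
    kind: str        # "sha", "exact-tag" or "floating"


def classify_ref(ref: str) -> str:
    if _SHA.fullmatch(ref):
        return "sha"
    if _EXACT_TAG.fullmatch(ref):
        return "exact-tag"
    return "floating"   # major/minor tag (v1, v1.1) or branch (develop, sitecore)


def scan_workflow(text: str) -> List[UsesRef]:
    """Return every remote `uses:` reference with its 1-based line number."""
    found: List[UsesRef] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _USES.match(line)          # commented-out lines start with '#', so they never match
        if not m:
            continue
        target = m.group(1).strip("'\"")
        # Local actions and docker images are pinned differently; skip them here.
        if target.startswith(("./", "docker://")) or "@" not in target:
            continue
        action, ref = target.rsplit("@", 1)
        found.append(UsesRef(n, action, ref, classify_ref(ref)))
    return found


def report(text: str) -> List[str]:
    """One human-readable finding per reference that is not a commit SHA."""
    out = []
    for r in scan_workflow(text):
        if r.kind == "sha":
            continue
        why = ("exact tag, movable by the repo owner" if r.kind == "exact-tag"
               else "branch or major/minor tag, moves without notice")
        out.append(f"line {r.line}: {r.action}@{r.ref} ({why}); pin to a full commit SHA")
    return out


# Constructed excerpt modelled on the reusable workflow in this thread; the SHA is a placeholder.
SAMPLE = """\
jobs:
  KD-Sitecore-Reusable-workflow:
    uses: bcg-cpe-devsecops-shared/github-action-reusable-workflows/.github/workflows/kd-sitecore-image-build.yaml@sitecore
  Set-Version:
    steps:
      - name: Azure Login via Creds
        uses: azure/login@v1
      - uses: nuget/setup-nuget@v1
      - name: Add msbuild to PATH
        uses: microsoft/setup-msbuild@v1.1
      - name: Checkout Code
        uses: bcg-ep-smp/github-action-composite-actions/Checkout@develop
      - name: Azure Login pinned to an exact tag
        uses: azure/login@v1.4.6
      - name: Checkout pinned to a commit (illustrative SHA, not a real commit)
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      # - uses: docker/login-action@v2
"""

if __name__ == "__main__":
    for finding in report(SAMPLE):
        print(finding)
```

Pinning to a SHA trades the automatic upgrade for reproducibility; the usual companion is a bot that opens pull requests to bump the SHA, so the upgrade still happens but on the consumer's schedule rather than the publisher's.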
@YanaXu thanks for the documentation link. Not sure what this fix is, but it certainly resulted in large-scale disruptions of CI/CD jobs. I hope there is a robust notification system we can subscribe to for future events like these, so we can do our prep rather than be surprised! However, just another day for CI/CD 😂. Appreciate your prompt response.
@mehraman1508 thanks for your suggestion. We're thinking about the same thing. It's better to have a pre-announcement. However we didn't find a proper way for now. But we'll see what we can do.
Maybe it's time to migrate your workflow file to use OIDC login... Feel free to open issues if you have questions.
We are now facing an error on self-hosted runners with v1.4.6/v1.4.7. Attached are the logs.
logs_98.zip
We were able to solve this by providing permissions to the `.azure` file.
sudo chown -R $USER:$USER ~/.azure
We want to understand if this is somehow related to what happened recently, since these workflows had been running smoothly for a long time.
Copy the error message to this issue from the attached logs:
2023-12-07T07:24:07.8762159Z ##[group]Run azure/login@v1.4.6
2023-12-07T07:24:07.8762615Z with:
2023-12-07T07:24:07.8764150Z creds: ***
2023-12-07T07:24:07.8764543Z allow-no-subscriptions: true
2023-12-07T07:24:07.8765017Z enable-AzPSSession: false
2023-12-07T07:24:07.8765588Z environment: azurecloud
2023-12-07T07:24:07.8766063Z audience: api://AzureADTokenExchange
2023-12-07T07:24:07.8766559Z env:
2023-12-07T07:24:07.8766892Z DYN_BRANCH: feature/CTSE-1473
2023-12-07T07:24:07.8767349Z ##[endgroup]
2023-12-07T07:24:07.9700085Z ##[debug]az cli version used: /usr/bin/az
2023-12-07T07:24:08.4844646Z ##[debug]az cli version used:
2023-12-07T07:24:08.4845627Z ##[debug]azure-cli 2.54.0 *
2023-12-07T07:24:08.4846580Z ##[debug]
2023-12-07T07:24:08.4847247Z ##[debug]core 2.54.0 *
2023-12-07T07:24:08.4848278Z ##[debug]telemetry 1.1.0
2023-12-07T07:24:08.4849222Z ##[debug]
2023-12-07T07:24:08.4849830Z ##[debug]Dependencies:
2023-12-07T07:24:08.4850609Z ##[debug]msal 1.24.0b2
2023-12-07T07:24:08.4851939Z ##[debug]azure-mgmt-resource 23.1.0b2
2023-12-07T07:24:08.4852868Z ##[debug]
2023-12-07T07:24:08.4853558Z ##[debug]Python location '/opt/az/bin/python3'
2023-12-07T07:24:08.4854742Z ##[debug]Extensions directory '/home/ubuntu/.azure/cliextensions'
2023-12-07T07:24:08.4856060Z ##[debug]
2023-12-07T07:24:08.4856913Z ##[debug]Python (Linux) 3.11.5 (main, Nov 8 2023, 05:21:25) [GCC 9.4.0]
2023-12-07T07:24:08.4858022Z ##[debug]
2023-12-07T07:24:08.4858802Z ##[debug]Legal docs and information: aka.ms/AzureCliLegal
2023-12-07T07:24:08.4859805Z ##[debug]
2023-12-07T07:24:08.4860344Z ##[debug]
2023-12-07T07:24:08.4860893Z ##[debug]
2023-12-07T07:24:08.4862116Z ##[debug]using creds JSON...
2023-12-07T07:24:08.4870779Z ::add-mask::***
2023-12-07T07:24:08.4875628Z ::add-mask::***
2023-12-07T07:24:08.4880109Z ::add-mask::***
2023-12-07T07:24:08.4882033Z ::add-mask::***
2023-12-07T07:24:08.4883556Z ##[debug]Cannot find key: $.resourceManagerEndpointUrl
2023-12-07T07:24:08.4884740Z [command]/usr/bin/az cloud set -n azurecloud
2023-12-07T07:24:08.7863010Z Done setting cloud: "azurecloud"
2023-12-07T07:24:08.7865280Z Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.
2023-12-07T07:24:10.1121555Z ##[error]: The command failed with an unexpected error. Here is the traceback:
2023-12-07T07:24:10.1155100Z ##[error]: [Errno 13] Permission denied: '/home/ubuntu/.azure/msal_token_cache.json'
Traceback (most recent call last):
File "/opt/az/lib/python3.11/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
raise ex
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
result = cmd_copy(params)
^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
return self.handler(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
return op(**command_args)
^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/profile/custom.py", line 139, in login
subscriptions = profile.login(
^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/_profile.py", line 159, in login
identity.login_with_service_principal(username, password, scopes=scopes)
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/auth/identity.py", line 190, in login_with_service_principal
result = cred.acquire_token_for_client(scopes)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/msal/application.py", line 2055, in acquire_token_for_client
return _clean_up(self._acquire_token_silent_with_error(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/msal/application.py", line 1301, in _acquire_token_silent_with_error
result = self._acquire_token_silent_from_cache_and_possibly_refresh_it(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/msal/application.py", line 1366, in _acquire_token_silent_from_cache_and_possibly_refresh_it
matches = self.token_cache.find(
^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/msal_extensions/token_cache.py", line 77, in find
self._reload_if_necessary()
File "/opt/az/lib/python3.11/site-packages/msal_extensions/token_cache.py", line 55, in _reload_if_necessary
self.deserialize(self._persistence.load())
^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/msal_extensions/persistence.py", line 160, in load
with open(self._location, 'r') as handle: # pylint: disable=unspecified-encoding
^^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/home/ubuntu/.azure/msal_token_cache.json'
Hi @kantkrishan, we won't make changes to old versions.
Good to see you've found the root cause. Azure/login action needs permission to write to the `.azure` folder. The issue you're facing may be due to a configuration change on your self-hosted runner.
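The traceback above fails in `msal_extensions/persistence.py` opening `msal_token_cache.json`, which is the Azure CLI's token cache under its config directory (`AZURE_CONFIG_DIR`, defaulting to `~/.azure`). `chown -R` on `~/.azure` repairs a shared home directory, but on a self-hosted runner that directory is also where one job's cached tokens sit waiting for the next job. The preflight below is an added example, not code from the thread or from azure/login: it creates a job-scoped config directory with owner-only permissions, proves the runner user can actually create a file there, and exports `AZURE_CONFIG_DIR` through `GITHUB_ENV` so the following `azure/login` step uses it. `RUNNER_TEMP`, `GITHUB_ENV` and `GITHUB_RUN_ID` are the standard runner variables; the example assumes a POSIX runner (it uses `os.getuid`), and the script name `azure_preflight.py` in the usage comment is this example's own.

```python
"""Preflight the Azure CLI config directory before azure/login runs on a
self-hosted runner.

Added example, not from the thread or from azure/login. The Azure CLI keeps
its token cache (msal_token_cache.json, the file in the traceback above)
under AZURE_CONFIG_DIR, which defaults to ~/.azure. Giving each job its own
directory avoids a cache left behind by another user or by root, and keeps one
job's tokens out of the next job's reach. Assumes a POSIX runner.
"""
import os
import stat
import sys
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConfigDirReport:
    path: str
    exists: bool
    owner_uid: Optional[int]
    writable: bool
    advice: str


def _can_create_file(path: str) -> bool:
    """Prove writability by creating and removing a file instead of trusting mode bits."""
    try:
        fd, probe = tempfile.mkstemp(prefix=".azlogin-probe-", dir=path)
    except OSError:
        return False
    os.close(fd)
    os.unlink(probe)
    return True


def inspect_config_dir(path: str) -> ConfigDirReport:
    """Explain whether the current user could write the token cache into `path`."""
    if not os.path.isdir(path):
        return ConfigDirReport(path, False, None, False, f"directory missing: mkdir -p {path}")
    st = os.stat(path)
    me = os.getuid()
    if _can_create_file(path):
        return ConfigDirReport(path, True, st.st_uid, True, "ok")
    if st.st_uid != me:
        advice = (f"owned by uid {st.st_uid}, runner is uid {me}: chown -R {me} {path}, "
                  "or set AZURE_CONFIG_DIR to a directory the runner owns")
    else:
        advice = f"mode {stat.filemode(st.st_mode)} denies writes: chmod u+rwx {path}"
    return ConfigDirReport(path, True, st.st_uid, False, advice)


def job_config_dir(run_id: str, base: Optional[str] = None) -> str:
    """Create a private, job-scoped AZURE_CONFIG_DIR and return its path."""
    base = base or os.environ.get("RUNNER_TEMP") or tempfile.gettempdir()
    path = os.path.join(base, f"azure-config-{run_id}")
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)   # makedirs honours the umask; force owner-only access
    return path


if __name__ == "__main__":
    # Workflow usage (hypothetical step, placed before azure/login):
    #   - run: python azure_preflight.py
    run_id = os.environ.get("GITHUB_RUN_ID", "local")
    config_dir = job_config_dir(run_id)
    rep = inspect_config_dir(config_dir)
    print(f"AZURE_CONFIG_DIR={config_dir} ({rep.advice})")
    github_env = os.environ.get("GITHUB_ENV")
    if github_env and rep.writable:
        with open(github_env, "a", encoding="utf-8") as fh:
            fh.write(f"AZURE_CONFIG_DIR={config_dir}\n")
    sys.exit(0 if rep.writable else 1)
```

Because every `az` invocation in later steps of the same job reads `AZURE_CONFIG_DIR` from the environment, the login, the key vault reads and the cleanup all operate on the job-private directory, and a `chown` on `~/.azure` is no longer part of the runner's configuration.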
> Hi @mehraman1508, If you are trying to log in with a service principal that has access only to tenants without permission to subscriptions. Please refer to the example in https://github.com/Azure/login#login-without-subscription, exclude the `subscription-id`. Similarly, for login with secret, please remove the `subscription-id` in `creds`.

You mean `subscriptionId`, not `subscription-id`, right?
For context, we use a Service Principal to authenticate to Azure DevOps and pull artifacts (`az artifacts universal download` (ref.)). Following the principle of least privilege, this SP doesn't have any permissions on our Azure Subscription (but does have a scope associated to it since `az ad sp create-for-rbac` requires one).
I had the same issue today; azure/login stopped working once the `auth-type` was explicitly defined:
Before (✅):
Run azure/login@v1
with:
creds: ***
allow-no-subscriptions: true
enable-AzPSSession: false
environment: azurecloud
audience: api://AzureADTokenExchange
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.
Login successful.
(...)
After (❌):
Run azure/login@v1
with:
creds: ***
allow-no-subscriptions: true
enable-AzPSSession: false
environment: azurecloud
audience: api://AzureADTokenExchange
auth-type: SERVICE_PRINCIPAL <- here
Running Azure CLI Login.
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.
Attempting Azure CLI login by using service principal with secret...
Error: The subscription of '***REDACTED***' doesn't exist in cloud 'AzureCloud'.
Error: Login failed with Error: The process '/usr/bin/az' failed with exit code 1. Make sure 'az' is installed on the runner. If 'enable-AzPSSession' is true, make sure 'pwsh' is installed on the runner together with Azure PowerShell module. Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information.
(...)
azure/login fails despite `allow-no-subscriptions` being set to `true`.
For security reasons, we do not back up Service Principals; they are generated and pushed right away to a GitHub secret. Therefore there's no way for us to simply edit them and remove `subscriptionId`. Unless I'm mistaken, we'll have to generate new Service Principals without `subscriptionId` to fix that issue, which will require quite a bit of work.
This is a major breaking change and should be reverted. cc @MoChilia
@FlorentATo v1.4.7 should work.
We pinned to v1.4.6 as has been mentioned above, but that's only a short-term workaround...
Hi @FlorentATo,
> Following the principle of least privilege, this SP doesn't have any permissions on our Azure Subscription (but does have a scope associated to it since az ad sp create-for-rbac requires one).

`--scope` for `az ad sp create-for-rbac` is not a required argument. And according to the following error that occurred in your workflow, it is obvious that your service principal has no permission on the subscription you have input.
> Error: The subscription of 'REDACTED' doesn't exist in cloud 'AzureCloud'.

It is really dangerous and makes no sense to input an invalid `subscription-id` in `azure/login`.
> For security reason, we do not backup Service Principals; they are generated and pushed right away to GitHub secret. Therefore there's no way for us to simply edit them and remove subscriptionId.

The output of `az ad sp create-for-rbac` is a JSON object; you can definitely filter it down to specified elements. Sorry for the inconvenience, but this change is required to improve the security of our product. Thank you for your understanding.
> For security reason, we do not backup Service Principals; they are generated and pushed right away to GitHub secret.

Hi @FlorentATo, could you please share how you generate and push the GitHub secret? I don't think it requires a lot of work to remove subscriptionId from the secret. Let's see if we can improve this step.
Just want to make it clear: it's not a breaking change but an improvement for security.
If the key pain point is updating the secret, let's see what we can do for you to update the workflow file.
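The maintainers' fix, stated in MoChilia's first reply and again in the exchange with @FlorentATo just above, is to filter the `az ad sp create-for-rbac` JSON before it becomes the `creds` secret. The script below is an added example, not code from the thread or from azure/login. It takes the JSON object in the `--sdk-auth` shape that the `creds` input documents (`clientId`, `clientSecret`, `tenantId`, `subscriptionId` plus endpoint URLs), checks the keys a secret-based login needs, and drops `subscriptionId` unless the caller explicitly asserts that the service principal holds a role on that subscription. The sample object, its GUIDs and the secret value are constructed placeholders, and the pipeline in the usage comment (`--sdk-auth`, `gh secret set`) assumes those CLI options are available in the versions in use.

```python
"""Strip subscriptionId from an azure/login `creds` JSON before it becomes a secret.

Added example, not from the thread or from azure/login. Reads the JSON that
`az ad sp create-for-rbac --sdk-auth` prints, validates the keys a
secret-based login needs, and removes subscriptionId unless the caller
asserts that the service principal really holds a role on that subscription.
"""
import json
import sys
from typing import Dict, List, Tuple

REQUIRED = ("clientId", "clientSecret", "tenantId")
SUBSCRIPTION_KEY = "subscriptionId"


class CredsError(ValueError):
    """Raised when the input is not a usable creds object."""


def sanitize_creds_dict(raw: str, keep_subscription: bool = False) -> Tuple[Dict[str, str], List[str]]:
    """Return (cleaned creds, list of removed keys); raise CredsError on bad input."""
    try:
        creds = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise CredsError(f"not valid JSON: {exc.msg} at offset {exc.pos}") from None
    if not isinstance(creds, dict):
        raise CredsError("creds must be a JSON object")
    missing = [k for k in REQUIRED if not creds.get(k)]
    if missing:
        raise CredsError("missing required key(s): " + ", ".join(missing))
    cleaned = dict(creds)
    removed: List[str] = []
    if not keep_subscription and SUBSCRIPTION_KEY in cleaned:
        removed.append(SUBSCRIPTION_KEY)
        del cleaned[SUBSCRIPTION_KEY]
    return cleaned, removed


def sanitize_creds(raw: str, keep_subscription: bool = False) -> str:
    """Compact JSON ready for `gh secret set`."""
    cleaned, _ = sanitize_creds_dict(raw, keep_subscription)
    return json.dumps(cleaned, separators=(",", ":"))


# Constructed sample in the --sdk-auth shape; GUIDs and the secret are placeholders.
SAMPLE_CREDS = json.dumps({
    "clientId": "11111111-1111-1111-1111-111111111111",
    "clientSecret": "placeholder-secret",
    "subscriptionId": "22222222-2222-2222-2222-222222222222",
    "tenantId": "33333333-3333-3333-3333-333333333333",
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
    "resourceManagerEndpointUrl": "https://management.azure.com/",
})

if __name__ == "__main__":
    # Intended use, with this file saved as sanitize_creds.py (hypothetical name):
    #   az ad sp create-for-rbac --name ci-sp --sdk-auth \
    #     | python sanitize_creds.py | gh secret set AZURE_CREDENTIALS
    # Pass --keep-subscription only when the SP actually holds a role on that subscription.
    keep = "--keep-subscription" in sys.argv[1:]
    try:
        cleaned, removed = sanitize_creds_dict(sys.stdin.read(), keep_subscription=keep)
    except CredsError as exc:
        print(f"error: {exc}", file=sys.stderr)
        sys.exit(1)
    if removed:
        print("removed " + ", ".join(removed), file=sys.stderr)
    sys.stdout.write(json.dumps(cleaned, separators=(",", ":")))
```

Keeping the secret itself out of the shell history and out of any file on disk is the reason the script works on stdin and writes only to stdout; the `gh secret set` call reads the sanitized JSON straight from the pipe.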
Could this be explained in the Azure Login README a bit more clearly, please? I had been wrestling with it until I luckily found this thread, but it was nowhere near the first link in the search results. All of the documentation on GH and Microsoft Docs says to include the sub id, without mentioning that providing it can sometimes break the behaviour.