Azure / login

Connect to Azure

v1 breaks with Error: Login failed

kantkrishan opened this issue · comments

Since 30 min or so, all our pipelines that use azure/login@v1 have started breaking, since the redirection is now happening to v1.5.1. I tried reverting to an older version, i.e. azure/login@v1.4.7, and it started working again.

Here is the error message I am getting when using v1.

Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.
Attempting Azure CLI login by using service principal with secret...
Error: The subscription of '2a8db146-fa3e-494d-ad0a-f691ffc46d1f' doesn't exist in cloud 'AzureCloud'.

Error: Login failed with Error: The process '/usr/bin/az' failed with exit code 1. Make sure 'az' is installed on the runner. If 'enable-AzPSSession' is true, make sure 'pwsh' is installed on the runner together with Azure PowerShell module. Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information.
##[debug]Error: The process '/usr/bin/az' failed with exit code 1

Can you please check what might have caused this?

Hi @kantkrishan, please pin to v1.4.6 first.

Could you please provide your workflow file and the debug log of your failed run? Please mask the information if necessary.

We are using it via a reusable workflow, so I am sharing both the caller workflow and the reusable workflow along with logs. Let me know if you need any other detail. I will try with v1.4.6 and will let you know. We would really appreciate it if it could be made to work with v1 itself, since we are using it in several places and changing the version will be tedious.
caller workflow:

# Need to setup Secrets and add steps similar to the Jenkins build
# If using jfrog instead of ECR , need a setup for a docker repo and access token 
name: sitecore10-build-image-ci
on:
  push:
    branches:
      - dso-cicd-cd-base
  workflow_dispatch:
    inputs:
      logLevel:
        description: 'Log level'
        required: true
        default: 'warning'
  #retrigger job
  
permissions:
  id-token: write # This is required for requesting the JWT
  contents: write  # This is required for actions/checkout
  issues: write

jobs:
  KD-Sitecore-Reusable-workflow:
    uses: bcg-cpe-devsecops-shared/github-action-reusable-workflows/.github/workflows/kd-sitecore-image-build.yaml@sitecore
    with:
      service_name: 'sitecore10-build-cdbase'
      branch: ${{ github.event.inputs.Branch }}
      docker_registry: 'bcgprod.jfrog.io'
      docker_image: 'bcgprod.jfrog.io/bcg-kd-sitecore-docker-virtual/sitecore10-build-cmbase' 
      #Azure Key vault Variables
      key_array: 'KD-SITECORE-DOCKER-USERNAME,KD-SITECORE-DOCKER-PASSWORD,OCTOPUS-HOST,OCTOPUS-API-KEY'
      run_number: ${{ github.run_number }}
    secrets:
      #AKV secrets
      azure_secret: ${{ secrets.AKV_SECRET }}
      vault_name: ${{ secrets.AKV_VAULT_NAME }}

Reusable Workflow:

name: Sitecore image builder Reusable workflow
on:
  workflow_call:
    inputs:
      branch:
        required: true
        type: string
      key_array:
        required: true
        type: string
      docker_registry:
        required: true
        type: string
      docker_image:
        required: true
        type: string
      dockerfile_path:
        required: false
        type: string
        default: '.'
      service_name:
        required: true
        type: string
      tag_prefix:
        type: string
        required: false
        default: "release-"
      run_number:
        type: string
        required: true
      release_branch:
        type: string
        required: false
        default: ""
      custom_runner_name:
        type: string
        required: false
        default: "ubuntu-20.04"    
      cache_path:
        type: string
        required: false
        default: ""
    secrets:
      azure_secret:
        required: true
      vault_name:
        required: true

jobs:
  Set-Version:
    runs-on: ubuntu-latest
    outputs:
      VERSION_NUM: ${{ steps.set-semantic-version.outputs.VERSION_NUM }}
      TAG_VERSION: ${{ steps.set-semantic-version.outputs.TAG_VERSION }}
      CHANNEL_NAME: ${{ steps.set-semantic-version.outputs.CHANNEL_NAME }}
    steps:
      # Login to azure key vault
      - name: Azure Login via Creds
        uses: azure/login@v1
        with: 
            creds: ${{ secrets.azure_secret }}
            allow-no-subscriptions: true
      
      # Read secrets from azure key vault 
      - name: Azure Get Secret
        uses: bcg-cpe-devsecops-shared/get-keyvault-secrets@v1
        with:
          keyvault: ${{ secrets.vault_name }}
          secrets: '${{ inputs.key_array }}' 
    
      - name: DISPLAY CI REFS
        run: |
          echo ${{ secrets.vault_name }} | sed 's/./& /g'
          echo ${{ env.OCTOPUS-HOST }} | sed 's/./& /g'
          echo ${{ env.KD-SITECORE-DOCKER-USERNAME }} | sed 's/./& /g'
          echo ${{ env.KD-SITECORE-NUGET-USER }} | sed 's/./& /g'
        
      - name: Checkout Code
        uses: bcg-ep-smp/github-action-composite-actions/Checkout@develop
        with:
          branch: '${{ inputs.branch }}'

      - name: Set Semantic Version
        id: set-semantic-version
        uses: bcg-ep-smp/github-action-composite-actions/SemanticVersion@develop
        with:
          tag_prefix: '${{ inputs.tag_prefix }}'
          branch: '${{ env.DYN_BRANCH }}'
          run_number: '${{ inputs.run_number }}'
          release_branch: '${{ inputs.release_branch }}'


  Docker-Build-Push:
    needs: Set-Version
    runs-on: windows-2019
    env:
      VERSION_NUM: ${{ needs.Set-Version.outputs.VERSION_NUM }}
      TAG_VERSION: ${{ needs.Set-Version.outputs.TAG_VERSION }}
      CHANNEL: ${{ needs.Set-Version.outputs.CHANNEL_NAME }}
    steps:          
      - name: Add msbuild to PATH
        uses: microsoft/setup-msbuild@v1.1

      - uses: nuget/setup-nuget@v1
        with:
          nuget-version: '6.x'
          
      # Login to azure key vault
      - name: Azure Login via Creds
        uses: azure/login@v1
        with: 
          creds: ${{ secrets.azure_secret }}
          allow-no-subscriptions: true

      # Read secrets from azure key vault 
      - name: Azure Get Secret
        uses: bcg-cpe-devsecops-shared/get-keyvault-secrets@v1
        with:
          keyvault: ${{ secrets.vault_name }}
          secrets: '${{ inputs.key_array }}' 

      - name: Checkout Code
        uses: bcg-ep-smp/github-action-composite-actions/Checkout@develop
        with:
          branch: '${{ inputs.branch }}'

      - name: Configure nuget
        if: env.KD-SITECORE-NUGET-USER != '' && env.KD-SITECORE-NUGET-TOKEN != ''
        run: |
          nuget sources list
        
          $nugetrepo = nuget sources list | findstr nuget.org
          if($nugetrepo -ne "") {
            nuget sources disable -name nuget.org
          }

          $jfrogrepo = nuget sources list | findstr sitecore-nuget
          if($jfrogrepo -eq "" -or $jfrogrepo -eq $null) {
            nuget sources add -name sitecore-nuget -source https://bcgprod.jfrog.io/artifactory/api/nuget/v3/bcg-kd-sitecore-nuget-virtual
          } 
          nuget sources update -name sitecore-nuget -Username ${{ env.KD-SITECORE-NUGET-USER }} -Password ${{ env.KD-SITECORE-NUGET-TOKEN }}

      - uses: actions/cache/restore@v3
        id: restore-cache
        if: inputs.cache_path != ''
        with:
          path: ${{ inputs.cache_path }}
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.config') }}

      - name: Run ci-scripts/build.ps1
        run: |
          $branch_name = "${{ env.DYN_BRANCH }}"
          pwsh ./ci-scripts/build.ps1 $branch_name

      - uses: actions/cache/save@v3
        if: steps.restore-cache.outputs.cache-hit != 'true' && inputs.cache_path != ''
        with:
          path: ${{ inputs.cache_path }}            
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.config') }}
      
      # - name: Login to DockerHub
      #   uses: docker/login-action@v2
      #   with:
      #     registry: ${{ inputs.docker_registry }}
      #     username: ${{ env.KD-SITECORE-DOCKER-USERNAME }}
      #     password: ${{ env.KD-SITECORE-DOCKER-PASSWORD }}

      # Build the docker image and extract code for veracode scanning
      - name: docker-build
        run: |
          docker build -t ${{ inputs.docker_image }}:${{ env.VERSION_NUM }} -t ${{ inputs.docker_image }}:latest . 
          
      # - name: DockerPush
      #   uses: bcg-ep-smp/github-action-composite-actions/DockerPush@develop
      #   with:
      #     docker_image: ${{ inputs.docker_image }}
      #     docker_registry: ${{ inputs.docker_registry }}
      #     dockerfile_path: ${{ inputs.dockerfile_path }}
      # - run: |
      #     echo "::notice::published ${{ inputs.docker_image }}:${{ env.VERSION_NUM }}"

      # Push the docker image to JFrog Artifactory
      - name: docker-push
        run: |
          docker login ${{ inputs.docker_registry }} -u ${{ env.KD-SITECORE-DOCKER-USERNAME }} -p ${{ env.KD-SITECORE-DOCKER-PASSWORD }}  
          docker push ${{ inputs.docker_image }}:${{ env.VERSION_NUM }}
          echo "::notice::published ${{ inputs.docker_image }}:${{ env.VERSION_NUM }}"

Detailed logs:
logs_32.zip

Copy the error log from the attachment to here:

2023-12-05T07:23:57.2437343Z ##[debug]Starting: Azure Login via Creds
2023-12-05T07:23:57.2758089Z ##[debug]Loading inputs
2023-12-05T07:23:57.2800932Z ##[debug]Evaluating: secrets.azure_secret
2023-12-05T07:23:57.2802472Z ##[debug]Evaluating Index:
2023-12-05T07:23:57.2805338Z ##[debug]..Evaluating secrets:
2023-12-05T07:23:57.2806884Z ##[debug]..=> Object
2023-12-05T07:23:57.2824559Z ##[debug]..Evaluating String:
2023-12-05T07:23:57.2825726Z ##[debug]..=> 'azure_secret'
2023-12-05T07:23:57.2831053Z ##[debug]=> '***
2023-12-05T07:23:57.2831792Z ##[debug]  ***
2023-12-05T07:23:57.2832619Z ##[debug]  ***
2023-12-05T07:23:57.2833362Z ##[debug]  ***
2023-12-05T07:23:57.2834022Z ##[debug]  ***
2023-12-05T07:23:57.2834577Z ##[debug]***'
2023-12-05T07:23:57.2836619Z ##[debug]Result: '***
2023-12-05T07:23:57.2837356Z ##[debug]  ***
2023-12-05T07:23:57.2838131Z ##[debug]  ***
2023-12-05T07:23:57.2839079Z ##[debug]  ***
2023-12-05T07:23:57.2839735Z ##[debug]  ***
2023-12-05T07:23:57.2840207Z ##[debug]***'
2023-12-05T07:23:57.2853912Z ##[debug]Loading env
2023-12-05T07:23:57.2975502Z ##[group]Run azure/login@v1
2023-12-05T07:23:57.2976174Z with:
2023-12-05T07:23:57.2978382Z   creds: ***
2023-12-05T07:23:57.2978914Z   allow-no-subscriptions: true
2023-12-05T07:23:57.2979568Z   enable-AzPSSession: false
2023-12-05T07:23:57.2980184Z   environment: azurecloud
2023-12-05T07:23:57.2980817Z   audience: api://AzureADTokenExchange
2023-12-05T07:23:57.2981757Z   auth-type: SERVICE_PRINCIPAL
2023-12-05T07:23:57.2982398Z ##[endgroup]
2023-12-05T07:23:57.6651781Z ##[debug]Reading creds in JSON...
2023-12-05T07:23:57.6653413Z ##[debug]Cannot find key: $.resourceManagerEndpointUrl
2023-12-05T07:23:57.6669905Z ::add-mask::***
2023-12-05T07:23:57.6672718Z ::add-mask::***
2023-12-05T07:23:57.6675186Z Running Azure CLI Login.
2023-12-05T07:23:57.6737438Z ##[debug]Azure CLI path: /usr/bin/az
2023-12-05T07:24:06.3442536Z ##[debug]Azure CLI version used:
2023-12-05T07:24:06.3443321Z ##[debug]azure-cli                         2.54.0 *
2023-12-05T07:24:06.3444076Z ##[debug]
2023-12-05T07:24:06.3444624Z ##[debug]core                              2.54.0 *
2023-12-05T07:24:06.3445453Z ##[debug]telemetry                          1.1.0
2023-12-05T07:24:06.3447562Z ##[debug]
2023-12-05T07:24:06.3448046Z ##[debug]Extensions:
2023-12-05T07:24:06.3448680Z ##[debug]azure-devops                      0.26.0
2023-12-05T07:24:06.3449414Z ##[debug]
2023-12-05T07:24:06.3449882Z ##[debug]Dependencies:
2023-12-05T07:24:06.3450500Z ##[debug]msal                            1.24.0b2
2023-12-05T07:24:06.3451759Z ##[debug]azure-mgmt-resource             23.1.0b2
2023-12-05T07:24:06.3452510Z ##[debug]
2023-12-05T07:24:06.3453086Z ##[debug]Python location '/opt/az/bin/python3'
2023-12-05T07:24:06.3453991Z ##[debug]Extensions directory '/opt/az/azcliextensions'
2023-12-05T07:24:06.3454790Z ##[debug]
2023-12-05T07:24:06.3455524Z ##[debug]Python (Linux) 3.11.5 (main, Nov  8 2023, 05:20:54) [GCC 11.4.0]
2023-12-05T07:24:06.3456430Z ##[debug]
2023-12-05T07:24:06.3457062Z ##[debug]Legal docs and information: aka.ms/AzureCliLegal
2023-12-05T07:24:06.3457869Z ##[debug]
2023-12-05T07:24:06.3458292Z ##[debug]
2023-12-05T07:24:06.3458734Z ##[debug]
2023-12-05T07:24:22.6030310Z [command]/usr/bin/az cloud set -n azurecloud
2023-12-05T07:24:23.0292954Z Done setting cloud: "azurecloud"
2023-12-05T07:24:23.0297027Z Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.
2023-12-05T07:24:23.0300560Z Attempting Azure CLI login by using service principal with secret...
2023-12-05T07:24:25.1534792Z ##[error]The subscription of '2a8db146-fa3e-494d-ad0a-f691ffc46d1f' doesn't exist in cloud 'AzureCloud'.

2023-12-05T07:24:25.3595322Z ##[error]Login failed with Error: The process '/usr/bin/az' failed with exit code 1. Make sure 'az' is installed on the runner. If 'enable-AzPSSession' is true, make sure 'pwsh' is installed on the runner together with Azure PowerShell module. Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information.
2023-12-05T07:24:25.3607135Z ##[debug]Error: The process '/usr/bin/az' failed with exit code 1
2023-12-05T07:24:25.3608855Z ##[debug]    at ExecState._setResult (/home/runner/work/_actions/azure/login/v1/node_modules/@actions/exec/lib/toolrunner.js:592:25)
2023-12-05T07:24:25.3611115Z ##[debug]    at ExecState.CheckComplete (/home/runner/work/_actions/azure/login/v1/node_modules/@actions/exec/lib/toolrunner.js:575:18)
2023-12-05T07:24:25.3613430Z ##[debug]    at ChildProcess.<anonymous> (/home/runner/work/_actions/azure/login/v1/node_modules/@actions/exec/lib/toolrunner.js:469:27)
2023-12-05T07:24:25.3615012Z ##[debug]    at ChildProcess.emit (node:events:513:28)
2023-12-05T07:24:25.3616014Z ##[debug]    at maybeClose (node:internal/child_process:1100:16)
2023-12-05T07:24:25.3617281Z ##[debug]    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

Hi @kantkrishan,
Please remove the subscription-id in creds. In v1.5.1, subscription-id will be set once it is provided.
The subscription-id should not be given in your case, since your service principal doesn't have access permission to the given subscription.

Hi @MoChilia, We are using the specific AKV action along with creds (being stored as GitHub Secrets) across more than 200 github organizations in BCG. Making any such change would be a mammoth effort and thus would request you to help us provide the fix for v1 only.

Hi @alokbcg,
Providing a subscription-id for a service principal without permission is not expected or secure behavior. That's why we made this change in the new version.
May I ask where you have configured the secrets? Could you modify the value of your secret to align with the expected behavior?

Hi @MoChilia, I understand your inputs here around secure and expected behaviour. However, this v1 was working fine till this morning and it stopped working all of a sudden. So while we have shared the info, we need the fix for v1 so that our services are restored and we may find out the best possible workarounds.

Hi @kantkrishan, hope you understand that your configuration of ${{ secrets.azure_secret }} is not correct, since you provide a subscriptionId which you do not have the right permission on.
It used to work, but it's not expected.
I understand you want us to roll back v1 to v1.4.6. However, we have to release v1.5.1 and point v1 to v1.5.1 because it provides more features asked for by users.
We want to help you configure it right and resolve it with the minimum cost.

  • Do you own the service principal for ${{ secrets.azure_secret }}?
  • Why can't you update it to remove the subscription id?
  • Can you grant read permission in the subscription '2a8db146-fa3e-494d-ad0a-f691ffc46d1f' to the Service Principal used in ${{ secrets.azure_secret }}?

Thanks, as a workaround we have reverted to v1.4.7 for now. Hopefully this change will not be added to v1.4.7 and older versions retrospectively. Please confirm.

@kantkrishan changing from v1 to v1.4.7 worked? Even our environment broke since the morning.

@kantkrishan The old versions will not be updated. No worries.

Hi @Girish-mayigowda sorry for your inconvenience too. May I ask if you have the same configuration like @kantkrishan?

@kantkrishan changing from v1 to v1.4.7 worked? Even our environment broke since the morning.

yes, it worked.

@YanaXu @MoChilia what is the process or any documentation to redirect current version to a new one ? It might help us solve this issue for our enterprise much faster .

Hi @Girish-mayigowda sorry for your inconvenience too. May I ask if you have the same configuration like @kantkrishan?

Yes, and it worked after changing it to 1.4.6.

Hi @mehraman1508,
If you are trying to log in with a service principal that has access only to tenants, without permission to subscriptions, please refer to the example in https://github.com/Azure/login#login-without-subscription and exclude the subscription-id. Similarly, for login with a secret, please remove the subscription-id in creds.

Hi @MoChilia, thanks, I understand the example you shared. I want to know how to redirect an existing tag and point it to a newer version, the same thing you did with v1 pointing to v1.5.1.

Hi @mehraman1508, thanks for asking this. We follow the release guide of GitHub Actions. Check it here.
v1 will point to the latest v1.*.*.

But once a specific version like v1.4.6 is released, we'll not touch it.
If you do not want to use the dynamic v1, please pin to a specific version.

What I want to point out is that our target is always to help users improve usability and improve security, not to block your use.
If it's a bug, we'll fix it. But this issue is not a bug. We do want you to upgrade your workflow file since it's insecure and not expected.
You can choose to pin to v1.4.6 to work around it, but the best way is to fix it in secrets and keep using v1.
You can check the new README.md. We provide more detailed guides to help you configure the service principal for login. We do hope you use OIDC login instead.

@YanaXu thanks for the documentation link. Not sure about what this fix is but certainly resulted in large scale disruptions of CICD jobs. I hope there is a robust notification system we can subscribe to for future events like these and do our prep rather than be surprised! However just another day for CICD 😂 . Appreciate your prompt response.

@mehraman1508 thanks for your suggestion. We're thinking about the same thing. It's better to have a pre-announcement. However we didn't find a proper way for now. But we'll see what we can do.

Maybe it's time to migrate your workflow file to use OIDC login... Feel free to open issues if you have questions.

Hi @YanaXu @MoChilia

We are now facing an error on self-hosted runners with v1.4.6/v1.4.7. Attached are the logs.
logs_98.zip
We were able to solve this by providing permissions on the .azure folder:
sudo chown -R $USER:$USER ~/.azure
We want to understand if this is somehow related to what happened recently, since these workflows had been running smoothly for a long time.

Copy the error message to this issue from the attached logs:

2023-12-07T07:24:07.8762159Z ##[group]Run azure/login@v1.4.6
2023-12-07T07:24:07.8762615Z with:
2023-12-07T07:24:07.8764150Z   creds: ***
2023-12-07T07:24:07.8764543Z   allow-no-subscriptions: true
2023-12-07T07:24:07.8765017Z   enable-AzPSSession: false
2023-12-07T07:24:07.8765588Z   environment: azurecloud
2023-12-07T07:24:07.8766063Z   audience: api://AzureADTokenExchange
2023-12-07T07:24:07.8766559Z env:
2023-12-07T07:24:07.8766892Z   DYN_BRANCH: feature/CTSE-1473
2023-12-07T07:24:07.8767349Z ##[endgroup]
2023-12-07T07:24:07.9700085Z ##[debug]az cli version used: /usr/bin/az
2023-12-07T07:24:08.4844646Z ##[debug]az cli version used:
2023-12-07T07:24:08.4845627Z ##[debug]azure-cli                         2.54.0 *
2023-12-07T07:24:08.4846580Z ##[debug]
2023-12-07T07:24:08.4847247Z ##[debug]core                              2.54.0 *
2023-12-07T07:24:08.4848278Z ##[debug]telemetry                          1.1.0
2023-12-07T07:24:08.4849222Z ##[debug]
2023-12-07T07:24:08.4849830Z ##[debug]Dependencies:
2023-12-07T07:24:08.4850609Z ##[debug]msal                            1.24.0b2
2023-12-07T07:24:08.4851939Z ##[debug]azure-mgmt-resource             23.1.0b2
2023-12-07T07:24:08.4852868Z ##[debug]
2023-12-07T07:24:08.4853558Z ##[debug]Python location '/opt/az/bin/python3'
2023-12-07T07:24:08.4854742Z ##[debug]Extensions directory '/home/ubuntu/.azure/cliextensions'
2023-12-07T07:24:08.4856060Z ##[debug]
2023-12-07T07:24:08.4856913Z ##[debug]Python (Linux) 3.11.5 (main, Nov  8 2023, 05:21:25) [GCC 9.4.0]
2023-12-07T07:24:08.4858022Z ##[debug]
2023-12-07T07:24:08.4858802Z ##[debug]Legal docs and information: aka.ms/AzureCliLegal
2023-12-07T07:24:08.4859805Z ##[debug]
2023-12-07T07:24:08.4860344Z ##[debug]
2023-12-07T07:24:08.4860893Z ##[debug]
2023-12-07T07:24:08.4862116Z ##[debug]using creds JSON...
2023-12-07T07:24:08.4870779Z ::add-mask::***
2023-12-07T07:24:08.4875628Z ::add-mask::***
2023-12-07T07:24:08.4880109Z ::add-mask::***
2023-12-07T07:24:08.4882033Z ::add-mask::***
2023-12-07T07:24:08.4883556Z ##[debug]Cannot find key: $.resourceManagerEndpointUrl
2023-12-07T07:24:08.4884740Z [command]/usr/bin/az cloud set -n azurecloud
2023-12-07T07:24:08.7863010Z Done setting cloud: "azurecloud"
2023-12-07T07:24:08.7865280Z Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.
2023-12-07T07:24:10.1121555Z ##[error]: The command failed with an unexpected error. Here is the traceback:

2023-12-07T07:24:10.1155100Z ##[error]: [Errno 13] Permission denied: '/home/ubuntu/.azure/msal_token_cache.json'
Traceback (most recent call last):
  File "/opt/az/lib/python3.11/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
    raise ex
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/profile/custom.py", line 139, in login
    subscriptions = profile.login(
                    ^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/_profile.py", line 159, in login
    identity.login_with_service_principal(username, password, scopes=scopes)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/auth/identity.py", line 190, in login_with_service_principal
    result = cred.acquire_token_for_client(scopes)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/msal/application.py", line 2055, in acquire_token_for_client
    return _clean_up(self._acquire_token_silent_with_error(
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/msal/application.py", line 1301, in _acquire_token_silent_with_error
    result = self._acquire_token_silent_from_cache_and_possibly_refresh_it(
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/msal/application.py", line 1366, in _acquire_token_silent_from_cache_and_possibly_refresh_it
    matches = self.token_cache.find(
              ^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/msal_extensions/token_cache.py", line 77, in find
    self._reload_if_necessary()
  File "/opt/az/lib/python3.11/site-packages/msal_extensions/token_cache.py", line 55, in _reload_if_necessary
    self.deserialize(self._persistence.load())
                     ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/msal_extensions/persistence.py", line 160, in load
    with open(self._location, 'r') as handle:  # pylint: disable=unspecified-encoding
         ^^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/home/ubuntu/.azure/msal_token_cache.json'

Hi @kantkrishan, we won't make changes to old versions.

Good to see you've found the root cause. The Azure/login action needs permission to write to the .azure folder. The issue you're facing may be due to a configuration change on your self-hosted runner.

Hi @mehraman1508, if you are trying to log in with a service principal that has access only to tenants, without permission to subscriptions, please refer to the example in https://github.com/Azure/login#login-without-subscription and exclude the subscription-id. Similarly, for login with a secret, please remove the subscription-id in creds.

You mean subscriptionId, not subscription-id, right?

For context, we use Service Principal to authenticate to Azure Devops and pull artifacts (az artifacts universal download (ref.)). Following the principle of least privilege, this SP doesn't have any permissions on our Azure Subscription (but does have a scope associated to it since az ad sp create-for-rbac requires one).

I had the same issue today; azure/login stopped working since the auth-type was explicitly defined:

Before (✅):

Run azure/login@v1
  with:
    creds: ***
    allow-no-subscriptions: true
    enable-AzPSSession: false
    environment: azurecloud
    audience: api://AzureADTokenExchange
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.
Login successful.
(...)

After (❌):

Run azure/login@v1
  with:
    creds: ***
    allow-no-subscriptions: true
    enable-AzPSSession: false
    environment: azurecloud
    audience: api://AzureADTokenExchange
    auth-type: SERVICE_PRINCIPAL                      <- here
Running Azure CLI Login.
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.
Attempting Azure CLI login by using service principal with secret...
Error: The subscription of '***REDACTED***' doesn't exist in cloud 'AzureCloud'.

Error: Login failed with Error: The process '/usr/bin/az' failed with exit code 1. Make sure 'az' is installed on the runner. If 'enable-AzPSSession' is true, make sure 'pwsh' is installed on the runner together with Azure PowerShell module. Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information.
(...)

azure/login fails despite allow-no-subscriptions being set to true.

For security reasons, we do not back up Service Principals; they are generated and pushed right away to a GitHub secret. Therefore there's no way for us to simply edit them and remove subscriptionId. Unless I'm mistaken, we'll have to generate new Service Principals without subscriptionId to fix that issue, which will require quite a bit of work.

This is a major breaking change and should be reverted. cc @MoChilia

@FlorentATo v1.4.7 should work.

We pinned to v1.4.6 as it's been mentioned above but that's only a short-term workaround...

Hi @FlorentATo,

Following the principle of least privilege, this SP doesn't have any permissions on our Azure Subscription (but does have a scope associated to it since az ad sp create-for-rbac requires one).

--scope for az ad sp create-for-rbac is not a required argument. And according to the following error that occurred in your workflow, it is obvious that your service principal has no permission on the subscription you have input.

Error: The subscription of 'REDACTED' doesn't exist in cloud 'AzureCloud'.

It is really dangerous and makes no sense to input an invalid subscription-id in azure/login.

For security reasons, we do not back up Service Principals; they are generated and pushed right away to a GitHub secret. Therefore there's no way for us to simply edit them and remove subscriptionId.

The output of az ad sp create-for-rbac is a JSON object; you can definitely filter it down to the specified elements. Sorry for the inconvenience, but this change is required to improve the security of our product. Thank you for your understanding.
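The filtering the maintainers suggest, as an added Python example that is not Azure/login's own code: it strips subscriptionId from an existing creds secret unless the principal actually holds a role on that subscription, and refuses to hand back a secret that is missing clientId, clientSecret or tenantId. The sample creds object, its GUIDs, the placeholder secret and the permitted-subscription set are all constructed for the example.

```python
import json
import uuid

# Keys azure/login needs for "service principal with secret" login via `creds:`.
REQUIRED_KEYS = ("clientId", "clientSecret", "tenantId")
SUBSCRIPTION_PROBLEM = "subscriptionId is set but the service principal has no role on that subscription"

# Constructed sample in the shape of `az ad sp create-for-rbac --sdk-auth` output.
# The GUIDs and the secret are placeholders, not real credentials.
SAMPLE_SUBSCRIPTION = "33333333-3333-3333-3333-333333333333"
SAMPLE_CREDS = json.dumps({
    "clientId": "11111111-1111-1111-1111-111111111111",
    "clientSecret": "PLACEHOLDER-SECRET",
    "subscriptionId": SAMPLE_SUBSCRIPTION,
    "tenantId": "22222222-2222-2222-2222-222222222222",
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
    "resourceManagerEndpointUrl": "https://management.azure.com/",
})


class CredsError(ValueError):
    """The creds secret has a defect that dropping subscriptionId cannot fix."""


def _is_guid(value) -> bool:
    try:
        uuid.UUID(str(value))
    except ValueError:
        return False
    return True


def find_problems(creds: dict, permitted_subscriptions=frozenset()) -> list:
    """Return problems with a parsed creds object, in a stable order (empty means fine).

    permitted_subscriptions: subscription IDs on which the principal really holds a
    role (for instance taken from `az role assignment list`). An empty set means
    "keep no subscriptionId at all", i.e. the login-without-subscription case.
    """
    problems = [f"missing {key}" for key in REQUIRED_KEYS if not creds.get(key)]
    for key in ("clientId", "tenantId"):
        if key in creds and not _is_guid(creds[key]):
            problems.append(f"{key} is not a GUID")
    if "subscriptionId" in creds:
        if str(creds["subscriptionId"]) not in permitted_subscriptions:
            problems.append(SUBSCRIPTION_PROBLEM)
        elif not _is_guid(creds["subscriptionId"]):
            problems.append("subscriptionId is not a GUID")
    return problems


def sanitize_creds(creds_json: str, permitted_subscriptions=frozenset()) -> str:
    """Return the creds JSON with an unusable subscriptionId removed.

    v1.5.1 selects the subscription whenever subscriptionId is present, so a
    subscription the principal cannot read fails the whole login even with
    allow-no-subscriptions: true. Dropping the key restores the tenant-only
    login that v1.4.x accepted.
    """
    try:
        creds = json.loads(creds_json)
    except json.JSONDecodeError as exc:
        raise CredsError(f"creds is not valid JSON: {exc.msg}") from None
    if not isinstance(creds, dict):
        raise CredsError("creds must be a JSON object")
    problems = find_problems(creds, permitted_subscriptions)
    if SUBSCRIPTION_PROBLEM in problems:
        del creds["subscriptionId"]
        problems.remove(SUBSCRIPTION_PROBLEM)
    if problems:  # anything left (missing keys, malformed GUIDs) needs a human
        raise CredsError("; ".join(problems))
    return json.dumps(creds, indent=2)


if __name__ == "__main__":
    print(sanitize_creds(SAMPLE_CREDS))
```

Paste the printed JSON back into the secret the workflow's creds: input reads (AKV_SECRET in the caller workflow above); the function is idempotent, so running it over an already-cleaned secret changes nothing.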

"For security reasons, we do not back up Service Principals; they are generated and pushed right away to a GitHub secret."

Hi @FlorentATo, could you please share how you generate and push the GitHub secret? I don't think it requires a lot of work to remove subscriptionId from the secret. Let's see if we can improve this step.
Just to make it clear, it's not a breaking change but an improvement for security.
If the key pain point is updating the secret, let's see what we can do for you to update the workflow file.

Could this be explained a bit more clearly in the Azure Login README, please? I had been wrestling with it until I luckily found this thread, but it was nowhere near the first link in the search results. All of the documentation on GH and Microsoft docs says to include the sub id, without mentioning that providing it can sometimes break the behaviour.