Azure / login

Connect to Azure

Az login failed using OIDC in self-host runner with exit code 1, how can I know the exact error?

qfai opened this issue · comments

commented

Log of my workflow
##[debug]Evaluating condition for step: 'Log in to Azure using OIDC'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Log in to Azure using OIDC
##[debug]Loading inputs
##[debug]Evaluating: secrets.AZURE_CLIENT_ID
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'AZURE_CLIENT_ID'
##[debug]=>
##[debug]Result:
##[debug]Evaluating: secrets.AZURE_TENANT_ID
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'AZURE_TENANT_ID'
##[debug]=> ''
##[debug]Result: '
'
##[debug]Evaluating: secrets.AZURE_SUBSCRIPTION_ID
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'AZURE_SUBSCRIPTION_ID'
##[debug]=>
##[debug]Result:
##[debug]Loading env
Run azure/login@v1
::add-mask::***
Running Azure CLI Login.
##[debug]Azure CLI path: C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd
##[debug]Azure CLI version used:
##[debug]azure-cli 2.56.0
##[debug]
##[debug]core 2.56.0
##[debug]telemetry 1.1.0
##[debug]
##[debug]Extensions:
##[debug]arcappliance 0.2.27
##[debug]azure-iot-ops 0.2.0b1
##[debug]azurestackhci 0.2.3
##[debug]connectedvmware 0.1.12
##[debug]customlocation 0.1.3
##[debug]k8s-extension 1.4.2
##[debug]
##[debug]Dependencies:
##[debug]msal 1.24.0b2
##[debug]azure-mgmt-resource 23.1.0b2
##[debug]
##[debug]Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
##[debug]Extensions directory 'C:\Users\mgodfre3.azure\cliextensions'
##[debug]
##[debug]Python (Windows) 3.11.5 (tags/v3.11.5:cce6ba9, Aug 24 2023, 14:21:31) [MSC v.1936 32 bit (Intel)]
##[debug]
##[debug]Legal docs and information: aka.ms/AzureCliLegal
##[debug]
##[debug]
##[debug]Your CLI is up-to-date.
##[debug]
Error: Login failed with Error: The process 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd' failed with exit code 1. Make sure 'az' is installed on the runner. If 'enable-AzPSSession' is true, make sure 'pwsh' is installed on the runner together with Azure PowerShell module. Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information.
##[debug]Error: The process 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd' failed with exit code 1

##[debug] at ExecState._setResult (C:\Users\mgodfre3\actions-runner_work_actions\azure\login\v1\node_modules@actions\exec\lib\toolrunner.js:592:25)
##[debug] at ExecState.CheckComplete (C:\Users\mgodfre3\actions-runner_work_actions\azure\login\v1\node_modules@actions\exec\lib\toolrunner.js:575:18)
##[debug] at ChildProcess.<anonymous> (C:\Users\mgodfre3\actions-runner_work_actions\azure\login\v1\node_modules@actions\exec\lib\toolrunner.js:469:27)
##[debug] at ChildProcess.emit (node:events:513:28)
##[debug] at maybeClose (node:internal/child_process:1100:16)
##[debug] at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
##[debug]Node Action run completed with exit code 1
##[debug]AZURE_HTTP_USER_AGENT='GITHUBACTIONS/AzureLogin@v1_microsoft/AdaptiveCloudLab-TF'
##[debug]AZUREPS_HOST_ENVIRONMENT='GITHUBACTIONS/AzureLogin@v1_microsoft/AdaptiveCloudLab-TF'
##[debug]AZURE_HTTP_USER_AGENT=''
##[debug]AZUREPS_HOST_ENVIRONMENT=''
##[debug]Finishing: Log in to Azure using OIDC


workflow:

```yaml
name: Site Deployment

on:
  workflow_call:
    inputs:
      working-directory:
        required: true
        type: string

permissions:
  id-token: write
  contents: read

env:
  ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
  ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
  ARM_USE_OIDC: true

jobs:
  terraform:
    name: 'Terraform'
    # runs-on: [ubuntu-latest]
    runs-on: [self-hosted]
    environment: terraform

    # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
    defaults:
      run:
        shell: bash
        working-directory: ${{ inputs.working-directory }}

    steps:
      # Checkout the repository to the GitHub Actions runner
      - name: Checkout
        uses: actions/checkout@v3

      - name: Log in to Azure using OIDC
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
```

Hi @qfai, could you try azure/login@v1.6.0 and attach the debug information?

commented

@MoChilia

##[debug]Loading env
Run azure/login@v1.6.0
with:
client-id: ***
tenant-id: ***
subscription-id: ***
enable-AzPSSession: false
environment: azurecloud
allow-no-subscriptions: false
audience: api://AzureADTokenExchange
auth-type: SERVICE_PRINCIPAL
env:
ARM_CLIENT_ID: ***
ARM_SUBSCRIPTION_ID: ***
ARM_TENANT_ID: ***
ARM_USE_OIDC: true
##[debug]Azure CLI path: C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd
Clearing azure cli accounts from the local cache.
C:\Windows\system32\cmd.exe /D /S /C ""C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" account clear"
ERROR: Decryption failed: [WinError 87] None. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError
Error: Login cleanup failed with Error: The process 'C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd' failed with exit code 1. Make sure 'az' is installed on the runner. If 'enable-AzPSSession' is true, make sure 'pwsh' is installed on the runner together with Azure PowerShell module.
##[debug]Error: The process 'C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd' failed with exit code 1
##[debug] at ExecState._setResult (C:\Users\mgodfre3\actions-runner_work_actions\azure\login\v1.6.0\node_modules@actions\exec\lib\toolrunner.js:592:25)
##[debug] at ExecState.CheckComplete (C:\Users\mgodfre3\actions-runner_work_actions\azure\login\v1.6.0\node_modules@actions\exec\lib\toolrunner.js:575:18)
##[debug] at ChildProcess.<anonymous> (C:\Users\mgodfre3\actions-runner_work_actions\azure\login\v1.6.0\node_modules@actions\exec\lib\toolrunner.js:469:27)
##[debug] at ChildProcess.emit (node:events:513:28)
##[debug] at maybeClose (node:internal/child_process:1100:16)
##[debug] at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Pre Log in to Azure using OIDC

@qfai, this is caused by a decryption failure from MSAL. You can check more details in this issue Azure/azure-cli#20278.

Here are two potential solutions for you:

  1. Check if azure/login@v1.5.0 works for you.
  2. If attempt 1 doesn't work, run az config set core.encrypt_token_cache=false before azure/login@v1.
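
Option 2 placed in the workflow from this issue, as an added example (not part of the original thread and not the azure/login project's own code). The step names, the verification step and the final cleanup step are assumptions. With `core.encrypt_token_cache=false` the Azure CLI keeps its MSAL token cache unencrypted in the runner account's profile, so the example clears the cache when the job ends.

```yaml
# Added example; step names, the verify step and the cleanup step are assumptions.
name: Site Deployment

on:
  workflow_call:

permissions:
  id-token: write   # required for the OIDC token exchange
  contents: read

jobs:
  terraform:
    runs-on: [self-hosted]
    environment: terraform
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      # Option 2 from the reply: turn off encryption of the Azure CLI's MSAL
      # token cache. The setting is written to the runner account's Azure CLI
      # configuration, so it persists across jobs on a self-hosted runner.
      - name: Disable Azure CLI token cache encryption
        run: az config set core.encrypt_token_cache=false

      - name: Log in to Azure using OIDC
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # Fails the job here, with az's own error text, if no account is active.
      - name: Verify login
        run: az account show --output none

      # The cache is stored unencrypted on a machine that outlives the job,
      # so remove cached accounts and tokens even when earlier steps fail.
      - name: Clear Azure CLI accounts
        if: always()
        run: az account clear
```

In the v1.6.0 log above the failure occurs in the action's "Pre" phase, which GitHub Actions runs before any workflow step; for a version that has that phase, run the same `az config set` command once on the runner machine under the account the runner uses.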
commented

@MoChilia I haven't tried these methods. I managed to pass by restarting the machine and using another account to run the self-hosted runner.