aztfy won't pick up token from new az login #288

Closed
MohnJadden opened this issue Oct 31, 2022 · 21 comments · Fixed by #378
Labels: permission, question

Comments

@MohnJadden (Author)

When I run aztfy rg --append --name-pattern "*" RG1 I get a 401 Unauthorized error stating that my access token is for one of my other Azure tenants. If I run az login and log in to the tenant I want to use, then run az account set --subscription to the subscription within that tenant, the error persists. I have re-tried az login several times with the same issue recurring.

The full text:

```text
exporting arm template of resource group RG1: POST https://management.azure.com/subscriptions/correctsubscription/resourcegroups/RG1/exportTemplate
--------------------------------------------------------------------------------
RESPONSE 401: 401 Unauthorized
ERROR CODE: InvalidAuthenticationTokenTenant
--------------------------------------------------------------------------------
{
  "error": {
    "code": "InvalidAuthenticationTokenTenant",
    "message": "The access token is from the wrong issuer 'https://sts.windows.net/incorrectsubscriptionguid/'. It must match one of the tenants 'https://sts.windows.net/don'tknowwhatthisguidis/,https://sts.windows.net/correctsubscriptionguid/' associated with this subscription. Please use any authority (URL) from 'https://login.windows.net/don'tknowwhatthisguidis,https://login.windows.net/correctsubscriptionguid' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
```
@magodo (Collaborator) commented Nov 1, 2022

It appears you are using an old version of the aztfy, can you try with the latest one? Also, you can specify the subscription id to be used via -s option.

magodo added the question label Nov 1, 2022

@MohnJadden (Author)

I upgraded to 0.8.0 and the error is now different - see below. If I use -s followed by the subscription GUID or subscription friendly name, I just get the aztfy default list of commands and "error: flag provided but not defined: -s".

I already re-ran az login to the subscription and az account set --subscription %subscriptionGUID% to point at the correct subscription. I am logged in as a user with Owner rights to all resources in the subscription. I don't see any interactive or non-interactive sign-ins in my Azure AD sign-in logs with the correlation ID.

```text
listing resource set: executing ARG query "Resources | where resourceGroup =~ \"name-of-my-resourcegroup\" | order by id desc": POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources
--------------------------------------------------------------------------------
RESPONSE 400: 400 Bad Request
ERROR CODE: BadRequest
--------------------------------------------------------------------------------
{
  "error": {
    "code": "BadRequest",
    "message": "Please provide below info when asking for support: timestamp = 2022-11-02T13:00:36.0042795Z, correlationId = 19500048-6f16-483d-aff9-641370b18286.",
    "details": [
      {
        "code": "NoValidSubscriptionsInQueryRequest",
        "message": "There must be at least one subscription that is eligible to contain resources. Given: ''."
      }
    ]
  }
}
--------------------------------------------------------------------------------
```

@magodo (Collaborator) commented Nov 3, 2022

From the error message:

"There must be at least one subscription that is eligible to contain resources. Given: ''."

Looks like aztfy somehow received the subscription id as .? The logic of how aztfy gets the subscription id is as below (starting from the highest priority):

  • Command line option (-s, --subscription-id)
  • Env variable: AZTFY_SUBSCRIPTION_ID
  • Env variable: ARM_SUBSCRIPTION_ID
  • Output of azure cli, the current active subscription (az account show --query id)

So would you please check your command, env vars, and the output of the above az cli command to see where that . comes from?

@MohnJadden (Author)

And like I said, when I run aztfy with -s, I get an error that the flag is not defined.

```text
PS C:\repos\blankstate\aztfy> aztfy --subscription-id guid-of-my-subscription
Incorrect Usage. flag provided but not defined: -subscription-id

NAME:
   aztfy - Bring existing Azure resources under Terraform's management

USAGE:
   aztfy [command] [option]

VERSION:
   v0.8.0(a7c179f)

COMMANDS:
   resource, res       Terrafying a single resource
   resource-group, rg  Terrafying a resource group and the nested resources resides within it
   query               Terrafying a customized scope of resources determined by an Azure Resource Graph where predicate
   mapping-file, map   Terrafying a customized scope of resources determined by the resource mapping file
   help, h             Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --help, -h     show help (default: false)
   --version, -v  print the version (default: false)

Error: flag provided but not defined: -subscription-id
PS C:\repos\blankstate\aztfy>
PS C:\repos\blankstate\aztfy> az account show --query id
"guid-of-my-subscription"
PS C:\repos\blankstate\aztfy>
```

I am not using any environment variables for subscription ID since I switch between subscriptions and tenants fairly frequently. Not to sound rude but it seems like the -s command line option you're asking me to run simply doesn't exist in aztfy; it's nowhere in the documentation and as you can see it isn't working when used.

@magodo (Collaborator) commented Nov 4, 2022

@MohnJadden This option is behind the subcommand, type aztfy rg -h to see all the options. It would be something like aztfy rg --subscription-id <guid> <rg-name>.

@MohnJadden (Author)

No luck. Running aztfy rg --subscription-id mysubscriptionGUID Resource-Group-Name throws the same BadRequest error.

@magodo (Collaborator) commented Nov 7, 2022

@MohnJadden The error message "There must be at least one subscription that is eligible to contain resources. Given: ''." indicates that the subscription id you've specified is an empty string. Did you specify a string literal as mysubscriptionGUID, or is something doing variable expansion for mysubscriptionGUID?

@MohnJadden (Author)

I literally specified the GUID of the subscription in question - aztfy rg --subscription-id aaaaa-bbbbb-ccccc-ddddd Resource-Group-Name

@chughesvf commented Nov 17, 2022

I'm having the same issue on a brand new deployed win 11, with aztfy, specifying subscription id and RG name. I am able to query the resources in this RG using az cli in the same console. The below error occurs right after listing azure resources. I have tried logging out and logging back in the az cli as well as rebooting the machine. I can list the resources in the cli without any issue.

```text
listing resource set: executing ARG query "Resources | where resourceGroup =~ "DEV-000072-RG" | order by id desc":
POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources

RESPONSE 403: 403 Forbidden
ERROR CODE: AccessDenied

{
  "error": {
    "code": "AccessDenied",
    "message": "Please provide below info when asking for support: timestamp = 2022-11-17T19:01:54.0190377Z, correlationId = 1ef6d4af-4c10-45d8-ad68-c9ec2ccf3f56.",
    "details": [
      {
        "code": "AccessDenied",
        "message": "Access is denied to the requested resource. The user might not have enough permission."
      }
    ]
  }
}
```

The correlationId also is not found in Azure, so it's failing somewhere else I presume (the following returns null):

```text
get-azlog -CorrelationId 1ef6d4af-4c10-45d8-ad68-c9ec2ccf3f56
```


Interestingly enough, I was able to do this on another machine (Windows 10) without the login failure. On the suspect machine, there is nothing special other than that it's Windows 11 and brand new. This machine is in Azure, not sure that would make a difference though.

I am able to use az cli and terraform on the suspect machine without any issue.

@MohnJadden (Author)

I'm also still running into the 400 error even when I try different permutations of quotation marks, subscription names, etc. I've also used az login --t to specify the tenant ID where my account lives - no help. Still shows NoValidSubscriptionsInQueryRequest, even though I've used az account set for both the friendly name and GUID. Seems like it's just fundamentally broken for this environment.

Interestingly enough, I do not have the issue if I just use it against one resource. I get taken to the aztfy interface as normal.

@magodo (Collaborator) commented Dec 7, 2022

@chughesvf That is because the active subscription of azure cli is not the one you specified when running aztfy, please use az account set -s "your-sub-id".

@MohnJadden I think the way the subscription is passed to aztfy has some issue. In the main branch, we've added logging, which logs the config (that contains the subscription passed in) in the first statement. So would you mind using the main branch, running it with the options --log-level DEBUG --log-path=<path2log>, and checking the log to see what subscription id is actually passed in?

@MohnJadden (Author)

Is the main branch equivalent to 0.9.0? If so, I upgraded to 0.9.0 and ran aztfy --log-level DEBUG --log-path log.txt rg MyRGName and received an error: flag provided but not defined: -log-level

@magodo (Collaborator) commented Dec 8, 2022

@MohnJadden No, you'll need to have Go toolchain installed and run go install github.com/Azure/aztfy@main to get the latest one.

@jjtynan commented Dec 20, 2022

I also get a 400 error as outlined above on ver 0.8.0 and 0.9.0, suggesting that there is nothing populated as a subscription ID...

```text
      "details": [
        {
          "code": "NoValidSubscriptionsInQueryRequest",
          "message": "There must be at least one subscription that is eligible to contain resources. Given: ''."
        }
```

Command used:

```text
./aztfy resource-group --subscription-id <GUID SUBSCRIPTION_ID> <resource group name>
```

Also defining the environment variables to test ( [$AZTFY_SUBSCRIPTION_ID, $ARM_SUBSCRIPTION_ID] ) did not help.

I can see my subscription ID set as default in the command help but...

```text
./aztfy rg -h
--subscription-id value, -s value                  The subscription id (default: "xxxxxxxx-aaaa-bbbb-cccc-yyyyyyyyyyyy") [$AZTFY_SUBSCRIPTION_ID, $ARM_SUBSCRIPTION_ID]
```

and when I issue the command with just a resource group name:

```text
./aztfy myRG
No help topic for 'myRG'
```

@magodo (Collaborator) commented Jan 3, 2023

@MohnJadden and @jjtynan That probably indicates the default account set by az cli, and hence the generated access token, is not eligible to access the resource group you've specified. Please ensure the account has the correct permission to do so.

@Flightdeck73

aztfy version v0.10.0(397dc69)

Where are we on this? I'm having the same issues on windows 11 running: aztfy resource-group --subscription-id subID rgName
I am def logged in and can see the current sub with az account show..

Also when I execute the command in PowerShell it doesn't look like it's processed in the same ps scope.. wonder if that's the issue

@magodo (Collaborator) commented Mar 14, 2023

@Flightdeck73 Could you please provide the debug log via aztfy rg --log-level DEBUG --log-path log.txt --subscription-id subID rgName? Also, could you please elaborate more about Also when i execute the command in PowerShell it doesn't look like its processed in the same ps scope?

@Flightdeck73 commented Mar 14, 2023

```text
aztfy rg --log-level DEBUG --log-path log.txt --subscription-id subID rgName

listing resource set: executing ARG query "Resources | where resourceGroup =~ "someRGname" | order by id desc": DefaultAzureCredential:
failed to acquire a token.
Attempted credentials:
EnvironmentCredential: missing environment variable AZURE_TENANT_ID
ManagedIdentityCredential: IMDS token request timed out
```

> Also, could you please elaborate more about "Also when I execute the command in PowerShell it doesn't look like it's processed in the same ps scope"?

  • In PowerShell 7, when I execute aztfy rg someRGname
  • Azure Terrafy [dot thing] Initializing.. is shown, then the NoValidSubscriptionsInQueryRequest error
  • I have to press Ctrl+C to get back to the PowerShell prompt, and all the aztfy output is gone

fyi we are using AzureUSGovernment

@magodo (Collaborator) commented Mar 15, 2023

@Flightdeck73 Thank you for providing the crucial fact that you are using usgov. Currently, to use a cloud other than public, you'll have to specify that via the env var ARM_ENVIRONMENT (i.e. export ARM_ENVIRONMENT=usgovernment). I've submitted PR #378 to introduce a new option --env to make it more discoverable for users.
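As an added example (not aztfy's own code), here is the subscription-id resolution order magodo listed earlier (flag, AZTFY_SUBSCRIPTION_ID, ARM_SUBSCRIPTION_ID, then az account show) together with the ARM_ENVIRONMENT switch from this fix, written so the two failure modes in this thread fail fast: an empty id is rejected before it can reach Resource Graph as Given: '', and a usgovernment login is routed to its own ARM endpoint instead of management.azure.com. The function names, the injected getenv/azAccountShow hooks and the US Government endpoint URL are this example's own assumptions, not aztfy's API.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var guidRe = regexp.MustCompile(`^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`)

// ResolveSubscription applies the priority order magodo lists: CLI flag, then
// AZTFY_SUBSCRIPTION_ID, then ARM_SUBSCRIPTION_ID, then the Azure CLI's active
// account. getenv and azAccountShow are injected (assumed hooks; os.Getenv and
// "az account show --query id" in real use) so the logic runs without a shell.
// An empty or malformed id fails here instead of reaching Resource Graph as ''.
func ResolveSubscription(flag string, getenv func(string) string, azAccountShow func() (string, error)) (string, error) {
	sources := [][2]string{{"--subscription-id", flag},
		{"AZTFY_SUBSCRIPTION_ID", getenv("AZTFY_SUBSCRIPTION_ID")},
		{"ARM_SUBSCRIPTION_ID", getenv("ARM_SUBSCRIPTION_ID")}}
	for _, s := range sources {
		if v := strings.ToLower(strings.TrimSpace(s[1])); v != "" {
			if !guidRe.MatchString(v) {
				return "", fmt.Errorf("%s: %q is not a subscription GUID", s[0], v)
			}
			return v, nil
		}
	}
	out, err := azAccountShow()
	if err != nil {
		return "", fmt.Errorf("az account show: %w", err)
	}
	// az prints the id JSON-quoted ("guid"), as in the PowerShell transcript above.
	v := strings.ToLower(strings.Trim(strings.TrimSpace(out), `"`))
	if !guidRe.MatchString(v) {
		return "", fmt.Errorf("az account show gave %q; run az login and az account set first", v)
	}
	return v, nil
}

// ResolveEndpoint maps ARM_ENVIRONMENT (default public) to the ARM base URL
// (assumed endpoint values), so a usgovernment token never goes to the public cloud.
func ResolveEndpoint(getenv func(string) string) (string, error) {
	switch env := strings.ToLower(strings.TrimSpace(getenv("ARM_ENVIRONMENT"))); env {
	case "", "public":
		return "https://management.azure.com", nil
	case "usgovernment":
		return "https://management.usgovcloudapi.net", nil
	default:
		return "", fmt.Errorf("ARM_ENVIRONMENT=%q: expected public or usgovernment", env)
	}
}
```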

@sweanan commented Apr 5, 2023

@magodo Thank you for the fix. Can you please update the document with this new option? I encountered the same issue and had to trace this chain to get the solution working.
