
Logging in to the Azure CLI does not provide access to az devops commands as expected #1258

Open
mdekrey opened this issue Mar 7, 2022 · 13 comments

Comments

@mdekrey

mdekrey commented Mar 7, 2022

Logging in to the Azure CLI does not provide access to az devops commands as expected

Command Name
az devops project list
(Extension Name: azure-devops. Version: 0.23.0.)

Errors:

Before you can run Azure DevOps commands, you need to run the login command(az login if using AAD/MSA identity else az devops login if using PAT token) to setup credentials.  Please see https://aka.ms/azure-devops-cli-auth for more information.

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Log into the Azure cli using az login
  • az devops project list

Expected Behavior

A list of projects in my devops organizations should be presented.

Environment Summary

Windows-10-10.0.22000-SP0
Python 3.8.9
Installer: MSI

azure-cli 2.34.1

Extensions:
azure-devops 0.23.0

Dependencies:
msal 1.16.0
azure-mgmt-resource 20.0.0

Additional Context

The link in the error message does not provide further information on using az login for using AAD/MSA identity.

@jikuja
Contributor

jikuja commented Jul 15, 2022

I've had similar issues.

One cause for this is https://github.com/Azure/azure-devops-cli-extension/blob/master/azure-devops/azext_devops/dev/common/services.py#L165 hiding issues with token fetch. Exceptions are logged only with debug level.

Other minor issue with the selection of default subscription. The code does not work ATM at all. PR coming soon.

@tharwan

tharwan commented Sep 12, 2022

any workaround for this?

@jikuja
Contributor

jikuja commented Sep 12, 2022

If I remember correctly, using az login --tenant <guid> should fix most of the issues:

  • makes sure you have tokens for the tenant you want to use
  • goes through MFA if needed

Extension tries tenant of the selected subscription first. That should decrease the amount of login issues. Sadly that feature does not work and looks like nobody works with PRs. Might be better using other tools for scripting.


other work: ticket about the state of the tooling: https://developercommunity.visualstudio.com/t/The-current-state-and-the-future-of-Az-C/10145300

Alternative tools:

@v-soujanya
Collaborator

Hi @mdekrey, Please find the below analysis for az login and az devops project list

  1. az login : it will check for active subscriptions on portal.azure.com for your tenant. If you don't have the subscriptions / subscriptions expired, you need to provide PAT token to run the az devops commands. (az devops login)
  2. az devops project list : Please provide PAT token then you can see the project list.

@tharwan

tharwan commented Sep 15, 2022

> If I remember correctly, using az login --tenant <guid> should fix most of the issues:
>
>   • makes sure you have tokens for the tenant you want to use
>   • goes through MFA if needed
>
> Extension tries tenant of the selected subscription first. That should decrease the amount of login issues. Sadly that feature does not work and looks like nobody works with PRs. Might be better using other tools for scripting.
>
> other work: ticket about the state of the tooling: https://developercommunity.visualstudio.com/t/The-current-state-and-the-future-of-Az-C/10145300
>
> Alternative tools:

does not work for me

@jikuja
Contributor

jikuja commented Sep 15, 2022

> Hi @mdekrey, Please find the below analysis for az login and az devops project list
>
>   1. az login : it will check for active subscriptions on portal.azure.com for your tenant. If you don't have the subscriptions / subscriptions expired, you need to provide PAT token to run the az devops commands. (az devops login)
>   2. az devops project list : Please provide PAT token then you can see the project list.

Not really true

  1. AZ CLI does not use Azure portal
  2. AZ ADO extension (does/)should not use subscription information by default
    a. Subscription information is only used if e.g. adding service connection to subscription
  3. Azure Devops can be used without subscriptions
    a. That kind of limitation would not make any sense. It would block all workload that are not specific for Azure workloads
    b. az login --allow-no-subscriptions - this will create dummy subscription on AZ CLI internal data structures

Current AAD token authentication in this extension is really buggy by hiding information and error from user and should be rewritten. (Issue describing the problems coming soon)

@v-soujanya
Collaborator

@mdekrey, we recently started working on the CLI service and we have checked the code. If you have an Azure Active Directory/Microsoft account (AAD/MSA), you can see the "az devops project list" output by using "az login"; otherwise you need to use "az devops login" (provide PAT) to see the "az devops project list".

@tharwan

tharwan commented Oct 13, 2022

fixed for me in the current version

@ceciliasharp

Updating Azure CLI fixes the problem.
Run: "az upgrade"

@jikuja
Contributor

jikuja commented Dec 5, 2022

> Updating Azure CLI fixes the problem. Run: "az upgrade"

Which version did you update from?

0.22.0 has some fixes but it was released over years ago.


Extension authentication is buggy(1)(2) and badly documented:

  • does not mention you need to use az login --tenant <guid> with B2B guest accounts
  • does not mention that running az account set -n <subscription> would make auth process faster and increases possibility that authentication will actually work: requires release with b3d0392

(1) b3d0392 no new release after the commit
(2) #1298

@ceciliasharp

> > Updating Azure CLI fixes the problem. Run: "az upgrade"
>
> Which version did you update from?
>
> 0.22.0 has some fixes but it was released over years ago.
>
> Extension authentication is buggy(1)(2) and badly documented:
>
>   • does not mention you need to use az login --tenant <guid> with B2B guest accounts
>   • does not mention that running az account set -n <subscription> would make auth process faster and increases possibility that authentication will actually work: requires release with b3d0392
>
> (1) b3d0392 no new release after the commit
> (2) #1298

I'm sorry but that information is gone... But I'm guessing that I have been running on the same version for some years now. But I did now set up the option of auto-upgrade that the upgrade hinted about, so now I will stay up-to-date :-)

@housten

housten commented Oct 24, 2024

Spent all day on this till I stumbled upon this related issue

Ensure you run AZ Login through an elevated prompt the first time as it tries to install the Python keyring package!

@jikuja
Contributor

jikuja commented Oct 25, 2024

This might be the best way to authenticate with devops extension:

```powershell
Connect-AzAccount -tenant "xxxx" -Scope Process -DeviceAuth
$Env:AZURE_DEVOPS_EXT_PAT = (Get-AzAccessToken -ResourceUrl "499b84ac-1321-427f-aa17-267ca6975798").Token

# check your login
az devops project show --org "$ORG" -p "$PROJECT"
```

  1. Yes, I mostly use Az PowerShell because the tenant/subscription selection on CLI is just awful
  2. Using AZURE_DEVOPS_EXT_PAT environment variable makes devops extension skip most of the authz logic
  3. Az CLI has its own commands to fetch authentication token so PowerShell is not needed: az account get-access-token
  4. For PowerShell -SkipContextPopulation might be good for login
  5. For Az CLI --allow-no-subscriptions might be good for login
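
The same workaround using only the Azure CLI, which the last comment says is possible with az account get-access-token. This is an added example, not code from the thread or from the extension; it checks the token's audience, tenant and expiry before exporting AZURE_DEVOPS_EXT_PAT. Function names are hypothetical, and it assumes the access token is a JWT whose aud claim equals the requested resource ID.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, not part of the extension.
ADO_RESOURCE="499b84ac-1321-427f-aa17-267ca6975798"  # resource ID quoted in the thread

# Decode the payload segment of a JWT (no signature check; inspection only).
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in       # restore the padding that base64url strips
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print one flat string or numeric claim; avoids a jq dependency.
jwt_claim() {
  jwt_payload "$1" | tr -d '\n' |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# Succeed only if the token is for Azure DevOps, the expected tenant, and unexpired.
# Assumption: the token is a JWT whose aud claim equals the resource ID requested.
check_ado_token() {
  local token="$1" tenant="$2" now="${3:-$(date +%s)}" aud tid exp
  aud=$(jwt_claim "$token" aud)
  tid=$(jwt_claim "$token" tid)
  exp=$(jwt_claim "$token" exp)
  [ "$aud" = "$ADO_RESOURCE" ] || { echo "wrong audience: ${aud:-none}" >&2; return 1; }
  [ "$tid" = "$tenant" ] || { echo "wrong tenant: ${tid:-none}" >&2; return 2; }
  [ "${exp:-0}" -gt "$now" ] 2>/dev/null || { echo "expired or no exp claim" >&2; return 3; }
}

# Fetch an AAD token with the Azure CLI and hand it to the extension.
ado_login() {
  local tenant="$1" token
  token=$(az account get-access-token --tenant "$tenant" \
            --resource "$ADO_RESOURCE" --query accessToken -o tsv) || return 1
  check_ado_token "$token" "$tenant" || return 1
  # Bearer credential: process environment only, never echo or log it.
  export AZURE_DEVOPS_EXT_PAT="$token"
}

# Usage: ado_login "<tenant-guid>" && az devops project show --org "$ORG" -p "$PROJECT"
```

If an az devops command still fails after this, rerun it with --debug: as noted earlier in the thread, token-fetch exceptions are logged only at debug level.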
