
Azure OIDC login fails in Github Actions #22628

Closed
v2kiran opened this issue Aug 22, 2023 · 8 comments · Fixed by #25733
Labels: Authentication; Azure PS Team; bug (This issue requires a change to an existing behavior in the product in order to be resolved); Investigate 🔍; needs-team-attention (This issue needs attention from Azure service team or SDK team); Tracking (We will track status and follow internally)

Comments


v2kiran commented Aug 22, 2023

Description

The following fails:

# Keep the Az context in the current process only (no on-disk context or token cache)
Disable-AzContextAutosave -Scope Process
# Sign in as the service principal, presenting the GitHub OIDC token as the client assertion
Connect-AzAccount -TenantId ${{ env.ARM_TENANT_ID }} -ApplicationId ${{ env.ARM_CLIENT_ID }} -FederatedToken $GitToken -ServicePrincipal -ErrorAction Stop

Issue script & Debug output

DEBUG: Initializing ConditionalAssemblyContext. PSEdition is [Core]. PSVersion is [7.3.6].
DEBUG: Initializing ConditionalAssemblyProvider. AssemblyRootPath is [/usr/local/share/powershell/Modules/Az.Accounts/2.12.5/StartupScripts/../lib].
DEBUG: Registering Az shared AssemblyLoadContext.
DEBUG: AssemblyLoadContext registered.
DEBUG: Got version 0 of Az
DEBUG: Got version 0 of Az.Accounts
DEBUG: 17:26:27 - DisableAzureRmContextAutosave begin processing with ParameterSet '__AllParameterSets'.
DEBUG: 17:26:27 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 17:26:27 - Autosave setting from startup session: 'CurrentUser'
DEBUG: 17:26:27 - No autosave setting detected in environment variable 'AzContextAutoSave'. 
DEBUG: 17:26:27 - Setting Autosave scope to 'Process' as specified in the cmdlet parameters.
DEBUG: 17:26:27 - Using Autosave scope 'Process'

Mode             : Process
ContextDirectory : 
ContextFile      : 
CacheDirectory   : 
CacheFile        : 
KeyStoreFile     : 
Settings         : {}

DEBUG: 17:26:27 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.12.5; CommandName: Disable-AzContextAutosave; PSVersion: 7.3.6; IsSuccess: True; Duration: 00:00:00.4122006
DEBUG: 17:26:27 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 17:26:27 - DisableAzureRmContextAutosave end processing.
DEBUG: 17:26:27 - ConnectAzureRmAccountCommand begin processing with ParameterSet 'ClientAssertionParameterSet'.
DEBUG: 17:26:27 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 17:26:27 - [ConfigManager] Got nothing from [DefaultSubscriptionForLogin], Module = [], Cmdlet = []. Returning default value [].
DEBUG: 17:26:27 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 17:26:27 - Autosave setting from startup session: 'Process'
DEBUG: 17:26:27 - No autosave setting detected in environment variable 'AzContextAutoSave'. 
DEBUG: 17:26:27 - Using Autosave scope 'Process'
DEBUG: 17:26:27 - Autosave setting from startup session: 'Process'
DEBUG: 17:26:27 - No autosave setting detected in environment variable 'AzContextAutoSave'. 
DEBUG: 17:26:27 - Using Autosave scope 'Process'
DEBUG: 17:26:27 - [ClientAssertionAuthenticator] Calling ClientAssertionCredential.GetTokenAsync - ClientId:'***', TenantId:'***', ClientAssertion:'***' Scopes:'https://management.core.windows.net//.default'
DEBUG: 17:26:28 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].

Environment data

Name                           Value
----                           -----
PSVersion                      7.3.6
PSEdition                      Core
GitCommitId                    7.3.6
OS                             Linux 5.10.102.2-microsoft-standard #1 SMP Mon M…
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

Name              : Az.Accounts
Path              : /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Az.A
                    ccounts.psm1
Description       : Microsoft Azure PowerShell - Accounts credential management
                     cmdlets for Azure Resource Manager in Windows PowerShell a
                    nd PowerShell Core.
                    
                    For more information on account credential management, plea
                    se visit the following: https://learn.microsoft.com/powersh
                    ell/azure/authenticate-azureps
Guid              : 17a2feff-488b-47f9-8729-e2cec094624c
Version           : 2.12.5
ModuleBase        : /usr/local/share/powershell/Modules/Az.Accounts/2.12.5
ModuleType        : Script
PrivateData       : {[PSData, System.Collections.Hashtable]}
AccessMode        : ReadWrite
ExportedAliases   : {[Add-AzAccount, Add-AzAccount], [Get-AzDomain, Get-AzDomai
                    n], [Invoke-AzRest, Invoke-AzRest], [Login-AzAccount, Login
                    -AzAccount]…}
ExportedCmdlets   : {[Add-AzEnvironment, Add-AzEnvironment], [Clear-AzConfig, C
                    lear-AzConfig], [Clear-AzContext, Clear-AzContext], [Clear-
                    AzDefault, Clear-AzDefault]…}
ExportedFunctions : {}
ExportedVariables : {}
NestedModules     : {Microsoft.Azure.PowerShell.Cmdlets.Accounts}

Error output

DEBUG: 17:26:28 - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 17:26:28 - using account id '***'...
DEBUG: 17:26:28 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
InnerException   : False
Exception        : System.ArgumentNullException: Persistence check failed. Insp
                   ect inner exception for details
                   Could not find tenant id for provided tenant domain 'e6f7641
                   c-0828-43ab-a963-69cae0d256a4'. 
                    ---> Microsoft.Identity.Client.Extensions.Msal.MsalCachePer
                   sistenceException: Persistence check failed. Inspect inner e
                   xception for details
                    ---> System.DllNotFoundException: Unable to load shared lib
                   rary 'libsecret-1.so.0' or one of its dependencies. In order
                    to help diagnose loading problems, consider using a tool li
                   ke strace. If you're using glibc, consider setting the LD_DE
                   BUG environment variable: 
                   /opt/microsoft/powershell/7/libsecret-1.so.0.so: cannot open
                    shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/libsecret-1.so.0.so: cannot o
                   pen shared object file: No such file or directory
                   /opt/microsoft/powershell/7/liblibsecret-1.so.0.so: cannot o
                   pen shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/liblibsecret-1.so.0.so: canno
                   t open shared object file: No such file or directory
                   /opt/microsoft/powershell/7/libsecret-1.so.0: cannot open sh
                   ared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/libsecret-1.so.0: cannot open
                    shared object file: No such file or directory
                   /opt/microsoft/powershell/7/liblibsecret-1.so.0: cannot open
                    shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/liblibsecret-1.so.0: cannot o
                   pen shared object file: No such file or directory
                   
                      at Microsoft.Identity.Client.Extensions.Msal.Libsecret.se
                   cret_schema_new(String name, Int32 flags, String attribute1,
                    Int32 attribute1Type, String attribute2, Int32 attribute2Ty
                   pe, IntPtr end)
                      at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyring
                   Accessor.GetLibsecretSchema()
                      at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyring
                   Accessor.Write(Byte[] data)
                      at Microsoft.Identity.Client.Extensions.Msal.Storage.Veri
                   fyPersistence()
                      --- End of inner exception stack trace ---
                      at Microsoft.Identity.Client.Extensions.Msal.Storage.Veri
                   fyPersistence()
                      at Microsoft.Identity.Client.Extensions.Msal.MsalCacheHel
                   per.VerifyPersistence()
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lCacheHelperWrapper.VerifyPersistence()
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.GetCacheHelperAsync(Boolean async, CancellationToken
                    cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.GetCacheHelperAsync(Boolean async, CancellationToken
                    cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.RegisterCache(Boolean async, ITokenCache tokenCache,
                    CancellationToken cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lClientBase`1.GetClientAsync(Boolean async, CancellationToke
                   n cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lConfidentialClient.AcquireTokenForClientCoreAsync(String[] 
                   scopes, String tenantId, Boolean async, CancellationToken ca
                   ncellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lConfidentialClient.AcquireTokenForClientAsync(String[] scop
                   es, String tenantId, Boolean async, CancellationToken cancel
                   lationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Cli
                   entAssertionCredential.GetTokenAsync(TokenRequestContext req
                   uestContext, CancellationToken cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.MsalAccessTo
                   ken.GetAccessTokenAsync(String callerClassName, String param
                   etersLog, TokenCredential tokenCredential, TokenRequestConte
                   xt requestContext, CancellationToken cancellationToken, Stri
                   ng tenantId, String userId, String homeAccountId)
                      at Microsoft.Azure.Commands.Common.Authentication.Factori
                   es.AuthenticationFactory.Authenticate(IAzureAccount account,
                    IAzureEnvironment environment, String tenant, SecureString 
                   password, String promptBehavior, Action`1 promptAction, IAzu
                   reTokenCache tokenCache, String resourceId)
                      at Microsoft.Azure.Commands.ResourceManager.Common.RMProf
                   ileClient.AcquireAccessToken(IAzureAccount account, IAzureEn
                   vironment environment, String tenantId, SecureString passwor
                   d, String promptBehavior, Action`1 promptAction, String reso
                   urceId)
                      at Microsoft.Azure.Commands.ResourceManager.Common.RMProf
                   ileClient.Login(IAzureAccount account, IAzureEnvironment env
                   ironment, String tenantIdOrName, String subscriptionId, Stri
                   ng subscriptionName, SecureString password, Boolean skipVali
                   dation, IOpenIDConfiguration openIDConfigDoc, Action`1 promp
                   tAction, String name, Boolean shouldPopulateContextList, Int
                   32 maxContextPopulation, String authScope)
                      --- End of inner exception stack trace ---
                      at Microsoft.Azure.Commands.ResourceManager.Common.RMProf
                   ileClient.Login(IAzureAccount account, IAzureEnvironment env
                   ironment, String tenantIdOrName, String subscriptionId, Stri
                   ng subscriptionName, SecureString password, Boolean skipVali
                   dation, IOpenIDConfiguration openIDConfigDoc, Action`1 promp
                   tAction, String name, Boolean shouldPopulateContextList, Int
                   32 maxContextPopulation, String authScope)
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.<>c__DisplayClass127_2.<ExecuteCmdlet>b__5()
                      at System.Threading.Tasks.Task`1.InnerInvoke()
                      at System.Threading.ExecutionContext.RunFromThreadPoolDis
                   patchLoop(Thread threadPoolThread, ExecutionContext executio
                   nContext, ContextCallback callback, Object state)
                   --- End of stack trace from previous location ---
                      at System.Threading.ExecutionContext.RunFromThreadPoolDis
                   patchLoop(Thread threadPoolThread, ExecutionContext executio
                   nContext, ContextCallback callback, Object state)
                      at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Tas
                   k& currentTaskSlot, Thread threadPoolThread)
                   --- End of stack trace from previous location ---
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.<>c__DisplayClass127_1.<ExecuteCmdlet>b__1(AzureRmPr
                   ofile localProfile, RMProfileClient profileClient, String na
                   me)
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.<>c__DisplayClass136_0.<SetContextWithOverwritePromp
                   t>b__0(AzureRmProfile prof, RMProfileClient client)
                      at Microsoft.Azure.Commands.Profile.Common.AzureContextMo
                   dificationCmdlet.ModifyContext(Action`2 contextAction)
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.SetContextWithOverwritePrompt(Action`3 setContextAct
                   ion)
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.ExecuteCmdlet()
                      at Microsoft.WindowsAzure.Commands.Utilities.Common.Cmdle
                   tExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c
                   )
                      at Microsoft.WindowsAzure.Commands.Utilities.Common.Cmdle
                   tExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`
                   1 executor)
                      at Microsoft.WindowsAzure.Commands.Utilities.Common.Cmdle
                   tExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
                      at Microsoft.WindowsAzure.Commands.Utilities.Common.Azure
                   PSCmdlet.ProcessRecord()
Message          : Persistence check failed. Inspect inner exception for detail
                   s
                   Could not find tenant id for provided tenant domain 'e6f7641
                   c-0828-43ab-a963-69cae0d256a4'. 
StackTrace       :    at Microsoft.Azure.Commands.ResourceManager.Common.RMProf
                   ileClient.Login(IAzureAccount account, IAzureEnvironment env
                   ironment, String tenantIdOrName, String subscriptionId, Stri
                   ng subscriptionName, SecureString password, Boolean skipVali
                   dation, IOpenIDConfiguration openIDConfigDoc, Action`1 promp
                   tAction, String name, Boolean shouldPopulateContextList, Int
                   32 maxContextPopulation, String authScope)
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.<>c__DisplayClass127_2.<ExecuteCmdlet>b__5()
                      at System.Threading.Tasks.Task`1.InnerInvoke()
                      at System.Threading.ExecutionContext.RunFromThreadPoolDis
                   patchLoop(Thread threadPoolThread, ExecutionContext executio
                   nContext, ContextCallback callback, Object state)
                   --- End of stack trace from previous location ---
                      at System.Threading.ExecutionContext.RunFromThreadPoolDis
                   patchLoop(Thread threadPoolThread, ExecutionContext executio
                   nContext, ContextCallback callback, Object state)
                      at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Tas
                   k& currentTaskSlot, Thread threadPoolThread)
                   --- End of stack trace from previous location ---
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.<>c__DisplayClass127_1.<ExecuteCmdlet>b__1(AzureRmPr
                   ofile localProfile, RMProfileClient profileClient, String na
                   me)
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.<>c__DisplayClass136_0.<SetContextWithOverwritePromp
                   t>b__0(AzureRmProfile prof, RMProfileClient client)
                      at Microsoft.Azure.Commands.Profile.Common.AzureContextMo
                   dificationCmdlet.ModifyContext(Action`2 contextAction)
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.SetContextWithOverwritePrompt(Action`3 setContextAct
                   ion)
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.ExecuteCmdlet()
                      at Microsoft.WindowsAzure.Commands.Utilities.Common.Cmdle
                   tExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c
                   )
                      at Microsoft.WindowsAzure.Commands.Utilities.Common.Cmdle
                   tExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`
                   1 executor)
                      at Microsoft.WindowsAzure.Commands.Utilities.Common.Cmdle
                   tExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
                      at Microsoft.WindowsAzure.Commands.Utilities.Common.Azure
                   PSCmdlet.ProcessRecord()
HelpLink         : 
ErrorDetails     : 
ErrorCategory    : CloseError: (:) [Connect-AzAccount], ArgumentNullException
InvocationInfo   : System.Management.Automation.InvocationInfo
ScriptStackTrace : at <ScriptBlock>, /home/docker/actions-runner/_work/_temp/45
                   c02185-83e4-4dc2-98b3-43a024bcc428.ps1: line 23
                   at <ScriptBlock>, <No file>: line 1

InnerException   : False
Exception        : Microsoft.Identity.Client.Extensions.Msal.MsalCachePersisten
                   ceException: Persistence check failed. Inspect inner excepti
                   on for details
                    ---> System.DllNotFoundException: Unable to load shared lib
                   rary 'libsecret-1.so.0' or one of its dependencies. In order
                    to help diagnose loading problems, consider using a tool li
                   ke strace. If you're using glibc, consider setting the LD_DE
                   BUG environment variable: 
                   /opt/microsoft/powershell/7/libsecret-1.so.0.so: cannot open
                    shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/libsecret-1.so.0.so: cannot o
                   pen shared object file: No such file or directory
                   /opt/microsoft/powershell/7/liblibsecret-1.so.0.so: cannot o
                   pen shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/liblibsecret-1.so.0.so: canno
                   t open shared object file: No such file or directory
                   /opt/microsoft/powershell/7/libsecret-1.so.0: cannot open sh
                   ared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/libsecret-1.so.0: cannot open
                    shared object file: No such file or directory
                   /opt/microsoft/powershell/7/liblibsecret-1.so.0: cannot open
                    shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/liblibsecret-1.so.0: cannot o
                   pen shared object file: No such file or directory
                   
                      at Microsoft.Identity.Client.Extensions.Msal.Libsecret.se
                   cret_schema_new(String name, Int32 flags, String attribute1,
                    Int32 attribute1Type, String attribute2, Int32 attribute2Ty
                   pe, IntPtr end)
                      at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyring
                   Accessor.GetLibsecretSchema()
                      at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyring
                   Accessor.Write(Byte[] data)
                      at Microsoft.Identity.Client.Extensions.Msal.Storage.Veri
                   fyPersistence()
                      --- End of inner exception stack trace ---
                      at Microsoft.Identity.Client.Extensions.Msal.Storage.Veri
                   fyPersistence()
                      at Microsoft.Identity.Client.Extensions.Msal.MsalCacheHel
                   per.VerifyPersistence()
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lCacheHelperWrapper.VerifyPersistence()
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.GetCacheHelperAsync(Boolean async, CancellationToken
                    cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.GetCacheHelperAsync(Boolean async, CancellationToken
                    cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.RegisterCache(Boolean async, ITokenCache tokenCache,
                    CancellationToken cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lClientBase`1.GetClientAsync(Boolean async, CancellationToke
                   n cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lConfidentialClient.AcquireTokenForClientCoreAsync(String[] 
                   scopes, String tenantId, Boolean async, CancellationToken ca
                   ncellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lConfidentialClient.AcquireTokenForClientAsync(String[] scop
                   es, String tenantId, Boolean async, CancellationToken cancel
                   lationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Cli
                   entAssertionCredential.GetTokenAsync(TokenRequestContext req
                   uestContext, CancellationToken cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.MsalAccessTo
                   ken.GetAccessTokenAsync(String callerClassName, String param
                   etersLog, TokenCredential tokenCredential, TokenRequestConte
                   xt requestContext, CancellationToken cancellationToken, Stri
                   ng tenantId, String userId, String homeAccountId)
                      at Microsoft.Azure.Commands.Common.Authentication.Factori
                   es.AuthenticationFactory.Authenticate(IAzureAccount account,
                    IAzureEnvironment environment, String tenant, SecureString 
                   password, String promptBehavior, Action`1 promptAction, IAzu
                   reTokenCache tokenCache, String resourceId)
                      at Microsoft.Azure.Commands.ResourceManager.Common.RMProf
                   ileClient.AcquireAccessToken(IAzureAccount account, IAzureEn
                   vironment environment, String tenantId, SecureString passwor
                   d, String promptBehavior, Action`1 promptAction, String reso
                   urceId)
                      at Microsoft.Azure.Commands.ResourceManager.Common.RMProf
                   ileClient.Login(IAzureAccount account, IAzureEnvironment env
                   ironment, String tenantIdOrName, String subscriptionId, Stri
                   ng subscriptionName, SecureString password, Boolean skipVali
                   dation, IOpenIDConfiguration openIDConfigDoc, Action`1 promp
                   tAction, String name, Boolean shouldPopulateContextList, Int
                   32 maxContextPopulation, String authScope)
Message          : Persistence check failed. Inspect inner exception for detail
                   s
StackTrace       :    at Microsoft.Identity.Client.Extensions.Msal.Storage.Veri
                   fyPersistence()
                      at Microsoft.Identity.Client.Extensions.Msal.MsalCacheHel
                   per.VerifyPersistence()
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lCacheHelperWrapper.VerifyPersistence()
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.GetCacheHelperAsync(Boolean async, CancellationToken
                    cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.GetCacheHelperAsync(Boolean async, CancellationToken
                    cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.RegisterCache(Boolean async, ITokenCache tokenCache,
                    CancellationToken cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lClientBase`1.GetClientAsync(Boolean async, CancellationToke
                   n cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lConfidentialClient.AcquireTokenForClientCoreAsync(String[] 
                   scopes, String tenantId, Boolean async, CancellationToken ca
                   ncellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lConfidentialClient.AcquireTokenForClientAsync(String[] scop
                   es, String tenantId, Boolean async, CancellationToken cancel
                   lationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Cli
                   entAssertionCredential.GetTokenAsync(TokenRequestContext req
                   uestContext, CancellationToken cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.MsalAccessTo
                   ken.GetAccessTokenAsync(String callerClassName, String param
                   etersLog, TokenCredential tokenCredential, TokenRequestConte
                   xt requestContext, CancellationToken cancellationToken, Stri
                   ng tenantId, String userId, String homeAccountId)
                      at Microsoft.Azure.Commands.Common.Authentication.Factori
                   es.AuthenticationFactory.Authenticate(IAzureAccount account,
                    IAzureEnvironment environment, String tenant, SecureString 
                   password, String promptBehavior, Action`1 promptAction, IAzu
                   reTokenCache tokenCache, String resourceId)
                      at Microsoft.Azure.Commands.ResourceManager.Common.RMProf
                   ileClient.AcquireAccessToken(IAzureAccount account, IAzureEn
                   vironment environment, String tenantId, SecureString passwor
                   d, String promptBehavior, Action`1 promptAction, String reso
                   urceId)
                      at Microsoft.Azure.Commands.ResourceManager.Common.RMProf
                   ileClient.Login(IAzureAccount account, IAzureEnvironment env
                   ironment, String tenantIdOrName, String subscriptionId, Stri
                   ng subscriptionName, SecureString password, Boolean skipVali
                   dation, IOpenIDConfiguration openIDConfigDoc, Action`1 promp
                   tAction, String name, Boolean shouldPopulateContextList, Int
                   32 maxContextPopulation, String authScope)
HelpLink         : 
ErrorDetails     : 
ErrorCategory    : CloseError: (:) [Connect-AzAccount], ArgumentNullException
InvocationInfo   : System.Management.Automation.InvocationInfo
ScriptStackTrace : at <ScriptBlock>, /home/docker/actions-runner/_work/_temp/45
                   c02185-83e4-4dc2-98b3-43a024bcc428.ps1: line 23
                   at <ScriptBlock>, <No file>: line 1

InnerException   : False
Exception        : System.DllNotFoundException: Unable to load shared library '
                   libsecret-1.so.0' or one of its dependencies. In order to he
                   lp diagnose loading problems, consider using a tool like str
                   ace. If you're using glibc, consider setting the LD_DEBUG en
                   vironment variable: 
                   /opt/microsoft/powershell/7/libsecret-1.so.0.so: cannot open
                    shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/libsecret-1.so.0.so: cannot o
                   pen shared object file: No such file or directory
                   /opt/microsoft/powershell/7/liblibsecret-1.so.0.so: cannot o
                   pen shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/liblibsecret-1.so.0.so: canno
                   t open shared object file: No such file or directory
                   /opt/microsoft/powershell/7/libsecret-1.so.0: cannot open sh
                   ared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/libsecret-1.so.0: cannot open
                    shared object file: No such file or directory
                   /opt/microsoft/powershell/7/liblibsecret-1.so.0: cannot open
                    shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/liblibsecret-1.so.0: cannot o
                   pen shared object file: No such file or directory
                   
                      at Microsoft.Identity.Client.Extensions.Msal.Libsecret.se
                   cret_schema_new(String name, Int32 flags, String attribute1,
                    Int32 attribute1Type, String attribute2, Int32 attribute2Ty
                   pe, IntPtr end)
                      at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyring
                   Accessor.GetLibsecretSchema()
                      at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyring
                   Accessor.Write(Byte[] data)
                      at Microsoft.Identity.Client.Extensions.Msal.Storage.Veri
                   fyPersistence()
Message          : Unable to load shared library 'libsecret-1.so.0' or one of i
                   ts dependencies. In order to help diagnose loading problems,
                    consider using a tool like strace. If you're using glibc, c
                   onsider setting the LD_DEBUG environment variable: 
                   /opt/microsoft/powershell/7/libsecret-1.so.0.so: cannot open
                    shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/libsecret-1.so.0.so: cannot o
                   pen shared object file: No such file or directory
                   /opt/microsoft/powershell/7/liblibsecret-1.so.0.so: cannot o
                   pen shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/liblibsecret-1.so.0.so: canno
                   t open shared object file: No such file or directory
                   /opt/microsoft/powershell/7/libsecret-1.so.0: cannot open sh
                   ared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/libsecret-1.so.0: cannot open
                    shared object file: No such file or directory
                   /opt/microsoft/powershell/7/liblibsecret-1.so.0: cannot open
                    shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/liblibsecret-1.so.0: cannot o
                   pen shared object file: No such file or directory
                   
StackTrace       :    at Microsoft.Identity.Client.Extensions.Msal.Libsecret.se
                   cret_schema_new(String name, Int32 flags, String attribute1,
                    Int32 attribute1Type, String attribute2, Int32 attribute2Ty
                   pe, IntPtr end)
                      at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyring
                   Accessor.GetLibsecretSchema()
                      at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyring
                   Accessor.Write(Byte[] data)
                      at Microsoft.Identity.Client.Extensions.Msal.Storage.Veri
                   fyPersistence()
HelpLink         : 
ErrorDetails     : 
ErrorCategory    : CloseError: (:) [Connect-AzAccount], ArgumentNullException
InvocationInfo   : System.Management.Automation.InvocationInfo
ScriptStackTrace : at <ScriptBlock>, /home/docker/actions-runner/_work/_temp/45
                   c02185-83e4-4dc2-98b3-43a024bcc428.ps1: line 23
                   at <ScriptBlock>, <No file>: line 1



DEBUG: 17:26:28 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.12.5; CommandName: Resolve-AzError; PSVersion: 7.3.6; IsSuccess: True; Duration: 00:00:00.1913811
DEBUG: 17:26:28 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 17:26:28 - ResolveError end processing.
@v2kiran v2kiran added bug This issue requires a change to an existing behavior in the product in order to be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Aug 22, 2023
@isra-fel
Member

Hey @msJinLei I see "Could not find tenant id for provided tenant domain 'xxx'." in the result of Resolve-AzError (where xxx is a GUID). Could this be related to the updates we made last sprint about parsing domains?

@isra-fel isra-fel added Azure PS Team Investigate 🔍 Authentication and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Aug 23, 2023
@v2kiran
Author

v2kiran commented Sep 15, 2023

Any update on this?

@msJinLei
Contributor

Hey @msJinLei I see "Could not find tenant id for provided tenant domain 'xxx'." in the result of Resolve-AzError (where xxx is a GUID). Could this be related to the updates we made last sprint about parsing domains?

The reported error is
---> System.DllNotFoundException: Unable to load shared library 'libsecret-1.so.0' or one of its dependencies. In order to help diagnose loading problems, consider using a tool like strace. If you're using glibc, consider setting the LD_DEBUG environment variable:
But no new dependency was added in the latest change.

@v2kiran could you provide information about github action (here is an example #20720) you are using so that we can reproduce your case, thanks

@msJinLei msJinLei added the needs-author-feedback More information is needed from author to address the issue. label Oct 17, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added the no-recent-activity There has been no recent activity on this issue. label Oct 24, 2023
@v2kiran
Author

v2kiran commented Oct 29, 2023

@msJinLei - sure, here is the workflow file:

name: oidc-ps

# Required for OIDC
permissions:
  id-token: write
  contents: read

env:
  ARM_CLIENT_ID:       ${{ secrets.AZURE_CLIENT_ID }}
  ARM_ENVIRONMENT:     public
  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
  ARM_TENANT_ID:       ${{ secrets.AZURE_TENANT_ID }}
  CLIENT_ID: ${{ secrets.CLIENT_ID }}



on:
  workflow_dispatch:
  push:
    branches:
        - 'main'
        - 'releases/**'
jobs:
  OIDCPSLogin:
    name: Login using PS OIDC
    runs-on: DEV-ACI
    environment:
      name: dev
    steps:
      - uses: actions/checkout@v2

      - name: Login using oidc
        shell: pwsh
        run: |
            $Audience = "api://AzureADTokenExchange"
            $GitToken = $env:ACTIONS_ID_TOKEN_REQUEST_TOKEN
            $GitTokenUrl = $env:ACTIONS_ID_TOKEN_REQUEST_URL
            $apiUrl = "{0}&audience={1}" -f $GitTokenUrl, $Audience
            $jwt_tokens = Invoke-RestMethod $apiUrl -Headers @{Authorization = ("bearer {0}" -f $GitToken)}
            Write-Host "GitHub JWT url: $apiUrl"
            Write-Host "GitHub JWT payload:"
            $federatedToken = ($jwt_tokens.Value -split "\.")[1]
            if(($federatedToken.Length % 4) -ne 0) {
              $federatedToken = $federatedToken.PadRight($federatedToken.Length + 4 - ($federatedToken.Length % 4), "=")
            }
            [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($federatedToken)) | convertfrom-json | convertto-json # Pretty print
            Disable-AzContextAutosave -Scope Process
            try
            {
              Connect-azaccount -TenantId ${{ env.ARM_TENANT_ID }} -ApplicationId ${{ env.ARM_CLIENT_ID }} -federatedtoken $GitToken -ServicePrincipal -erroraction stop
            }
            catch{
              get-error -newest 1
              resolve-azerror
              write-verbose "psversiontable"
              $psversiontable | out-string
              write-verbose "az modules"
              get-module az*
            }
      - name: Get secrets - Job__az_oidc_tst__Step-3
        uses: azure/powershell@v1
        with:
          inlineScript: |
            get-azresourcegroup | select -first 1 | out-string
          azPSVersion: "latest"


@microsoft-github-policy-service microsoft-github-policy-service bot added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. no-recent-activity There has been no recent activity on this issue. labels Oct 29, 2023
@IsaacCalligeros95

We're experiencing this same issue, are there any updates?

@IsaacCalligeros95

Any updates on this? Using Disable-AzContextAutosave is a fairly common practice in CI/CD pipelines. We have a number of customers running into this problem and our only recommendation is to downgrade to earlier versions.

@msJinLei msJinLei added the Tracking We will track status and follow internally label Mar 20, 2024
msJinLei added a commit to msJinLei/azure-powershell that referenced this issue Mar 20, 2024
… is set to in memory token cache option

Workaround Azure#22628
msJinLei added a commit to msJinLei/azure-powershell that referenced this issue Mar 20, 2024
… is set to in memory token cache option

Workaround Azure#22628
@msJinLei
Contributor

msJinLei commented Mar 20, 2024

Root Cause

In the client assertion login flow, when the token cache option is set to in-memory, the following condition should be hit.

if (options is UnsafeTokenCacheOptions inMemoryOptions)

The object we passed is inherited from Azure.Identity.UnsafeTokenCacheOptions while the type above is Microsoft.Azure.PowerShell.Authenticators.Identity.UnsafeTokenCacheOptions. That's why the condition is not hit.

The reason we create a new UnsafeTokenCacheOptions in the namespace Microsoft.Azure.PowerShell.Authenticators.Identity is that the assignment cannot be executed if UnsafeTokenCacheOptions is not in the same package as the internal class TokenCache:

TokenCacheUpdatedAsync = inMemoryOptions.TokenCacheUpdatedAsync;

RefreshCacheFromOptionsAsync = inMemoryOptions.RefreshCacheAsync;

Solution

  • Create an additional InMemoryTokenCacheOptions class derived from Microsoft.Azure.PowerShell.Authenticators.Identity.UnsafeTokenCacheOptions for the client assertion flow
  • However, an additional token cache options class will further complicate the client assertion implementation. The best solution is to drive Azure.Identity to implement ISupportsTokenCachePersistenceOptions for ClientAssertionCredentialOptions so that we can remove all this code.

Workaround

After PR #24416 is merged

Disable-AzContextAutosave -Scope "Process"
Connect-AzAccount -ServicePrincipal -Tenant $tenantId -ApplicationId $appId -FederatedToken $federatedToken
$token = (Get-AzAccessToken).Token
Disconnect-AzAccount
Connect-AzAccount -AccessToken $token -Tenant $tenantId -AccountId $appId

@isra-fel Please take a look
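Added example, not code from the issue or the Az project: a pwsh step body that applies the workaround above in a GitHub Actions job. It assumes an Az.Accounts build with PR #24416 merged, the ARM_TENANT_ID / ARM_CLIENT_ID variables from the posted workflow, and `id-token: write` on the job. Unlike the posted workflow it passes the JWT from the token endpoint's response body as the federated token and logs only a few claims, never the token itself.

```powershell
# Added example (not from the issue or the Az project). Assumes Az.Accounts with
# PR #24416 merged and the ARM_* variables defined as in the posted workflow.
$ErrorActionPreference = 'Stop'

# 1. Request the GitHub OIDC JWT for the Entra token-exchange audience.
#    ACTIONS_ID_TOKEN_REQUEST_TOKEN only authorizes this request; the federated
#    token Azure needs is the JWT in the response body.
$audience   = 'api://AzureADTokenExchange'
$requestUrl = '{0}&audience={1}' -f $env:ACTIONS_ID_TOKEN_REQUEST_URL, [uri]::EscapeDataString($audience)
$response   = Invoke-RestMethod -Uri $requestUrl -Headers @{ Authorization = "bearer $($env:ACTIONS_ID_TOKEN_REQUEST_TOKEN)" }
$federatedToken = $response.value

# Log only non-sensitive claims; the raw JWT must not reach the job log.
# JWT segments are base64url, so translate to base64 and re-pad before decoding.
$payloadB64 = ($federatedToken -split '\.')[1].Replace('-', '+').Replace('_', '/')
$payloadB64 = $payloadB64.PadRight($payloadB64.Length + (4 - $payloadB64.Length % 4) % 4, '=')
$claims = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payloadB64)) | ConvertFrom-Json
Write-Host ('OIDC subject: {0}  audience: {1}  expires: {2}' -f $claims.sub, $claims.aud,
    [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp))

# 2. Keep the context in memory so nothing touches the libsecret-backed keyring.
Disable-AzContextAutosave -Scope Process | Out-Null

# 3. Exchange the federated token for an Azure access token, then log in again
#    with that bearer token, which follows a code path that avoids the bug.
Connect-AzAccount -ServicePrincipal -Tenant $env:ARM_TENANT_ID -ApplicationId $env:ARM_CLIENT_ID `
    -FederatedToken $federatedToken | Out-Null
$accessToken = (Get-AzAccessToken).Token
Disconnect-AzAccount | Out-Null
Connect-AzAccount -AccessToken $accessToken -Tenant $env:ARM_TENANT_ID -AccountId $env:ARM_CLIENT_ID | Out-Null

# Sanity check: the context must be the workload identity, not a cached user context.
$ctx = Get-AzContext
if ($ctx.Account.Id -ne $env:ARM_CLIENT_ID) {
    throw "Unexpected account '$($ctx.Account.Id)' in Az context"
}
Write-Host "Logged in as $($ctx.Account.Id) in tenant $($ctx.Tenant.Id)"
```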

@msJinLei msJinLei assigned YanaXu and unassigned msJinLei Aug 5, 2024
@msJinLei
Contributor

msJinLei commented Aug 5, 2024

The issue will be fixed by #25733
@YanaXu Could you follow this issue? Thanks
