Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

az acr run fails in Azure Pipelines with Azure CLI 2.30.0: Could not retrieve credential from local cache for service principal #20153

Closed
andygjp opened this issue Nov 2, 2021 · 9 comments
Closed

az acr run fails in Azure Pipelines with Azure CLI 2.30.0: Could not retrieve credential from local cache for service principal #20153

andygjp opened this issue Nov 2, 2021 · 9 comments
Assignees
@jiasli
Labels
Account az login/account customer-reported Issues that are reported by GitHub users external to the Azure organization. MSAL
Milestone
Jan 2022 (2022-02...

Comments

@andygjp
Copy link

andygjp commented Nov 2, 2021
edited
Loading

Hi,

With version 2.30.0 of the CLI, I'm getting the following error when I run az acr run: "ERROR: Could not retrieve credential from local cache for service principal ***. Run az login for this service principal."

Running az login did not help. I'm running the command inside of Azure Pipeline "ubuntu-latest" hosted agent.

I already had the following script in my pipeline to workaround a previous issue:

sudo apt-get remove azure-cli
curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
sudo apt-get update
sudo apt-get install -y azure-cli

Which was installing version 2.30.0 - the version with the problem.

I modified it such that it installed version 2.29.2, like so:

sudo apt-get remove azure-cli
curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
sudo apt-get update
sudo apt-get install -y azure-cli=2.29.2-1~focal

And it works again.

Please can someone investigate the issue.
@ghost ghost added needs-triage This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that customer-reported Issues that are reported by GitHub users external to the Azure organization. labels Nov 2, 2021
@Ehsaan-Azizi
Copy link

Hi,

With version 2.30.0 of the CLI, I'm getting the following error when I run az car run: "ERROR: Could not retrieve credential from local cache for service principal ***. Run az login for this service principal."

Running az login did not help. I'm running the command inside of Azure Pipeline "ubuntu-latest" hosted agent.

I already had the following script in my pipeline to workaround a previous issue:

sudo apt-get remove azure-cli
curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
sudo apt-get update
sudo apt-get install -y azure-cli

Which was installing version 2.30.0 - the version with the problem.

I modified it such that it installed version 2.29.2, like so:

sudo apt-get remove azure-cli
curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
sudo apt-get update
sudo apt-get install -y azure-cli=2.29.2-1~focal

And it works again.

Please can someone investigate the issue.

I’m having the exact same issue when running my workflow in GitHub Actions. A solution will be so helpful as I have bunch of workflow to run.

@Ehsaan-Azizi
Copy link

Following this issue for a solution, hopefully.

@t-dedah
Copy link

t-dedah commented Nov 2, 2021

Facing same issue in Azure/Cli action.
Azure/cli#56

@t-dedah t-dedah mentioned this issue Nov 2, 2021
Closed
@andygjp
Copy link
Author

andygjp commented Nov 2, 2021

Just spotted an auto-correct error with my initial message. The command I'm running is az acr run and not "car".

@jiasli jiasli self-assigned this Nov 3, 2021
@jiasli jiasli changed the title az acr run returns "Could not retrieve credential..." error az acr run fails: Could not retrieve credential from local cache for service principal Nov 3, 2021
@yonzhan yonzhan added Container Registry az acr and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Nov 3, 2021
@yonzhan yonzhan added this to the Backlog milestone Nov 3, 2021
@yonzhan
Copy link
Collaborator

yonzhan commented Nov 3, 2021

@jiasli for awareness

@jiasli jiasli changed the title az acr run fails: Could not retrieve credential from local cache for service principal az acr run fails in Azure Pipeline with Azure CLI 2.30.0: Could not retrieve credential from local cache for service principal Nov 3, 2021
@jiasli
Copy link
Member

jiasli commented Nov 3, 2021
edited
Loading

Symptom

Azure Pipeline Azure CLI task fails with

ERROR: Could not retrieve credential from local cache for service principal xxx. Run `az login` for this service principal.

Root cause

The root cause is because Azure CLI task still uses the old ADAL-based Azure CLI 2.29.0 to log in.

After the ADAL to MSAL migration (#19853), the latest Azure CLI 2.30.0 is not compatible with previous versions. If 2.30.0 is manually installed on the agent, it can't read the login information generated by 2.29.0. In other words, the az login command and other az commands should be from the same Azure CLI verison.

We can check the installed Azure CLI on the agent with:

# File: azure-pipelines.yaml

resources:
- repo: self

trigger:
  batch: true
  branches:
    include:
    - '*'

pr:
  branches:
    include:
      - '*'

jobs:
- job: TestAzureCLITask
  displayName: Test Azure CLI Task

  pool:
    vmImage: 'ubuntu-latest'
  steps:
  - task: AzureCLI@2
    displayName: Azure CLI
    inputs:
      azureSubscription: service-connection-test1
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        set -vx

        ls ~/.azure
        cat ~/.azure/versionCheck.json
        cat ~/.azure/accessTokens.json

        echo $AZURE_CONFIG_DIR
        ls $AZURE_CONFIG_DIR
        cat $AZURE_CONFIG_DIR/versionCheck.json
        cat $AZURE_CONFIG_DIR/accessTokens.json

        az group list

The output shows accessTokens.json from ADAL-based Azure CLI:

/usr/bin/az --version
azure-cli                         2.29.0 *

+ ls /home/vsts/work/_temp/.azclitask
accessTokens.json

+ cat /home/vsts/work/_temp/.azclitask/versionCheck.json
{"versions": {"azure-cli": {"local": "2.29.0", "pypi": "2.30.0"}, "core": {"local": "2.29.0", "pypi": "2.30.0"}, "telemetry": {"local": "1.0.6", "pypi": "1.0.6"}}, "update_time": "2021-11-03 04:32:48.554798"}

Solution

References

@jiasli jiasli added Account az login/account and removed Container Registry az acr labels Nov 3, 2021
@jiasli jiasli modified the milestones: Backlog, Nov 2021 (2021-12-07) Nov 3, 2021
@jiasli jiasli added the MSAL label Nov 3, 2021
sanfordn added a commit to sanfordn/website-generator that referenced this issue Nov 9, 2021
@sanfordn
Using 2.29.0 because 2.30.0 has breaking change
b535901 
REVERT THIS COMMIT WHEN Azure/azure-cli#20153 IS FIXED
@wfranceys
Copy link

wfranceys commented Nov 12, 2021
edited
Loading

@jiasli

Seeing this issue from azureml as well (apologies if this incorrect place to post),

Summary:

  • In an Azure DevOps pipeline, in an AzureCLI@2 task we are having issues authenticating when using azureml.core.Workspace

Steps to reproduce:

# requirements.txt
azureml.core==1.36.0.post2
azure-cli-core==2.29.0

# main.py
from azureml.core import Run, Workspace
from azureml.core.authentication import AzureCliAuthentication

cli_auth = AzureCliAuthentication()

Workspace(
    subscription_id=subscription_id, 
    resource_group=resource_group,
    workspace_name=workspace_name,
    auth=cli_auth
)

# azure-pipelines.yaml
trigger:
  branches:
    include:
    - '*'

parameters:
  azureSubscription: XXX # replace your own here

stages:
  - stage: StageName
    displayName: StageName
    pool:
      vmImage: windows-latest
    jobs:
      - job: JobName
        displayName: JobName
        steps:

        - task: UsePythonVersion@0
          inputs:
            versionSpec: 3.7.x
            architecture: x64
          displayName: 'Use Python 3.7.x'

        - task: AzureCLI@2
          inputs:
            scriptType: batch
            scriptLocation: inlineScript
            inlineScript: |
              pip install virtualenv
              virtualenv .venv
              call .venv/Scripts/activate.bat
              python -m pip install -v --upgrade pip
              python -m pip install -r requirements.txt
              python main.py
            azureSubscription: ${{ parameters.azureSubscription  }}
          displayName: Auth Workspace

What I expected to see:

  • Successful log-in

What I saw instead:

  • knack.util.CLIError: Could not retrieve credential from local cache for service principal ***. Please run 'az login' for this service principal.

Notes:

  • We are trying to authenticate with azureml.core.Workspace
    • The AzureCLI@2 on Windows MS Hosted Agents on Azure DevOps pipeline is 2.30.0
    • There are known issues [0] of comptaibility between azure-cli-core==2.29.0 and azure-cli=2.30.
    • Ideally we could use azure-cli-core==2.30.0 however we are forced to use azure-cli-core==2.29.0 due to [1]

Questions:

  • For the Windows MS Hosted Agents, in an AzureCLI@2 task, is it possible to set the azure-cli version here, perhaps a pip install would do the trick?

[0] #20153 (comment)
[1] #20150

@wfranceys wfranceys mentioned this issue Nov 12, 2021
Closed
@Phiph Phiph mentioned this issue Nov 15, 2021
Closed
@stan-sz
Copy link
Contributor

stan-sz commented Nov 17, 2021

Is there a way to translate the ADAL login to MSAL login information (and vice versa)? For a transition period we need to coordinate Agent's upgrade with a tool upgrade.

@jiasli
Copy link
Member

jiasli commented Nov 18, 2021

Unfortunately, no. ADAL <-> MSAL token migration was finally rejected by the PM team during MSAL migration (#19853).

@jiasli jiasli changed the title az acr run fails in Azure Pipeline with Azure CLI 2.30.0: Could not retrieve credential from local cache for service principal az acr run fails in Azure Pipelines with Azure CLI 2.30.0: Could not retrieve credential from local cache for service principal Jan 25, 2022
@jiasli jiasli closed this as completed Jan 25, 2022
@owlleg6 owlleg6 mentioned this issue Jan 26, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jiasli jiasli

Labels
Account az login/account customer-reported Issues that are reported by GitHub users external to the Azure organization. MSAL
Projects
None yet
Milestone
Jan 2022 (2022-02-08)
Development

No branches or pull requests
7 participants
@andygjp @jiasli @wfranceys @stan-sz @yonzhan @t-dedah @Ehsaan-Azizi