Azure CLI will currently *always* cause AzureCliCredential to fail on Python/MacOS/Homebrew using secret-client. #27111

Open
furnivall opened this issue Aug 7, 2023 · 7 comments
Labels
Account az login/account ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group Auto-Assign Auto assign by bot Auto-Resolve Auto resolve by bot Azure CLI Team The command of the issue is owned by Azure CLI team customer-reported Issues that are reported by GitHub users external to the Azure organization. feature-request Upgrade az upgrade

@furnivall
Contributor

furnivall commented Aug 7, 2023

Describe the bug

Preface:
This may well be intended behaviour, so I apologise if so. However, I am currently unable to upgrade Azure CLI locally due to Homebrew/homebrew-core#138158 & #27047 so I did a bit of digging.
I'll also raise a sister issue on azure-sdk-for-python so they're aware of it too.

Description:
DefaultAzureCredential runs through a bunch of options, including AzureCliCredential.

When it reaches this line within AzureCliCredential, it will always fail the timeout with an outdated software version.

This is because the cli prompt returned by az account get-access-token --output json --resource <whatever> embedded within that file will always return the following, which requires a user response to complete.

New Azure CLI version available. Running 'az upgrade' to update automatically.
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Your current Azure CLI version is 2.50.0. Latest version available is 2.51.0.
Please check the release notes first: https://docs.microsoft.com/cli/azure/release-notes-azure-cli
Do you want to continue? (Y/n):

Steps to reproduce:
I have been able to confirm this on a minimal reproduction here. It will require the replacement of some env vars:

  • Replace key_vault_url and secret_name within x/function_app.py with some legitimate values.
  • Use func start to start
  • Optionally, attach a debugger of your choice to the process and watch the call to return subprocess.check_output(args, **kwargs) venv/lib/python3.10/site-packages/azure/identity/_credentials/azure_cli.py - github link to specific line
  • Run curl http://localhost:7071/api/hello to trigger the http function
  • Read your logs for the following string: AzureCliCredential: Failed to invoke the Azure CLI

Related command

All azure commands that trigger an update notification, but specifically az account get-access-token --output json --resource <whatever> in this instance

Errors

Executing 'Functions.AzureTrigger' (Reason='This function was programmatically called via the host APIs.', Id=df95b1b4-cdce-4775-abe4-71e6f6cab282)
DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:

EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
*AzureCliCredential: Failed to invoke the Azure CLI*
AzurePowerShellCredential: Az.Account module >= 2.2.0 is not installed
AzureDeveloperCliCredential: Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then, once installed, authenticate to your Azure account using 'azd auth login'.
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
Executed 'Functions.AzureTrigger' (Failed, Id=df95b1b4-cdce-4775-abe4-71e6f6cab282, Duration=57068ms)
System.Private.CoreLib: Exception while executing function: Functions.AzureTrigger. System.Private.CoreLib: Result: Failure
Exception: ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
AzureCliCredential: Failed to invoke the Azure CLI
AzurePowerShellCredential: Az.Account module >= 2.2.0 is not installed
AzureDeveloperCliCredential: Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then, once installed, authenticate to your Azure account using 'azd auth login'.
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.

Issue script & Debug output

N/A, description covers it.

Expected behavior

Auth token to be generated as standard.

Environment Summary

azure-cli                         2.50.0 *

core                              2.50.0 *
telemetry                          1.0.8 *

Extensions:
ssh                                2.0.0

Dependencies:
msal                              1.22.0
azure-mgmt-resource             23.1.0b2

Python location '/usr/local/Cellar/azure-cli/2.50.0_1/libexec/bin/python'
Extensions directory '/Users/daniel.furnivall/.azure/cliextensions'

Python (Darwin) 3.10.12 (main, Jun 20 2023, 17:00:24) [Clang 14.0.3 (clang-1403.0.22.14.1)]

Legal docs and information: aka.ms/AzureCliLegal


You have 3 update(s) available. Consider updating your CLI installation with 'az upgrade'
New Azure CLI version available. Running 'az upgrade' to update automatically.
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Your current Azure CLI version is 2.50.0. Latest version available is 2.51.0.
Please check the release notes first: https://docs.microsoft.com/cli/azure/release-notes-azure-cli

Additional context

I am fairly certain this won't just be hitting the python sdk, and definitely not just function apps.

@furnivall furnivall added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Aug 7, 2023
@azure-client-tools-bot-prd

Hi @furnivall,

2.50.0 is not the latest Azure CLI(2.51.0).

Please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

@azure-client-tools-bot-prd azure-client-tools-bot-prd bot added the Auto-Resolve Auto resolve by bot label Aug 7, 2023
@ghost ghost added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot Account az login/account labels Aug 7, 2023
@yonzhan
Collaborator

yonzhan commented Aug 7, 2023

Thank you for opening this issue, we will look into it.

@ghost ghost assigned jiasli Aug 7, 2023
@ghost ghost added this to the Backlog milestone Aug 7, 2023
@ghost ghost added the Upgrade az upgrade label Aug 7, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added the ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group label Aug 7, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Aug 7, 2023
@furnivall
Contributor Author

Thank you for opening this issue, we will look into it.

No problem, if you need anything specific about my setup I am happy to provide. Just spent the day bashing my head against the computer to work out why I wasn't able to connect keyvault to my local environment!

@furnivall
Contributor Author

image
Here's a screenshot of the relevant debugging output

@furnivall furnivall changed the title Azure CLI will *always* cause AzureCliCredential to fail on Python builds using secret-client. Azure CLI will currently *always* cause AzureCliCredential to fail on Python/MacOS/Homebrew using secret-client. Aug 7, 2023
@furnivall
Contributor Author

furnivall commented Aug 7, 2023

Hi @furnivall,

2.50.0 is not the latest Azure CLI(2.51.0).

Please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

Also, your bot is broken - it's physically impossible for MacOS users with Homebrew to upgrade to this version at current. No idea where to raise a bug ticket but might be worth doing something about.

edit: scratch that, have raised #27112

@furnivall furnivall reopened this Aug 7, 2023
@yonzhan yonzhan removed the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Aug 7, 2023
@jiasli
Member

jiasli commented Aug 8, 2023

I'll also raise a sister issue on azure-sdk-for-python so they're aware of it too.

I believe you are talking about Azure/azure-sdk-for-python#31493

You are seeing the New Azure CLI version available. Running 'az upgrade' to update automatically. warning because you have enabled Automatic Update. You may turn it off following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli

az config set auto-upgrade.enable=no

See #17886 (comment)

@jiasli
Member

jiasli commented Aug 8, 2023

Azure CLI's Automatic Update is indeed guarded by a verify_is_a_tty check:

    try:
        verify_is_a_tty()
    except NoTTYException:
        az_upgrade_run = False
        err_msg = "Unable to prompt for auto upgrade as no tty available. " \
                  "Run 'az config set auto-upgrade.prompt=no' to allow auto upgrade with no prompt."
        logger.warning(err_msg)
        telemetry.set_exception(UnclassifiedUserFault(err_msg), fault_type='auto-upgrade-failed')

When Python SDK subprocesses az, it connects the stdin of itself to the subprocess az:

https://github.com/Azure/azure-sdk-for-python/blob/c4c18a7b427633c0519016d762dc141ae743e41b/sdk/identity/azure-identity/azure/identity/_credentials/azure_cli.py#L188-L195

        kwargs: Dict[str, Any] = {
            "stderr": subprocess.PIPE,
            "cwd": working_directory,
            "universal_newlines": True,
            "timeout": timeout,
            "env": dict(os.environ, AZURE_CORE_NO_COLOR="true"),
        }
        return subprocess.check_output(args, **kwargs)

https://docs.python.org/3/library/subprocess.html#frequently-used-arguments

stdin, stdout and stderr: With the default settings of None, no redirection will occur; the child’s file handles will be inherited from the parent.

See #17886 (comment)
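
The stdin inheritance described in the comment above can be reproduced offline. This is an added example, not code from the issue, Azure CLI or the Azure SDK: `FAKE_CLI` is a constructed stand-in that prompts only when its stdin is a terminal, a pty stands in for the developer's terminal, and passing `stdin=subprocess.DEVNULL` is shown as one caller-side option (an assumption here, not a fix stated in the thread).

```python
import os
import pty
import subprocess
import sys

# Constructed stand-in for a CLI that prompts only when stdin is a terminal,
# mirroring the verify_is_a_tty guard quoted above. Not Azure CLI code.
FAKE_CLI = r"""
import sys
if sys.stdin.isatty():
    sys.stderr.write("Do you want to continue? (Y/n): ")
    sys.stderr.flush()
    sys.stdin.readline()          # blocks: nobody is going to answer
else:
    sys.stderr.write("no tty available, skipping prompt\n")
print('{"accessToken": "constructed-placeholder"}')
"""

def invoke(stdin, timeout=2):
    """Run the fake CLI with the quoted kwargs (cwd/env omitted), varying only stdin."""
    kwargs = {
        "stderr": subprocess.PIPE,      # the prompt lands here, unseen by the user
        "universal_newlines": True,
        "timeout": timeout,
        "stdin": stdin,                 # None would inherit the parent's stdin
    }
    try:
        out = subprocess.check_output([sys.executable, "-c", FAKE_CLI], **kwargs)
        return out.strip()
    except subprocess.TimeoutExpired:
        return "TIMEOUT"

def with_terminal_stdin():
    """Simulate a parent whose stdin is a terminal by handing the child a pty."""
    master, slave = pty.openpty()
    try:
        return invoke(stdin=slave)
    finally:
        os.close(master)
        os.close(slave)

def with_devnull_stdin():
    """The child can never see a terminal on stdin, so the guard skips the prompt."""
    return invoke(stdin=subprocess.DEVNULL)

if __name__ == "__main__":
    print("terminal stdin:", with_terminal_stdin())
    print("DEVNULL stdin: ", with_devnull_stdin())
```

With a terminal on stdin the child waits on a prompt written to a captured stderr pipe until the timeout fires, which matches the `Failed to invoke the Azure CLI` symptom in the report.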

@yonzhan yonzhan added feature-request and removed bug This issue requires a change to an existing behavior in the product in order to be resolved. labels Aug 9, 2023
5 participants