Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot use @azure/arm-resources in dogfood #24764

Closed
1 of 6 tasks
emoranchel opened this issue Feb 7, 2023 · 5 comments
Closed
1 of 6 tasks

Cannot use @azure/arm-resources in dogfood #24764

emoranchel opened this issue Feb 7, 2023 · 5 comments
Assignees
@MaryGao @qiaozha
Labels
ARM Mgmt This issue is related to a management-plane library. needs-author-feedback Workflow: More information is needed from author to address the issue.

Comments

@emoranchel
Copy link

  • Package Name: @azure/arm-resources
  • Package Version: 5.1.0
  • Operating system: Win11
  • nodejs
    • version: 16.15.0
  • browser
    • name/version:
  • typescript
    • version:
  • Is the bug related to documentation in

Describe the bug
Hi I am trying to use the @azure/arm-resources nodeJS library to connect to dogfood but I am encountering an error. my code to connect is:

import { UsernamePasswordCredential } from '@azure/identity';
import { ResourceManagementClient } from '@azure/arm-resources';

...

  let credential = new UsernamePasswordCredential(configuration.tenantId, CLIENT_ID, username, password, {
    authorityHost: 'https://login.windows-ppe.net'
  });
  return new ResourceManagementClient(credential, configuration.subscriptionId, {
    endpoint: 'https://api-dogfood.resources.windows-int.net'
  });

But I am getting an error:

RestError: The access token has been obtained for wrong audience or resource 'https://api-dogfood.resources.windows-int.net'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/','https://management.core.windows.net','https://management.azure.com/','https://management.azure.com'.
      at handleErrorResponse (node_modules\@azure\core-client\dist\index.js:1305:19)
      at deserializeResponseBody (node_modules\@azure\core-client\dist\index.js:1240:45)
      at runMicrotasks (<anonymous>)
      at processTicksAndRejections (node:internal/process/task_queues:96:5)

And the full log:

azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
azure:identity:info UsernamePasswordCredential => MSAL Node V2 info message: [Tue, 07 Feb 2023 18:39:15 GMT] : @azure/msal-node@1.14.6 : Info - getTokenCache called
azure:identity:info UsernamePasswordCredential => More than one account was found authenticated for this Client ID and Tenant ID.
However, no "authenticationRecord" has been provided for this credential,
therefore we're unable to pick between these accounts.
A new login attempt will be requested, to ensure the correct account is picked.
To work with multiple accounts for the same Client ID and Tenant ID, please provide an "authenticationRecord" when initializing a credential to prevent this from happening.
azure:identity:info UsernamePasswordCredential => Silent authentication failed, falling back to interactive method.
azure:identity:info UsernamePasswordCredential => MSAL Node V2 info message: [Tue, 07 Feb 2023 18:39:15 GMT] : [b6b044e9-6de4-47b3-8800-bcc37923a8b0] : @azure/msal-node@1.14.6 : Info - acquireTokenByUsernamePassword called
azure:core-rest-pipeline retryPolicy:info Retry 0: Attempting to send request 898584e8-b5c1-4770-b291-5a88c3dc72b0
azure:core-rest-pipeline:info Request: {
  "url": "https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=REDACTED",
  "headers": {
    "accept-encoding": "gzip,deflate",
    "user-agent": "azsdk-js-identity/3.1.2 core-rest-pipeline/1.10.1 Node/v16.15.0 OS/(x64-Windows_NT-10.0.22621)",
    "x-ms-client-request-id": "898584e8-b5c1-4770-b291-5a88c3dc72b0"
  },
  "method": "GET",
  "timeout": 0,
  "disableKeepAlive": false,
  "withCredentials": false,
  "abortSignal": {},
  "requestId": "898584e8-b5c1-4770-b291-5a88c3dc72b0",
  "allowInsecureConnection": false,
  "enableBrowserStreams": false
}
azure:core-rest-pipeline:info Response status code: 200
azure:core-rest-pipeline:info Headers: {
  "cache-control": "max-age=86400, private",
  "content-type": "application/json; charset=utf-8",
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "x-content-type-options": "nosniff",
  "access-control-allow-origin": "*",
  "access-control-allow-methods": "GET, OPTIONS",
  "p3p": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"",
  "x-ms-request-id": "5879d439-fe23-453a-a239-78abbade4d00",
  "x-ms-ests-server": "2.1.14526.6 - EUS ProdSlices",
  "x-xss-protection": "0",
  "set-cookie": "fpc=AvoxB5bwAwpCkFVFPB8bO00; expires=Thu, 09-Mar-2023 18:39:14 GMT; path=/; secure; HttpOnly; SameSite=None",
  "date": "Tue, 07 Feb 2023 18:39:14 GMT",
  "content-length": "976"
}
azure:core-rest-pipeline retryPolicy:info Retry 0: Received a response from request 898584e8-b5c1-4770-b291-5a88c3dc72b0
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing 2 retry strategies.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy throttlingRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy exponentialRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info None of the retry strategies could work with the received response. Returning it.
azure:identity:info UsernamePasswordCredential => MSAL Node V2 warning: [Tue, 07 Feb 2023 18:39:15 GMT] : @azure/msal-node@1.14.6 : Warning - The developer's authority was not found within the CloudInstanceDiscoveryMetadata returned from the network request.
azure:core-rest-pipeline retryPolicy:info Retry 0: Attempting to send request 0985e1c6-66e7-4aff-99b0-63481de21622
azure:core-rest-pipeline:info Request: {
  "url": "https://login.windows-ppe.net/cbc9f809-970a-4ee3-8442-10e853d5af72/v2.0/.well-known/openid-configuration",
  "headers": {
    "accept-encoding": "gzip,deflate",
    "user-agent": "azsdk-js-identity/3.1.2 core-rest-pipeline/1.10.1 Node/v16.15.0 OS/(x64-Windows_NT-10.0.22621)",
    "x-ms-client-request-id": "0985e1c6-66e7-4aff-99b0-63481de21622"
  },
  "method": "GET",
  "timeout": 0,
  "disableKeepAlive": false,
  "withCredentials": false,
  "abortSignal": {},
  "requestId": "0985e1c6-66e7-4aff-99b0-63481de21622",
  "allowInsecureConnection": false,
  "enableBrowserStreams": false
}
azure:core-rest-pipeline:info Response status code: 200
azure:core-rest-pipeline:info Headers: {
  "cache-control": "max-age=86400, private",
  "content-type": "application/json; charset=utf-8",
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "x-content-type-options": "nosniff",
  "access-control-allow-origin": "*",
  "access-control-allow-methods": "GET, OPTIONS",
  "p3p": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"",
  "x-ms-request-id": "5db14661-4574-4838-ad74-95737b830000",
  "x-ms-ests-server": "2.1.14748.0 - CHY PPE",
  "x-ms-httpver": "1.1",
  "x-xss-protection": "0",
  "set-cookie": "fpc=ApQ0tNa-5OVLnDOjpG-8Lk4; expires=Thu, 09-Mar-2023 18:39:15 GMT; path=/; secure; HttpOnly; SameSite=None",
  "date": "Tue, 07 Feb 2023 18:39:14 GMT",
  "content-length": "1737"
}
azure:core-rest-pipeline retryPolicy:info Retry 0: Received a response from request 0985e1c6-66e7-4aff-99b0-63481de21622
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing 2 retry strategies.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy throttlingRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy exponentialRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info None of the retry strategies could work with the received response. Returning it.
azure:identity:info UsernamePasswordCredential => MSAL Node V2 info message: [Tue, 07 Feb 2023 18:39:15 GMT] : [b6b044e9-6de4-47b3-8800-bcc37923a8b0] : @azure/msal-common@9.1.1 : Info - in acquireToken call in username-password client
azure:core-rest-pipeline retryPolicy:info Retry 0: Attempting to send request 5e75231b-a8fc-421e-a624-92cddba638fc
azure:core-rest-pipeline:info Request: {
  "url": "https://login.windows-ppe.net/cbc9f809-970a-4ee3-8442-10e853d5af72/oauth2/v2.0/token",
  "headers": {
    "content-type": "application/x-www-form-urlencoded;charset=utf-8",
    "x-anchormailbox": "REDACTED",
    "accept-encoding": "gzip,deflate",
    "user-agent": "azsdk-js-identity/3.1.2 core-rest-pipeline/1.10.1 Node/v16.15.0 OS/(x64-Windows_NT-10.0.22621)",
    "x-ms-client-request-id": "5e75231b-a8fc-421e-a624-92cddba638fc"
  },
  "method": "POST",
  "timeout": 0,
  "disableKeepAlive": false,
  "withCredentials": false,
  "abortSignal": {},
  "requestId": "5e75231b-a8fc-421e-a624-92cddba638fc",
  "allowInsecureConnection": false,
  "enableBrowserStreams": false
}
azure:core-rest-pipeline:info Response status code: 200
azure:core-rest-pipeline:info Headers: {
  "cache-control": "no-store, no-cache",
  "pragma": "no-cache",
  "content-type": "application/json; charset=utf-8",
  "expires": "-1",
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "x-content-type-options": "nosniff",
  "p3p": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"",
  "x-ms-request-id": "4bc75c54-4527-4bbf-86bb-e3bf1bba0000",
  "x-ms-ests-server": "2.1.14748.0 - CHY PPE",
  "x-ms-clitelem": "1,0,0,,",
  "x-ms-httpver": "1.1",
  "x-xss-protection": "0",
  "set-cookie": "fpc=AvPPELC5lMFImdiNWwV6QeX29gDKAQAAANKRdNsOAAAA; expires=Thu, 09-Mar-2023 18:39:15 GMT; path=/; secure; HttpOnly; SameSite=None",
  "date": "Tue, 07 Feb 2023 18:39:15 GMT",
  "content-length": "4334"
}
azure:core-rest-pipeline retryPolicy:info Retry 0: Received a response from request 5e75231b-a8fc-421e-a624-92cddba638fc
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing 2 retry strategies.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy throttlingRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy exponentialRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info None of the retry strategies could work with the received response. Returning it.
azure:identity:info UsernamePasswordCredential => getToken() => SUCCESS. Scopes: https://api-dogfood.resources.windows-int.net/.default.
azure:core-rest-pipeline retryPolicy:info Retry 0: Attempting to send request c2cebdd4-4d8e-433e-877a-4723491b5f01
azure:core-rest-pipeline:info Request: {
  "url": "https://api-dogfood.resources.windows-int.net/subscriptions/3172c3ba-8f32-43e1-bf66-c6231cbfb5ca/resourcegroups/resourceGroupName?api-version=2021-04-01",
  "headers": {
    "accept": "application/json",
    "accept-encoding": "gzip,deflate",
    "user-agent": "azsdk-js-arm-resources/5.1.0 core-rest-pipeline/1.10.1 Node/v16.15.0 OS/(x64-Windows_NT-10.0.22621)",
    "x-ms-client-request-id": "c2cebdd4-4d8e-433e-877a-4723491b5f01",
    "authorization": "REDACTED"
  },
  "method": "GET",
  "timeout": 0,
  "disableKeepAlive": false,
  "streamResponseStatusCodes": {},
  "withCredentials": false,
  "requestId": "c2cebdd4-4d8e-433e-877a-4723491b5f01",
  "allowInsecureConnection": false,
  "enableBrowserStreams": false
}
azure:core-rest-pipeline:info Response status code: 401
azure:core-rest-pipeline:info Headers: {
  "cache-control": "no-cache",
  "pragma": "no-cache",
  "content-length": "381",
  "content-type": "application/json; charset=utf-8",
  "expires": "-1",
  "www-authenticate": "Bearer authorization_uri=\"https://login.windows-ppe.net/cbc9f809-970a-4ee3-8442-10e853d5af72\", error=\"invalid_token\", error_description=\"The access token is from wrong audience or resource.\"",
  "x-ms-failure-cause": "gateway",
  "x-ms-request-id": "f1a7dc30-a565-469c-9c7b-df7875a07d41",
  "x-ms-correlation-request-id": "f1a7dc30-a565-469c-9c7b-df7875a07d41",
  "x-ms-routing-request-id": "CENTRALUS:20230207T183916Z:f1a7dc30-a565-469c-9c7b-df7875a07d41",
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "x-content-type-options": "nosniff",
  "x-cache": "CONFIG_NOCACHE",
  "x-msedge-ref": "Ref A: 88C0B388C5FB48E7A8FCD39D2DB5EF93 Ref B: WSTEDGE0505 Ref C: 2023-02-07T18:39:16Z",
  "date": "Tue, 07 Feb 2023 18:39:15 GMT"
}
azure:core-rest-pipeline retryPolicy:info Retry 0: Received a response from request c2cebdd4-4d8e-433e-877a-4723491b5f01
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing 2 retry strategies.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy throttlingRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy exponentialRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info None of the retry strategies could work with the received response. Returning it.
azure:core-rest-pipeline:info The WWW-Authenticate header was missing the necessary "claims" to perform the Continuous Access Evaluation authentication flow.

To Reproduce
Steps to reproduce the behavior:

try to use:

import { UsernamePasswordCredential } from '@azure/identity';
import { ResourceManagementClient } from '@azure/arm-resources';

...

  let credential = new UsernamePasswordCredential(configuration.tenantId, CLIENT_ID, username, password, {
    authorityHost: 'https://login.windows-ppe.net'
  });
  return new ResourceManagementClient(credential, configuration.subscriptionId, {
    endpoint: 'https://api-dogfood.resources.windows-int.net'
  });

To connect and get resources.

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.
@ghost ghost added the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Feb 7, 2023
@xirzec xirzec added Mgmt This issue is related to a management-plane library. ARM labels Feb 7, 2023
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Feb 7, 2023
@qiaozha
Copy link
Member

qiaozha commented Feb 8, 2023

synced offline, for dogfood enviroment, the credentialScope is not ${endpoint}/.default which is our current logic for default credentialScopes when endpoint is set. you can try to set credentialScope as "https://management.azure.com/.default" when create the client in dogfood environment to make it work.

    const resourcesClient = new ResourceManagementClient(credential, subscriptionId, {
        endpoint: 'https://api-dogfood.resources.windows-int.net',
        credentialScopes: ["https://management.azure.com/.default"]
    });

@MaryGao MaryGao added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Feb 22, 2023
@ghost ghost added the no-recent-activity There has been no recent activity on this issue. label Mar 1, 2023
@ghost
Copy link

ghost commented Mar 1, 2023

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@ghost ghost closed this as completed Mar 16, 2023
@github-actions github-actions bot locked and limited conversation to collaborators Jun 14, 2023
@qiaozha qiaozha reopened this Jul 6, 2023
@MaryGao
Copy link
Member

MaryGao commented Jul 12, 2023
edited
Loading

The error happened again with latest identity. This is the log:

 RestError: The access token has been obtained for wrong audience or resource 'https://api-dogfood.resources.windows-int.net'. It should exactly match with one of the allowed audiences '[https://management.core.windows.net/','https://management.core.windows.net','https://management.azure.com/','https://management.azure.com'.](https://management.core.windows.net/%27,%27https://management.core.windows.net%27,%27https://management.azure.com/%27,%27https://management.azure.com%27.)
  at handleErrorResponse (D:\development\AD-IAM-Services-ADIUX\src\ADRBACExtension\Extension.E2ETests\node_modules\@azure\core-client\dist\index.js:1305:19)
  at deserializeResponseBody (D:\development\AD-IAM-Services-ADIUX\src\ADRBACExtension\Extension.E2ETests\node_modules\@azure\core-client\dist\index.js:1240:45)
  at runMicrotasks (<anonymous>)
  at processTicksAndRejections (node:internal/process/task_queues:96:5)

@github-actions github-actions bot removed the no-recent-activity There has been no recent activity on this issue. label Jul 12, 2023
@MaryGao
Copy link
Member

MaryGao commented Jul 13, 2023

The error happened again with latest identity. This is the log:

 RestError: The access token has been obtained for wrong audience or resource 'https://api-dogfood.resources.windows-int.net'. It should exactly match with one of the allowed audiences '[https://management.core.windows.net/','https://management.core.windows.net','https://management.azure.com/','https://management.azure.com'.](https://management.core.windows.net/%27,%27https://management.core.windows.net%27,%27https://management.azure.com/%27,%27https://management.azure.com%27.)
  at handleErrorResponse (D:\development\AD-IAM-Services-ADIUX\src\ADRBACExtension\Extension.E2ETests\node_modules\@azure\core-client\dist\index.js:1305:19)
  at deserializeResponseBody (D:\development\AD-IAM-Services-ADIUX\src\ADRBACExtension\Extension.E2ETests\node_modules\@azure\core-client\dist\index.js:1240:45)
  at runMicrotasks (<anonymous>)
  at processTicksAndRejections (node:internal/process/task_queues:96:5)

Offline confirmed this was resolved by manually adding the credentialScopes as "https://management.azure.com/.default"

@MaryGao
Copy link
Member

MaryGao commented Jul 13, 2023

Close as it resolved.

@MaryGao MaryGao closed this as completed Jul 13, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@MaryGao MaryGao

@qiaozha qiaozha

Labels
ARM Mgmt This issue is related to a management-plane library. needs-author-feedback Workflow: More information is needed from author to address the issue.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@xirzec @emoranchel @MaryGao @qiaozha