Azure / azure-cli

Azure Command-Line Interface
MIT License

AzureCliCredential using AzureChinaCloud gives principal named not found in tenant error using public cloud ARM URL (https://management.azure.com) instead of China ARM (https://management.chinacloudapi.cn) Error 500011 #16696

Open atwoodtja opened 3 years ago

atwoodtja commented 3 years ago

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name az account get-access-token

Errors:

Get Token request returned http error: 400 and server response: {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://management.azure.com was not found in the tenant named facd6305-1f26-4b7c-9547-bcdda50f4117. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: 1832499a-d3e7-4d3e-92bd-11a774852000\r\nCorrelation ID: 3bc18e3d-f8a8-41fc-856f-a739556f8486\r\nTimestamp: 2021-01-27 20:25:23Z","error_codes":[500011],"timestamp":"2021-01-27 20:25:23Z","trace_id":"1832499a-d3e7-4d3e-92bd-11a774852000","correlation_id":"3bc18e3d-f8a8-41fc-856f-a739556f8486","error_uri":"https://login.chinacloudapi.cn/error?code=500011"}
Traceback (most recent call last):
Temp\pip-unpacked-wheel-pwfpui04\knack\cli.py, ln 233, in invoke
...

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

Using code changes for login suggested in https://docs.microsoft.com/en-us/azure/developer/python/azure-sdk-sovereign-domain

Expected Behavior

Environment Summary

Windows-10-10.0.18362-SP0
Python 3.6.8
Installer: MSI

azure-cli 2.18.0

Additional Context

yonzhan commented 3 years ago

account

atwoodtja commented 3 years ago

Ok, I was able to get this working. There are two typos in the credential_scopes examples given for AzureChinaCloud in the page linked in Reproduce steps (https://docs.microsoft.com/en-us/azure/developer/python/azure-sdk-sovereign-domain).

The scope needs a / after the host URL and should not have a ' at the end.

This works: credential_scopes=[AZURE_CHINA_CLOUD.endpoints.resource_manager + "/.default"]

This does not: credential_scopes=[AZURE_CHINA_CLOUD.endpoints.resource_manager + ".default'"]

The argument needs to be used for any auth *Client (ResourceManagementClient, ComputeManagementClient, NetworkManagementClient, StorageManagementClient, etc).
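The comment above pins the failure on the scope string: the Resource Manager endpoint of the sovereign cloud followed by "/.default", with no stray quote. The following is an added example, not code from this issue, from the linked doc page, or from azure-cli (azure-cli's own resource -> scopes conversion is not replicated here). It builds that scope from a small endpoint table, then checks it before it ever reaches AAD, so a scope pointing at the public ARM host or carrying the doc's typo is rejected locally instead of surfacing as AADSTS500011 from login.chinacloudapi.cn. The endpoint table is constructed for the example from the URLs quoted in this thread plus the public AAD authority; in real code take the values from `msrestazure.azure_cloud` (e.g. `AZURE_CHINA_CLOUD.endpoints.resource_manager`) or `az cloud show`. The trailing slash on the public entry is deliberate, to show the normalization that some endpoint tables need.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed for this example: only the hosts this thread mentions (public ARM,
# China ARM, China AAD) plus the public AAD authority. Not msrestazure's table.
CLOUDS: Dict[str, Dict[str, str]] = {
    "AzureCloud": {
        "resource_manager": "https://management.azure.com/",   # trailing slash on purpose
        "active_directory": "https://login.microsoftonline.com",
    },
    "AzureChinaCloud": {
        "resource_manager": "https://management.chinacloudapi.cn",
        "active_directory": "https://login.chinacloudapi.cn",
    },
}


class ScopeError(ValueError):
    """A credential scope that would be sent to the wrong AAD / ARM pair."""


def arm_scope(resource_manager_url: str) -> str:
    """Build the MSAL scope for a Resource Manager endpoint.

    This is the working form from the thread, `<endpoint> + "/.default"`, with
    one addition: a trailing slash on the endpoint is stripped so that an
    endpoint stored as "https://management.azure.com/" does not become
    "https://management.azure.com//.default".
    """
    return resource_manager_url.rstrip("/") + "/.default"


def check_scope(scope: str, cloud: str) -> str:
    """Return `scope` unchanged if it is well-formed for `cloud`, else raise.

    The checks mirror the two mistakes discussed in the thread (missing "/",
    stray quote) and the underlying error (resource host belongs to another
    cloud, so the sovereign AAD authority has no such resource principal).
    """
    if not scope.endswith("/.default"):
        raise ScopeError(f"scope must end with '/.default': {scope!r}")
    if any(ch in scope for ch in "'\" "):
        raise ScopeError(f"scope contains a stray quote or whitespace: {scope!r}")
    expected_host = urlsplit(CLOUDS[cloud]["resource_manager"]).netloc
    actual_host = urlsplit(scope).netloc
    if actual_host != expected_host:
        raise ScopeError(
            f"scope host {actual_host!r} is not the {cloud} Resource Manager host "
            f"{expected_host!r}; {CLOUDS[cloud]['active_directory']} would answer "
            f"AADSTS500011 for it"
        )
    return scope


def credential_scopes(cloud: str) -> List[str]:
    """Value to pass as credential_scopes=[...] to a *ManagementClient for `cloud`."""
    return [check_scope(arm_scope(CLOUDS[cloud]["resource_manager"]), cloud)]


def classify_doc_variants(cloud: str = "AzureChinaCloud") -> Dict[str, str]:
    """Run the checker over the three scope strings this thread is about."""
    rm = CLOUDS[cloud]["resource_manager"]
    variants = {
        "fixed": rm + "/.default",                  # what the reporter found to work
        "doc_typo": rm + ".default'",               # the doc's version: no "/", stray "'"
        "public_cloud_resource": arm_scope(CLOUDS["AzureCloud"]["resource_manager"]),
    }
    results: Dict[str, str] = {}
    for name, scope in variants.items():
        try:
            check_scope(scope, cloud)
            results[name] = "ok"
        except ScopeError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    print(credential_scopes("AzureChinaCloud"))
    for name, verdict in classify_doc_variants().items():
        print(f"{name}: {verdict}")
```

`check_scope` is the part worth keeping in real code: a scope whose host is not the target cloud's ARM host is the exact condition behind the AADSTS500011 in this issue, and catching it client-side gives a message naming the two hosts rather than a 400 from the token endpoint.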

jiasli commented 3 years ago

@atwoodtja, thanks for reporting this issue. You have identified the root cause precisely.

Azure CLI internally is using the correct method to do resource -> scopes conversion:

https://github.com/Azure/azure-cli/blob/f92cea11e4e97af64c41ab7d35562639fc9d71b9/src/azure-cli-core/azure/cli/core/util.py#L1190-L1203

I will do some testing and submit a PR to fix the doc.