Open Vaisman opened 1 year ago
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @v-anvashist, @V-hmusukula.
Author: | Vaisman |
---|---|
Assignees: | - |
Labels: | `Service Attention`, `customer-reported`, `DevOps`, `Auto-Assign` |
Milestone: | - |
route to CXP team
@yonhan, maybe you have any update about the issue from CXP team?
@Vaisman Hi, Could you please verify whether the supplied token is valid or not? we are able to login using command echo "######" | az devops login --organization https://dev.azure.com/contoso/
@v-soujanya I used valid Service Principal token. it works in another two cases described in the doc: https://learn.microsoft.com/en-us/azure/devops/cli/log-in-via-pat?view=azure-devops&tabs=windows
@Vaisman I am / was facing a similar issue. I couldn't sign in to devOps using folowing command in Azure pipeline.
echo $PAT | az devops login --organization https://dev.azure.com/myorg
When I tried it from local console it worked however. In the end it turns out, I caused the problem myself. I am storing the personal access token in a variable group as a secret variable called pat
hence the attempt to expand it in bash with $PAT
. Yesterday I found out that you can't expand secret variables from variable groups.
Secret variables defined in a variable group cannot be accessed directly via scripts. Instead, they must be passed as arguments to the task.
source: https://adamtheautomator.com/azure-devops-variables/
When I tried the approach mentioned above it started to work for me. I am not sure if the core of your problem could be the same, but if so, I hope this helps.
I am having this same issue. When I run the commands locally this works.
echo $env:AZURE_DEVOPS_EXT_PAT | az devops login --organization https://dev.azure.com/org
or
echo "full token typed out" | az devops login --organization https://dev.azure.com/org
when I run from a powershell command in Azure DevOps I get this
ERROR: Failed to authenticate using the supplied token.
I'm having the same problem on a Windows Self-hosted Agent. However I'm not using PAT, I'm using access tokens obtained from Get-AzAccessToken as follows:
The agent machine logs in using Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant $SpTenantId
where the service principal has been granted appropriate permissions in Azure DevOps.
Next the script runs Get-AzAccessToken -ResourceUrl "499b84ac-1321-427f-aa17-267ca6975798"
where the ResourceUrl value denotes all scopes for Azure DevOps API (this is not a sensitive value, it is global for anyone wanting to get an ADO access token with this method). This retrieves an access token for the service principal, similar to a PAT.
Following that the access token is used to log in, like so: $token | az devops login --organization $OrgUrl
. I also tried setting the environment variable like this: $env:AZURE_DEVOPS_EXT_PAT = $token
All of these commands succeed when ran locally from terminal on the agent.
Now for the weird part. Even though the pipeline output returns "ERROR: Failed to authenticate using the supplied token.", the subsequent azure devops cli commands run with no issues (I manually ran az devops logout
before running, so this isn't due to a previous login still being active). I'm not blocked by this behavior but I'm leaving this here as the error seems to be related.
I was getting the same issue in my yaml pipeline, but after adding env: SYSTEM_ACCESSTOKEN: $(System.AccessToken)
to my task & the below authentication lines, I started getting the same as @ncswalton, an authentication error, but the commands working properly.
$env:AZURE_DEVOPS_EXT_PAT = $env:SYSTEM_ACCESSTOKEN
echo "$env:AZURE_DEVOPS_EXT_PAT" | az devops login --organization https://dev.azure.com/orgname/
Related command echo "my service principal token" | az devops login --organization https://dev.azure.com/my_org/
Describe the bug Failed to authenticate using the supplied token on the command: PS C:\Users\my_org> echo "my service principal token" | az devops login --organization https://dev.azure.com/my_org --debug but successfully login with set my service principal token in $env:AZURE_DEVOPS_EXT_PAT
stacktrace: cli.knack.cli: Command arguments: ['devops', 'login', '--organization', 'https://dev.azure.com/my_org', '--debug'] cli.knack.cli: init debug log: Enable color in terminal. Enable VT mode. cli.knack.cli: Event: Cli.PreExecute [] cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x01ABB3D0>, <function OutputProducer.on_global_arguments at 0x036A8B68>, <function CLIQuery.on_global_arguments at 0x036C57C0>] cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate [] cli.azure.cli.core: Modules found from index for 'devops': ['azext_devops'] cli.azure.cli.core: Loading command modules: cli.azure.cli.core: Name Load Time Groups Commands cli.azure.cli.core: Total (0) 0.000 0 0 cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next'] cli.azure.cli.core: Loading extensions: cli.azure.cli.core: Name Load Time Groups Commands Directory cli.azure.cli.core: azure-devops 0.073 60 191 C:\Users\my_org.azure\cliextensions\azure-devops cli.azure.cli.core: Total (1) 0.073 60 191 cli.azure.cli.core: Loaded 60 groups, 191 commands. cli.azure.cli.core: Found a match in the command table. cli.azure.cli.core: Raw command : devops login cli.azure.cli.core: Command table: devops login cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x04365B68>] cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\my_org.azure\commands\2023-01-23.15-34-29.devops_login.84228.log'. az_command_data_logger: command args: devops login --organization {} --debug cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x047F5028>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x047F5100>, <function register_cache_arguments..add_cache_arguments at 0x04800658>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x036A8BB0>, <function CLIQuery.handle_query_parameter at 0x036C5808>, <function register_ids_argument..parse_ids_arguments at 0x04800610>, <function DevCommandsLoader.post_parse_args at 0x0485C6E8>]
az_command_data_logger: extension name: azure-devops
az_command_data_logger: extension version: 0.25.0
cli.knack.prompting: No tty available.
cli.azext_devops.dev.team.credentials: Getting PAT token in non-interactive mode.
cli.azext_devops.dev.team.credentials: Creating connection with personal access token.
msrest.universal_http.requests: Configuring retry: max_retries=3, backoff_factor=0.8, max_backoff=90
msrest.universal_http.requests: Configuring retry: max_retries=3, backoff_factor=0.8, max_backoff=90
azext_devops.devops_sdk._file_cache: Cache file does not exist: C:\Users\my_org.azure-devops\python-sdk\cache\options.json
azext_devops.devops_sdk.client: File cache miss for options on: https://dev.azure.com/my_org
azext_devops.devops_sdk.client: OPTIONS https://dev.azure.com/my_org/_apis
msrest.universal_http: Configuring redirects: allow=True, max=30
msrest.universal_http: Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http: Configuring proxies: ''
msrest.universal_http: Evaluate proxies against ENV settings: True
urllib3.connectionpool: Starting new HTTPS connection (1): dev.azure.com:443
urllib3.connectionpool: https://dev.azure.com:443 "OPTIONS /my_org/_apis HTTP/1.1" 401 0
msrest.exceptions: The requested resource requires user authentication: https://dev.azure.com/my_org/_apis
cli.azext_devops.dev.team.credentials: The requested resource requires user authentication: https://dev.azure.com/my_org/_apis
Traceback (most recent call last):
File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\dev\team\credentials.py", line 63, in _verify_token
connection_data = location_client.get_connection_data()
File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\devops_sdk\v5_0\location\location_client.py", line 26, in get_connection_data
response = self._send(http_method='GET',
File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\devops_sdk\client.py", line 60, in _send
request = self._create_request_message(http_method=http_method,
File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\devops_sdk\client.py", line 105, in _create_request_message
location = self._get_resource_location(location_id)
File "C:\Users\vsvmy_orgirski.azure\cliextensions\azure-devops\azext_devops\devops_sdk\client.py", line 135, in _get_resource_location
Client._locations_cache[self.config.base_url] = self._get_resource_locations(all_host_types=False)
File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\devops_sdk\client.py", line 171, in _get_resource_locations
response = self._send_request(request, headers=headers)
File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\devops_sdk\client.py", line 54, in _send_request
self._handle_error(request, response)
File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\devops_sdk\client.py", line 253, in _handle_error
raise AzureDevOpsAuthenticationError(full_message_format.format(error_message=error_message,
azext_devops.devops_sdk.exceptions.AzureDevOpsAuthenticationError: The requested resource requires user authentication: https://dev.azure.com/my_org/_apis
cli.azext_devops.dev.common.exception_handler: handling generic error
cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
cli.azure.cli.core.util: Traceback (most recent call last):
File "C:\Users\vsvmy_orgirski.azure\cliextensions\azure-devops\azext_devops\dev\team\credentials.py", line 63, in _verify_token
connection_data = location_client.get_connection_data()
File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\devops_sdk\v5_0\location\location_client.py", line 26, in get_connection_data
response = self._send(http_method='GET',
File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\devops_sdk\client.py", line 60, in _send
request = self._create_request_message(http_method=http_method,
File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\devops_sdk\client.py", line 105, in _create_request_message
location = self._get_resource_location(location_id)
File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\devops_sdk\client.py", line 135, in _get_resource_location
Client._locations_cache[self.config.base_url] = self._get_resource_locations(all_host_types=False)
File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\devops_sdk\client.py", line 171, in _get_resource_locations
response = self._send_request(request, headers=headers)
File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\devops_sdk\client.py", line 54, in _send_request
self._handle_error(request, response)
File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\devops_sdk\client.py", line 253, in _handle_error
raise AzureDevOpsAuthenticationError(full_message_format.format(error_message=error_message,
azext_devops.devops_sdk.exceptions.AzureDevOpsAuthenticationError: The requested resource requires user authentication: https://dev.azure.com/my_org/_apis
During handling of the above exception, another exception occurred:
Traceback (most recent call last): File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 663, in execute File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 726, in _run_jobs_serially File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 718, in _run_job File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\dev\common\exception_handler.py", line 31, in azure_devops_exception_handler reraise(*sys.exc_info()) File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\six.py", line 719, in reraise File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 697, in _run_job File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 333, in call File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\dev\team\credentials.py", line 29, in credential_set _verify_token(organization=organization, token=token) File "C:\Users\my_org.azure\cliextensions\azure-devops\azext_devops\dev\team\credentials.py", line 66, in _verify_token raise CLIError("Failed to authenticate using the supplied token.") knack.util.CLIError: Failed to authenticate using the supplied token.
cli.azure.cli.core.azclierror: Failed to authenticate using the supplied token. az_command_data_logger: Failed to authenticate using the supplied token. cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x04365C88>] az_command_data_logger: exit code: 1 cli.main: Command ran in 3.025 seconds (init: 1.362, invoke: 1.663) telemetry.main: Begin splitting cli events and extra events, total events: 1 telemetry.client: Accumulated 0 events. Flush the clients. telemetry.main: Finish splitting cli events and extra events, cli events: 1 telemetry.save: Save telemetry record of length 3212 in cache telemetry.check: Negative: The C:\Users\my_org.azure\telemetry.txt was modified at 2023-01-23 15:34:24.820272, which in less than 600.000000 s
To Reproduce Use service principal token and login
Expected behavior Successful login
Environment summary { "azure-cli": "2.44.1", "azure-cli-core": "2.44.1", "azure-cli-telemetry": "1.0.8", "extensions": { "azure-devops": "0.25.0", "ssh": "1.1.3" } }