Azure CLI will currently *always* cause AzureCliCredential to fail on Python/MacOS/Homebrew using secret-client.

furnivall commented 1 year ago

Describe the bug

Preface: This may well be intended behaviour, so I apologise if so. However, I am currently unable to upgrade Azure CLI locally due to https://github.com/Homebrew/homebrew-core/pull/138158 & https://github.com/Azure/azure-cli/issues/27047 so I did a bit of digging. I'll also raise a sister issue on azure-sdk-for-python so they're aware of it too.

Description: DefaultAzureCredential runs through a bunch of options, including AzureCliCredential.

When it reaches this line within AzureCliCredential, it will always fail the timeout with an outdated software version.

This is because the cli prompt returned by az account get-access-token --output json --resource <whatever> embedded within that file will always return the following, which requires a user response to complete.

New Azure CLI version available. Running 'az upgrade' to update automatically.
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Your current Azure CLI version is 2.50.0. Latest version available is 2.51.0.
Please check the release notes first: https://docs.microsoft.com/cli/azure/release-notes-azure-cli
Do you want to continue? (Y/n):

Steps to reproduce: I have been able to confirm this on a minimal reproduction here. It will require the replacement of some env vars:

Replace key_vault_url and secret_name within x/function_app.py with some legitimate values.
Use func start to start
Optionally, attach a debugger of your choice to the process and watch the call to return subprocess.check_output(args, **kwargs) venv/lib/python3.10/site-packages/azure/identity/_credentials/azure_cli.py - github link to specific line
Run curl http://localhost:7071/api/hello to trigger the http function
Read your logs for the following string: AzureCliCredential: Failed to invoke the Azure CLI

Related command

All azure commands that trigger an update notification, but specifically az account get-access-token --output json --resource <whatever> in this instance

Errors

Executing 'Functions.AzureTrigger' (Reason='This function was programmatically called via the host APIs.', Id=df95b1b4-cdce-4775-abe4-71e6f6cab282) DefaultAzureCredential failed to retrieve a token from the included credentials. Attempted credentials:

EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
*AzureCliCredential: Failed to invoke the Azure CLI*
AzurePowerShellCredential: Az.Account module >= 2.2.0 is not installed
AzureDeveloperCliCredential: Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then, once installed, authenticate to your Azure account using 'azd auth login'.
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
Executed 'Functions.AzureTrigger' (Failed, Id=df95b1b4-cdce-4775-abe4-71e6f6cab282, Duration=57068ms)
System.Private.CoreLib: Exception while executing function: Functions.AzureTrigger. System.Private.CoreLib: Result: Failure
Exception: ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
AzureCliCredential: Failed to invoke the Azure CLI
AzurePowerShellCredential: Az.Account module >= 2.2.0 is not installed
AzureDeveloperCliCredential: Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then, once installed, authenticate to your Azure account using 'azd auth login'.
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.

Issue script & Debug output

N/A, description covers it.

Expected behavior

Auth token to be generated as standard.

Environment Summary

azure-cli                         2.50.0 *

core                              2.50.0 *
telemetry                          1.0.8 *

Extensions:
ssh                                2.0.0

Dependencies:
msal                              1.22.0
azure-mgmt-resource             23.1.0b2

Python location '/usr/local/Cellar/azure-cli/2.50.0_1/libexec/bin/python'
Extensions directory '/Users/daniel.furnivall/.azure/cliextensions'

Python (Darwin) 3.10.12 (main, Jun 20 2023, 17:00:24) [Clang 14.0.3 (clang-1403.0.22.14.1)]

Legal docs and information: aka.ms/AzureCliLegal

You have 3 update(s) available. Consider updating your CLI installation with 'az upgrade'
New Azure CLI version available. Running 'az upgrade' to update automatically.
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Your current Azure CLI version is 2.50.0. Latest version available is 2.51.0.
Please check the release notes first: https://docs.microsoft.com/cli/azure/release-notes-azure-cli

Additional context

I am fairly certain this won't just be hitting the python sdk, and definitely not just function apps.

azure-client-tools-bot-prd[bot] commented 1 year ago

Hi @furnivall,

2.50.0 is not the latest Azure CLI(2.51.0).

Please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

yonzhan commented 1 year ago

Thank you for opening this issue, we will look into it.

furnivall commented 1 year ago

Thank you for opening this issue, we will look into it.

No problem, if you need anything specific about my setup I am happy to provide. Just spent the day bashing my head against the computer to work out why I wasn't able to connect keyvault to my local environment!

furnivall commented 1 year ago

Here's a screenshot of the relevant debugging output

furnivall commented 1 year ago

Hi @furnivall,

2.50.0 is not the latest Azure CLI(2.51.0).

Please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

Also, your bot is broken - it's physically impossible for MacOS users with Homebrew to upgrade to this version at current. No idea where to raise a bug ticket but might be worth doing something about.

edit: scratch that, have raised https://github.com/Azure/azure-cli/pull/27112

jiasli commented 1 year ago

I'll also raise a sister issue on azure-sdk-for-python so they're aware of it too.

I believe you are talking about https://github.com/Azure/azure-sdk-for-python/issues/31493

You are seeing the New Azure CLI version available. Running 'az upgrade' to update automatically. warning because you have enabled Automatic Update. You may turn it off following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli

az config set auto-upgrade.enable=no

See https://github.com/Azure/azure-cli/issues/17886#issuecomment-862044518

jiasli commented 1 year ago

Azure CLI's Automatic Update is indeed guarded by a verify_is_a_tty check:

https://github.com/Azure/azure-cli/blob/2c3f5e099ccf7074dd21ec7b20620f9b5b933495/src/azure-cli/azure/cli/__main__.py#L97-L104

When Python SDK subprocesses az, it connects the stdin of itself to the subprocess az:

https://github.com/Azure/azure-sdk-for-python/blob/c4c18a7b427633c0519016d762dc141ae743e41b/sdk/identity/azure-identity/azure/identity/_credentials/azure_cli.py#L188-L195

        kwargs: Dict[str, Any] = {
            "stderr": subprocess.PIPE,
            "cwd": working_directory,
            "universal_newlines": True,
            "timeout": timeout,
            "env": dict(os.environ, AZURE_CORE_NO_COLOR="true"),
        }
        return subprocess.check_output(args, **kwargs)

https://docs.python.org/3/library/subprocess.html#frequently-used-arguments

stdin, stdout and stderr: With the default settings of None, no redirection will occur; the child’s file handles will be inherited from the parent.

See https://github.com/Azure/azure-cli/issues/17886#issuecomment-1669382495

Azure / azure-cli