Azure CLI 2.51.0 (August 01, 2023) introduces Python UserWarning of cryptography for extensions

[DanteMustCode]

Describe the bug

When Azure CLI 2.51.0 (August 01, 2023) is installed, arcappliance extension produces a Python UserWarning:

You are using cryptography on a 32-bit Python on a 64-bit Windows Operating System. Cryptography will be significantly faster if you switch to using a 64-bit Python.

This leads to PowerShell RemoteException which fails Azure Pipelines.

We have tried to uninstall 2.51.0 and install 2.50.0, and the error disappears.

Related command

# az extension add --name arcappliance
az arcappliance validate hci --config-file $configFilePath --only-show-errors
# A non-existent path produces the same error above as well, so just give $configFilePath = "C:\example" if reproduction is desired

Errors

D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\cryptography/hazmat/backends/openssl/backend.py:27: UserWarning: You are using cryptography on a 32-bit Python on a 64-bit Windows Operating System. Cryptography will be significantly faster if you switch to using a 64-bit Python.

Issue script & Debug output

PS> az arcappliance validate hci --config-file $configFilePath --debug
cli.knack.cli: Command arguments: ['arcappliance', 'validate', 'hci', '--config-file', 'C:\\ClusterStorage\\UserStorage_1\\Arc-HCI\\WorkingDir\\hci-appliance.yaml', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x023CA4F0>, <function OutputProducer.on_global_arguments at 0x024CC730>, <function CLIQuery.on_global_arguments at 0x025E8388>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Command index version or cloud profile is invalid or doesn't match the current command.
cli.azure.cli.core: Command index has been invalidated.
cli.azure.cli.core: No module found from index for '['arcappliance', 'validate', 'hci', '--config-file', 'C:\\ClusterStorage\\UserStorage_1\\Arc-HCI\\WorkingDir\\hci-appliance.yaml', '--debug']'
cli.azure.cli.core: Loading all modules and extensions
cli.azure.cli.core: Discovered command modules: ['acr', 'acs', 'advisor', 'ams', 'apim', 'appconfig', 'appservice', 'aro', 'backup', 'batch', 'batchai', 'billing', 'botservice', 'cdn', 'cloud', 'cognitiveservices', 'config', 'configure', 'consumption', 'container', 'cosmosdb', 'databoxedge', 'dla', 'dls', 'dms', 'eventgrid', 'eventhubs', 'extension', 'feedback', 'find', 'hdinsight', 'identity', 'interactive', 'iot', 'keyvault', 'kusto', 'lab', 'managedservices', 'maps', 'marketplaceordering', 'monitor', 'mysql', 'netappfiles', 'network', 'policyinsights', 'privatedns', 'profile', 'rdbms', 'redis', 'relay', 'resource', 'role', 'search', 'security', 'servicebus', 'serviceconnector', 'servicefabric', 'signalr', 'sql', 'sqlvm', 'storage', 'synapse', 'util', 'vm']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: acr                       0.139        34       144
cli.azure.cli.core: acs                       0.063         7        54
cli.azure.cli.core: advisor                   0.005         3         6
cli.azure.cli.core: ams                       0.026        22       100
cli.azure.cli.core: apim                      0.019        14        68
cli.azure.cli.core: appconfig                 0.009         9        47
cli.azure.cli.core: appservice                0.151        73       260
cli.azure.cli.core: aro                       0.028         1         9
cli.azure.cli.core: backup                    0.012        16        58
cli.azure.cli.core: batch                     0.069        34       102
cli.azure.cli.core: batchai                   0.008        10        30
cli.azure.cli.core: billing                   0.021        19        52
cli.azure.cli.core: botservice                0.009        12        42
cli.azure.cli.core: cdn                       0.014        39       133
cli.azure.cli.core: cloud                     0.005         1         7
cli.azure.cli.core: cognitiveservices         0.007        10        33
cli.azure.cli.core: config                    0.005         2         7
cli.azure.cli.core: configure                 0.004         2         5
cli.azure.cli.core: consumption               0.012         8         9
cli.azure.cli.core: container                 0.031         1        11
cli.azure.cli.core: cosmosdb                  0.041        58       192
cli.azure.cli.core: databoxedge               0.017         5        27
cli.azure.cli.core: dla                       0.010        23        62
cli.azure.cli.core: dls                       0.009         7        41
cli.azure.cli.core: dms                       0.011         3        22
cli.azure.cli.core: eventgrid                 0.014        25        96
cli.azure.cli.core: eventhubs                 0.057        13        19
cli.azure.cli.core: extension                 0.003         1         7
cli.azure.cli.core: feedback                  0.003         1         2
cli.azure.cli.core: find                      0.004         1         1
cli.azure.cli.core: hdinsight                 0.023         8        39
cli.azure.cli.core: identity                  0.007         2        11
cli.azure.cli.core: interactive               0.002         1         1
cli.azure.cli.core: iot                       0.415        19        82
cli.azure.cli.core: keyvault                  0.019        22       133
cli.azure.cli.core: kusto                     0.007         3        14
cli.azure.cli.core: lab                       0.010        11        34
cli.azure.cli.core: managedservices           0.005         3         8
cli.azure.cli.core: maps                      0.005         5        13
cli.azure.cli.core: marketplaceordering       0.012         1         2
cli.azure.cli.core: monitor                   0.102        26        80
cli.azure.cli.core: mysql                     0.405        13        47
cli.azure.cli.core: netappfiles               0.016        17        94
cli.azure.cli.core: network                   0.697       103       337
cli.azure.cli.core: policyinsights            0.038         9        17
cli.azure.cli.core: privatedns                0.042        14        63
cli.azure.cli.core: profile                   0.005         2         9
cli.azure.cli.core: rdbms                     0.059        44       185
cli.azure.cli.core: redis                     0.007         5        27
cli.azure.cli.core: relay                     0.008        10        37
cli.azure.cli.core: resource                  0.027        51       224
cli.azure.cli.core: role                      0.006        17        61
cli.azure.cli.core: search                    0.007         7        22
cli.azure.cli.core: security                  0.013        48       104
cli.azure.cli.core: servicebus                0.027        12        15
cli.azure.cli.core: serviceconnector          0.199        12       182
cli.azure.cli.core: servicefabric             0.044        27        76
cli.azure.cli.core: signalr                   0.008         8        30
cli.azure.cli.core: sql                       0.037        56       215
cli.azure.cli.core: sqlvm                     0.044         4        20
cli.azure.cli.core: storage                   0.090        58       272
cli.azure.cli.core: synapse                   0.030        54       246
cli.azure.cli.core: util                      0.004         3         7
cli.azure.cli.core: vm                        0.105        57       271
cli.azure.cli.core: Total (64)                3.330      1186      4624
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: arcappliance              0.018        11        39  C:\Users\ExampleUser\.azure\cliextensions\arcappliance
cli.azure.cli.core: customlocation            0.049         1         7  C:\Users\ExampleUser\.azure\cliextensions\customlocation
cli.azure.cli.core: hybridaks                 0.050         3        16  C:\Users\ExampleUser\.azure\cliextensions\hybridaks
cli.azure.cli.core: k8s-extension             0.014         2         9  C:\Users\ExampleUser\.azure\cliextensions\k8s-extension
cli.azure.cli.core: Total (4)                 0.131        17        71
cli.azure.cli.core: Loaded 1191 groups, 4695 commands.
cli.azure.cli.core: Updated command index in 0.006 seconds.
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x0478D6A0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\ExampleUser\.azure\commands\2023-08-08.02-40-32.arcappliance_validate_hci.15132.log'.
az_command_data_logger: command args: arcappliance validate hci --config-file {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x049B0148>]
D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\cryptography/hazmat/backends/openssl/backend.py:27: UserWarning: You are using cryptography on a 32-bit Python on a 64-bit Windows Operating System. Cryptography will be significantly faster if you switch to using a 64-bit Python.
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x049B06A0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x049B05C8>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [<function _documentdb_deprecate at 0x057642F8>]
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x024CC778>, <function CLIQuery.handle_query_parameter at 0x025E83D0>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x049B0580>, <function handler at 0x058EF6A0>]
az_command_data_logger: extension name: arcappliance
az_command_data_logger: extension version: 0.2.32
Command group 'arcappliance validate' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=Appliances
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\ExampleUser\\.azure\\msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: C:\Users\ExampleUser\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
msrest.universal_http.requests: Configuring retry: max_retries=4, backoff_factor=0.8, max_backoff=90
cli.azure.cli.core.commands.client_factory: Adding custom headers to the client:
cli.azure.cli.core.commands.client_factory:     'x-ms-client-request-id': 'ef8aec93-3594-11ee-a4e8-000000000041'
cli.azure.cli.core.commands.client_factory:     'CommandName': 'arcappliance validate hci'
cli.azure.cli.core.commands.client_factory:     'ParameterSetName': '--config-file --debug'
cli.azext_arcappliance.telemetry_helpers: Subscription fetched from context: 12345678-1234-1234-1234-b8877c7a2a17
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ResourceManagementClient
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 251d8567-d42e-4b65-84df-57cab989ff8b
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/12345678-1234-1234-1234-b8877c7a2a17/providers/Microsoft.ResourceConnector?api-version=2022-09-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': 'ef8aec93-3594-11ee-a4e8-000000000041'
cli.azure.cli.core.sdk.policies:     'CommandName': 'arcappliance validate hci'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--config-file --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.51.0 (MSI) azsdk-python-azure-mgmt-resource/23.1.0b2 Python/3.10.10 (Windows-10-10.0.25398-SP0)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/12345678-1234-1234-1234-b8877c7a2a17/providers/Microsoft.ResourceConnector?api-version=2022-09-01 HTTP/1.1" 200 978
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Content-Encoding': 'gzip'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'Vary': 'Accept-Encoding'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-reads': '11998'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '9be8b080-98c1-4f79-b3e0-5a0a3b53d694'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '9be8b080-98c1-4f79-b3e0-5a0a3b53d694'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'WESTCENTRALUS:20230808T024033Z:9be8b080-98c1-4f79-b3e0-5a0a3b53d694'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'Date': 'Tue, 08 Aug 2023 02:40:32 GMT'
cli.azure.cli.core.sdk.policies:     'Content-Length': '978'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"id":"/subscriptions/12345678-1234-1234-1234-b8877c7a2a17/providers/Microsoft.ResourceConnector","namespace":"Microsoft.ResourceConnector","authorizations":[{"applicationId":"585fc3c3-9a59-4720-8319-53cce041a605","roleDefinitionId":"008e7b93-7712-4d05-83ce-a9fcc80300e9"},{"applicationId":"d22ea4d1-2678-4a7b-aa5e-f340c2a7d993","roleDefinitionId":"7c812eee-67c9-4a05-a1b1-c0ac88fd1067"}],"resourceTypes":[{"resourceType":"locations","locations":[],"apiVersions":["2022-10-27","2022-04-15-preview","2021-10-31-preview","2020-09-15-privatepreview"],"endpointUris":["https://ap-eastus2euap-prod.trafficmanager.net"],"capabilities":"None"},{"resourceType":"appliances","locations":["East US","West Europe","UK South","Australia East","Southeast Asia","Canada Central","East US 2","West US 2","West US 3","South Central US","North Europe","Sweden Central","Central US","East US 2 EUAP"],"apiVersions":["2021-10-31-preview"],"defaultApiVersion":"2021-10-31-preview","endpointUris":["https://ap-eastus-prod.trafficmanager.net","https://ap-westeurope-prod.trafficmanager.net","https://ap-uksouth-prod.trafficmanager.net","https://ap-australiaeast-prod.trafficmanager.net","https://ap-southeastasia-prod.trafficmanager.net","https://ap-canadacentral-prod.trafficmanager.net","https://ap-eastus2-prod.trafficmanager.net","https://ap-westus2-prod.trafficmanager.net","https://ap-westus3-prod.trafficmanager.net","https://ap-scus-prod.trafficmanager.net","https://ap-northeurope-prod.trafficmanager.net","https://ap-swedencentral-prod.trafficmanager.net","https://ap-centralus-prod.trafficmanager.net","https://ap-eastus2euap-prod.trafficmanager.net"],"capabilities":"SystemAssignedResourceIdentity, SupportsTags, SupportsLocation"},{"resourceType":"locations/operationsstatus","locations":["East US","West Europe","UK South","Australia East","Southeast Asia","Canada Central","East US 2","West US 2","West US 3","South Central US","North Europe","Sweden Central","Central US","East US 2 EUAP"],"apiVersions":["2021-10-31-preview","2020-07-15-privatepreview"],"endpointUris":["https://ap-eastus-prod.trafficmanager.net","https://ap-westeurope-prod.trafficmanager.net","https://ap-uksouth-prod.trafficmanager.net","https://ap-australiaeast-prod.trafficmanager.net","https://ap-southeastasia-prod.trafficmanager.net","https://ap-canadacentral-prod.trafficmanager.net","https://ap-eastus2-prod.trafficmanager.net","https://ap-westus2-prod.trafficmanager.net","https://ap-westus3-prod.trafficmanager.net","https://ap-scus-prod.trafficmanager.net","https://ap-northeurope-prod.trafficmanager.net","https://ap-swedencentral-prod.trafficmanager.net","https://ap-centralus-prod.trafficmanager.net","https://ap-eastus2euap-prod.trafficmanager.net"],"capabilities":"None"},{"resourceType":"locations/operationresults","locations":["East US","West Europe","UK South","Australia East","Southeast Asia","Canada Central","East US 2","West US 2","West US 3","South Central US","North Europe","Sweden Central","Central US","East US 2 EUAP"],"apiVersions":["2021-10-31-preview","2020-07-15-privatepreview"],"endpointUris":["https://ap-eastus-prod.trafficmanager.net","https://ap-westeurope-prod.trafficmanager.net","https://ap-uksouth-prod.trafficmanager.net","https://ap-australiaeast-prod.trafficmanager.net","https://ap-southeastasia-prod.trafficmanager.net","https://ap-canadacentral-prod.trafficmanager.net","https://ap-eastus2-prod.trafficmanager.net","https://ap-westus2-prod.trafficmanager.net","https://ap-westus3-prod.trafficmanager.net","https://ap-scus-prod.trafficmanager.net","https://ap-northeurope-prod.trafficmanager.net","https://ap-swedencentral-prod.trafficmanager.net","https://ap-centralus-prod.trafficmanager.net","https://ap-eastus2euap-prod.trafficmanager.net"],"capabilities":"None"},{"resourceType":"operations","locations":[],"apiVersions":["2022-04-15-preview","2021-10-31-preview","2021-02-01","2020-07-15-privatepreview"],"endpointUris":["https://ap-eastus2euap-prod.trafficmanager.net"],"capabilities":"None"}],"registrationState":"Registered","registrationPolicy":"RegistrationRequired"}
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/12345678-1234-1234-1234-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azext_arcappliance.pkg.errors.error_telemetry: Set telemetry exceptions - exception: , fault_Type: arcappliance-validate-error, summary: Arc Appliance Validate Error: Error loading configuration file: [Errno 2] No such file or directory: 'C:\\ClusterStorage\\UserStorage_1\\Arc-HCI\\WorkingDir\\hci-appliance.yaml'
cli.azext_arcappliance.telemetry_helpers: Custom telemetry: {'context.default.azurecli.appliancedeploymentid': '', 'context.default.azurecli.provider': 'hci', 'context.default.azurecli.portaltraceid': '00000000-0000-0000-0000-000000000000', 'context.default.azurecli.appliancetraceid': '081ffe0a-c858-4aea-aba8-e01eefe8751d', 'context.default.azurecli.appliancecommand': 'ArcApplianceValidateFailure', 'context.default.azurecli.currentdatetime': '2023-08-08T02:40:33Z', 'context.default.azurecli.userazuresubscriptionid': '12345678-1234-1234-1234-b8877c7a2a17', 'context.default.azurecli.appliancefailuremessage': 'Error loading configuration file: [Errno 2] No such file or directory: _C:\\\\ClusterStorage\\\\UserStorage_1\\\\Arc-HCI\\\\WorkingDir\\\\hci-appliance.yaml_ ', 'context.default.azurecli.appliancefailuretype': 'CLIError'}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "C:\Users\ExampleUser\.azure\cliextensions\arcappliance\azext_arcappliance\helpers.py", line 138, in parse_and_validate_config
    with open(config_file, 'r', encoding="utf8") as config:
FileNotFoundError: [Errno 2] No such file or directory: 'C:\\ClusterStorage\\UserStorage_1\\Arc-HCI\\WorkingDir\\hci-appliance.yaml'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "C:\Users\ExampleUser\.azure\cliextensions\arcappliance\azext_arcappliance\custom.py", line 85, in validate_appliance
    raise e
  File "C:\Users\ExampleUser\.azure\cliextensions\arcappliance\azext_arcappliance\custom.py", line 60, in validate_appliance
    _, _, infraData = helpers.parse_and_validate_config(cmd, infraData, config_file, resource_group, name, location)
  File "C:\Users\ExampleUser\.azure\cliextensions\arcappliance\azext_arcappliance\helpers.py", line 144, in parse_and_validate_config
    raise CLIError(f"Error loading configuration file: {e} ")
knack.util.CLIError: Error loading configuration file: [Errno 2] No such file or directory: 'C:\\ClusterStorage\\UserStorage_1\\Arc-HCI\\WorkingDir\\hci-appliance.yaml'

cli.azure.cli.core.azclierror: Error loading configuration file: [Errno 2] No such file or directory: 'C:\\ClusterStorage\\UserStorage_1\\Arc-HCI\\WorkingDir\\hci-appliance.yaml'
az_command_data_logger: Error loading configuration file: [Errno 2] No such file or directory: 'C:\\ClusterStorage\\UserStorage_1\\Arc-HCI\\WorkingDir\\hci-appliance.yaml'
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0478D7C0>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 6.282 seconds (init: 1.077, invoke: 5.205)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 12261 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\ExampleUser\.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

No error as 2.50.0.

Environment Summary

azure-cli                         2.51.0

core                              2.51.0
telemetry                          1.1.0

Extensions:
arcappliance                      0.2.32
customlocation                     0.1.3
hybridaks                          0.2.1
k8s-extension                      1.4.2

Dependencies:
msal                            1.24.0b1
azure-mgmt-resource             23.1.0b2

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\...\.azure\cliextensions'

Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb  7 2023, 17:05:00) [MSC v.1929 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

https://azcliprod.blob.core.windows.net/msi/azure-cli-2.51.0.msi https://azcliprod.blob.core.windows.net/msi/azure-cli-2.50.0.msi

[yonzhan]

Thank you for opening this issue, we will look into it.

[ghost]

Thank you for your feedback. This has been routed to the support team for assistance.

[bebound]

This warn info is expected as we bump cryptography to latest version in 2.51. You can try to install the 64-bit package and migrate to it. see https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli#migrate-to-64-bit-azure-cli. We will work with ADO team to migrate to 64-bit Azure CLI. Alternatively, set failOnStderr to false to keep the pipeline running. The correct way to detect if a CLI command fails is to check the exit code

[DanteMustCode]

@bebound Thank you very much. I will close this issue as completed.

[HenrikSommer-Energinet]

If that is expected then please update your documentations also. There are no info about it here: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli You can't expected customer to find a pr branch.

[HenrikSommer-Energinet]

@DanteMustCode can you reopen it until your documentation is updated?

[dylanhouston7]

@DanteMustCode can you reopen it until your documentation is updated?

I agree. I work at Fortune 200 who is a client of Microsoft and this has impeded our ability to run any of our Azure Pipelines this morning, when they were working before. I need some documentation on how to best get around this issue.

I also don't think this should be logged as an exception since the message has the word "UserWarning" in it.

[sugangin]

I agree too. This may be a valid warning. But since it is being written as error, and most of the azure pipeline az cli tasks use "Fail on Standard Error" flag, it results in failure of the azure pipelines. This flag cannot be set to false as it would lead to the "actual/genuine script errors" to be ignored.

It will be hugely appreciated if this behavior can be fixed or provide Azure pipeline tasks the ability to chose older versions of Az cli.

[sugangin]

Also I would like to bring to your kind attention the magnitude of this issue is having on the customers. All of the scheduled Production deployments for the Customers who has chosen "Azure Cloud" and running their Azure pipelines on Microsoft Hosted agents, and using Azure CLI tasks for many deployment scripts are unable to move forward with the scheduled UAT and Production deployments.

[dylanhouston7]

Also I would like to bring to your kind attention the magnitude of this issue is having on the customers. All of the scheduled Production deployments for the Customers who has chosen "Azure Cloud" and running their Azure pipelines on Microsoft Hosted agents, and using Azure CLI tasks for many deployment scripts are unable to move forward with the scheduled UAT and Production deployments.

Absolutely agree 100% with this. This is impeding our ability to move code past the PR stage. Fwiw I've filed a Sev B Azure ticket on behalf of the company I work for, and linked to this Github issue within the ticket.

[navba-MSFT]

@sugangin @dylanhouston7 I am reopening this issue and checking this further internally.

[navba-MSFT]

@sugangin @dylanhouston7 Could you please follow the suggestion and workaround mentioned here.

[jiasli]

This flag cannot be set to false as it would lead to the "actual/genuine script errors" to be ignored.

@sugangin, Azure CLI never uses stderr stream as an error indicator. Any command can print to stderr without prior notice. Please see https://github.com/Azure/azure-cli/issues/18372 for more details regarding using failOnStderr with Azure CLI.

[dylanhouston7]

@sugangin @dylanhouston7 Could you please follow the suggestion and workaround mentioned here.

@navba-MSFT thanks for reopening the issue. Changing the "failOnStandardError" flag to false does keep our pipelines going and does unblock us. However, as @sugangin pointed out, doing this also ignores "actual/genuine" errors. This actually happened to me yesterday, after we implemented the workaround. When we were trying to deploy some keyvault reference changes with a functions app, we found that the slot failed to start. We found out that we didn't have access policies setup for the app to access the keyvault secrets.

Usually, this step az deployment group what-if -g "$ResourceGroupName"

would have caught that error before we deployed anything to Azure. But because we did the workaround, we had to go to the deployed Functions app in Azure to see that the deploy slot failed to deploy because of that-- and we were able to view the error there in the Azure portal, but it is always much better to catch errors like this well before anything is deployed to Azure.

My Sev B Azure ticket is being looked at by Microsoft as well. 2308080040010326

Implemented workaround attached. azure-workaround.txt

[nthompson4work]

Our workaround was to implement what was described here.

At first we just pinned the cli version, azure-cli==2.51, but that then led to issue #27131.

We ended up adding the following which seems to have done the trick:

steps:
 ...
# Specify python version
- task: UsePythonVersion@0
  inputs:
    versionSpec: '3.x'
    architecture: 'x64'

# Update to latest Azure CLI version
- bash: pip install azure-cli==2.51 azure-core==1.28.0 --extra-index-url https://azurecliprod.blob.core.windows.net/edge
  displayName: 'Upgrade Azure CLI'
...

The downside to this however is two fold:

1) Need to run it at the beginning of every agent provisioning so any azure CLI tasks via scripts or task: AzureCLI@2 get the update. So if you provision multiple times in a pipeline, it needs to be done for each.

2) It is SLOW. We are seeing an average of 3 to 7 minutes for this mitigation step alone to install the 64bit version. in areas where this needs to be done multiple times, the pipeline time has now gone way up.

[dylanhouston7]

Our workaround was to implement what was described here.

At first we just pinned the cli version, azure-cli==2.51, but that then led to issue #27131.

We ended up adding the following which seems to have done the trick:

steps:
 ...
# Specify python version
- task: UsePythonVersion@0
  inputs:
    versionSpec: '3.x'
    architecture: 'x64'

# Update to latest Azure CLI version
- bash: pip install azure-cli==2.51 azure-core==1.28.0 --extra-index-url https://azurecliprod.blob.core.windows.net/edge
  displayName: 'Upgrade Azure CLI'
...

The downside to this however is two fold:

1. Need to run it at the beginning of every agent provisioning so any azure CLI tasks via scripts or `task: AzureCLI@2` get the update.  So if you provision multiple times in a pipeline, it needs to be done for each.

2. It is _SLOW_.  We are seeing an average of 3 to 7 minutes for this mitigation step alone to install the 64bit version.  in areas where this needs to be done multiple times, the pipeline time has now gone way up.

Thanks for posting this. The first tier MS rep to get back to me suggested a similar workaround, which added 6-7 minutes to our pipeline run time.... which is unacceptable and also SLOW. Our PRs builds are what leverage this command so it is run all the time.

This is the workaround that he suggested. Just posting this in case someone is really stuck and needs to release code.

jobs:
- job:
  dependsOn: ${{ parameters.DependsOn }}
  displayName: "${{ parameters.ArmTemplateSubFolder }}/${{ parameters.Environment }}/${{ parameters.Region }}"
  steps:
  - checkout: none
  - download: current
    artifact: ${{ parameters.TemplateFolderPath }}
  - bash: pip install -Iv azure-cli==2.50.0 --extra-index-url https://azurecliprod.blob.core.windows.net/edge  
    displayName: 'Use Specific Azure CLI' # 8/10/23 - Using a specific version of the CLI until this issue is resolved https://github.com/Azure/azure-cli/issues/27115
  - task: AzureCLI@2 # this step is required to run bicep deploys that have a module reference to a private repository
    displayName: "Testing Files"
    inputs:
      azureSubscription: ${{ parameters.AzureSubscription }}
      scriptType: pscore
      scriptLocation: inlineScript
      inlineScript: |
        cutting this out for brevity purposes
      azurePowerShellVersion: latestVersion
      errorActionPreference: 'stop' # Optional. Options: stop, continue, silentlyContinue
      failOnStandardError: true # Optional
      pwsh: true

[cutecycle]

Our workaround was to implement what was described here.

At first we just pinned the cli version, azure-cli==2.51, but that then led to issue #27131.

We ended up adding the following which seems to have done the trick:

steps:
 ...
# Specify python version
- task: UsePythonVersion@0
  inputs:
    versionSpec: '3.x'
    architecture: 'x64'

# Update to latest Azure CLI version
- bash: pip install azure-cli==2.51 azure-core==1.28.0 --extra-index-url https://azurecliprod.blob.core.windows.net/edge
  displayName: 'Upgrade Azure CLI'
...

The downside to this however is two fold:

1. Need to run it at the beginning of every agent provisioning so any azure CLI tasks via scripts or task: AzureCLI@2 get the update. So if you provision multiple times in a pipeline, it needs to be done for each.
2. It is SLOW. We are seeing an average of 3 to 7 minutes for this mitigation step alone to install the 64bit version. in areas where this needs to be done multiple times, the pipeline time has now gone way up.

do you have to pip install the specific azure cli version? python x64 seems to already be installed on Microsoft-hosted agents, and just UsePythonVersion could be enough in that context (I'm not sure if you're on self-hosted agents).

[cutecycle]

Our workaround was to implement what was described here. At first we just pinned the cli version, azure-cli==2.51, but that then led to issue #27131. We ended up adding the following which seems to have done the trick:

steps:
 ...
# Specify python version
- task: UsePythonVersion@0
  inputs:
    versionSpec: '3.x'
    architecture: 'x64'

# Update to latest Azure CLI version
- bash: pip install azure-cli==2.51 azure-core==1.28.0 --extra-index-url https://azurecliprod.blob.core.windows.net/edge
  displayName: 'Upgrade Azure CLI'
...

The downside to this however is two fold:

1. Need to run it at the beginning of every agent provisioning so any azure CLI tasks via scripts or task: AzureCLI@2 get the update. So if you provision multiple times in a pipeline, it needs to be done for each.
2. It is SLOW. We are seeing an average of 3 to 7 minutes for this mitigation step alone to install the 64bit version. in areas where this needs to be done multiple times, the pipeline time has now gone way up.

do you have to pip install the specific azure cli version? python x64 seems to already be installed on Microsoft-hosted agents, and just UsePythonVersion could be enough in that context (I'm not sure if you're on self-hosted agents).

answering myself:

the second line is necessary: ensures the openssl dependency is 64 bit upon reinstallation

[jiasli]

Installing with pip such as pip install azure-cli==2.51 is not officially supported.

@dylanhouston7, using failOnStandardError to detect if az deployment group what-if -g "$ResourceGroupName" succeeds is an incorrect usage. See https://github.com/Azure/azure-cli/issues/18372#issuecomment-1671014024 for how to handle the exit code of a native command correctly.

[MattJeanes]

We have worked around this by setting failOnStdErr: false (or removing it which is the default) in our Azure Pipelines and updating the PowerShell scripts to check $LASTEXITCODE after each call to a native command like the Azure CLI:

az <insert command here>
if ($LASTEXITCODE -ne 0) {
    Write-Error "az exited with code $LASTEXITCODE"
}

Note that PowerShell 7.3 includes an experimental feature to do this for you: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_preference_variables?view=powershell-7.3#psnativecommanduseerroractionpreference

Bash scripts also can do this with set -e at the top of the script

[cutecycle]

@MattJeanes @jiasli But then, isn't part of the problem here that the UserWarning is changing the exitCode of this native call to 1?

[jiasli]

@MattJeanes's solution is correct. This is exactly what I provided in https://github.com/Azure/azure-cli/issues/18372#issuecomment-1671014024.

the UserWarning is changing the exitCode of this native call to 1

UserWarning is merely a message printed to stderr. It never changes the exit code. This can be verified with

> C:\Users\xxx\AppData\Local\Programs\Python\Python310-32\python.exe -c "import cryptography.hazmat.bindings.openssl.binding"
<string>:1: UserWarning: You are using cryptography on a 32-bit Python on a 64-bit Windows Operating System. Cryptography will be significantly faster if you switch to using a 64-bit Python.
> echo $LASTEXITCODE
0

[bowlerma]

We're also now started seeing this problem with Microsoft's hosted agents which was causing an otherwise working task to suddenly start failing.

If it's a warning, why is it being written to stderr?

Where's the notification that this breaking change was being introduced, and why have the agents been updated to this version if they're not compatible with it?

[MattJeanes]

Standard error (stderr) output is also often used for warnings and even sometimes informational messages which is why I never recommend using failOnStdErr as it will cause problems like this. The only reliable metric for task success / failure is the exit code

[dylanhouston7]

Regarding the Azure ticket I opened on behalf of the company I work for, a rep got back to me and told me to try my pipeline without the workaround of using a specific Azure CLI version. I did, and it worked today. Anyone else seeing successful results?

[not-not-kevin]

Regarding the Azure ticket I opened on behalf of the company I work for, a rep got back to me and told me to try my pipeline without the workaround of using a specific Azure CLI version. I did, and it worked today. Anyone else seeing successful results?

Confirmed. I re-ran my pipelines and they work successfully (without the "workaround'). However, moving forwards I will continue to check the last exit code vs failing on standard error.

[bebound]

Runner-image is using 64-bit CLI by default in https://github.com/actions/runner-images/pull/8096 I think this issue is solved for pipeline users.

[bowlerma]

Yep, working here too now. As per above, 64-bit Python seems to now be used on the Microsoft hosted agents, so the warning goes away.

[dylanhouston7]

Thanks for verifying all. When I removed the workaround for various other repos that I work with, they all worked this morning as well.

I did not get much detail on what the fix was, other than "...it is a full implementation for the MS hosted agents on the latest version. Your other repos should be fine as long as they run with the latest version of the Microsoft Hosted Agent."

I'm going to have them close the Azure ticket now.

[dylanhouston7]

One last note, I got these details once my ticket was closed:

•   Issue: Azure CLI with version 2.51.0 having a cryptography error on a 32-bit Python on Windows OS on 64-bit version.

•   Root Cause: The Azure CLI version 2.51.0 used on Microsoft Hosted Agents was working on the 32 bits version instead of 64 bits version

•   Actions taken for the resolution: For the resolution of the case, I opened an internal report sharing the github thread: [Azure CLI 2.51.0 (August 01, 2023) introduces Python UserWarning of cryptography for extensions · Issue #27115 · Azure/azure-cli · GitHub](https://github.com/Azure/azure-cli/issues/27115) and the investigation, workarounds taken for this request.

o   Final resolution: A fix implementation based on the error was made for the latest version of Microsoft Hosted Agents by switching the version of Azure CLI to the 64 bits and mitigate the current behavior mentioned before.

[martin-bmc]

The installation documentation does not show how to install the 64 bit version using winget (and I can not see such a package available). Is this in progress and if so any ETA?

[bebound]

@martin-bmc x64 version for winget is not in the roadmap yet. We can't replace the download link to 64-bit as there are some manual steps to migrate to 64bit. I think we need to keep both 32-bit and 64-bit and add some instructions after installation.

[HenrikSommer-Energinet]

@martin-bmc x64 version for winget is not in the roadmap yet. We can't replace the download link to 64-bit as there are some manual steps to migrate to 64bit. I think we need to keep both 32-bit and 64-bit and add some instructions after installation.

1. Could you then make sure the version on winget is list as a 32 bit and not 64 bit.
2. Please add it on the road map so we can continue update azure cli with Winget.

[efd7887]

So you are saying that the right hand doesnt know what the left hand is doing over there at Microsoft? What is going on over there? Is this a feature? This is like selling a car with 2 wheels. Constant issues with VS Code. Is having a stable command line interface other than DOS on Microsoft's roadmap because I have to tell you, if I got paid to research and fix all of the issues with VS Code and modules in PowerShell and CLI I may not have to work. Effectively we are doing our jobs and your jobs.

This is my opinion only and does not represent Microsoft in any way

Open Source Community Tools = We arent sure we know what we are doing so we will rely on the intelligent customers to fix stuff for us.

If I architected and built solutions that only half worked and then someone had to come behind my, find the issue, diagnose and fix I would be fired. Just saying......

[tssv2896]

Runner-image is using 64-bit CLI by default in actions/runner-images#8096 I think this issue is solved for pipeline users.

Worked perfectly !