Azure / azure-cli

Azure Command-Line Interface
MIT License

Unable to cleanup ACR via cli using Workload Identity to authenticate #29118

Open carlospcastro opened 2 months ago

carlospcastro commented 2 months ago

Describe the bug

It's not possible to reach the ACR from an AKS pod using Workload Identity to log in. A case was opened with Microsoft; they identified the issue and asked me to report it as a bug here.

"This is a CLI bug, as the request is not landing on ARM or ACR. The way the subscription cache is handled in the CLI, this is only refreshed when the CLI performs a cloud login (az login). The workload identity 'login' might not be refreshing this cache, and because the CLI is not sending a request to obtain a refreshed list of subscriptions, the request fails locally without attempting to do the purge. They would need to create an issue in the azure/cli GitHub for this to be addressed (Issues · Azure/azure-cli (github.com)). Please add the details that we have discussed: the behavior is different when using user credentials vs. using workload identity; the subscription/resource query is not reaching ARM or ACR."

_"this code calls this code; the handling of how the subscriptions are cached locally is the issue, as the client is not trying to fetch the subscription from ARM (only tries locally), after that the call fails"_

Related command

The command used to authenticate to Azure:

az login --federated-token "$(cat $AZURE_FEDERATED_TOKEN_FILE)" --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID --allow-no-subscriptions

The command used to clean up some old images in the ACR:

REPOS=$(az acr repository list -n ${REGISTRY} -o table | tail -n +3 | grep -v helm)
for REPO in $REPOS; do
  COMMAND="acr purge --ago 30d --filter '${REPO}:^[A-Fa-f0-9]{8,}$' --keep 5 --untagged"
  az acr run --cmd "${COMMAND}" --registry ${REGISTRY} --timeout 3600 /dev/null
done

Errors

The resource with name '' and type 'Microsoft.ContainerRegistry/registries' could not be found in subscription ''.

Issue script & Debug output

cli.azure.cli.core.sdk.policies: {"value":[]}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
  File "/usr/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
    raise ex
  File "/usr/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/usr/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
    result = cmd_copy(params)
  File "/usr/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
    return self.handler(*args, **kwargs)
  File "/usr/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
  File "/usr/lib/python3.10/site-packages/azure/cli/command_modules/acr/run.py", line 45, in acr_run
    _, resource_group_name = validate_managed_registry(
  File "/usr/lib/python3.10/site-packages/azure/cli/command_modules/acr/_utils.py", line 143, in validate_managed_registry
    registry, resource_group_name = get_registry_by_name(
  File "/usr/lib/python3.10/site-packages/azure/cli/command_modules/acr/_utils.py", line 109, in get_registry_by_name
    resource_group_name = get_resource_group_name_by_registry_name(
  File "/usr/lib/python3.10/site-packages/azure/cli/command_modules/acr/_utils.py", line 88, in get_resource_group_name_by_registry_name
    arm_resource = _arm_get_resource_by_name(
  File "/usr/lib/python3.10/site-packages/azure/cli/command_modules/acr/_utils.py", line 55, in _arm_get_resource_by_name
    raise ResourceNotFound(
azure.cli.command_modules.acr._utils.ResourceNotFound: The resource with name 'acr' and type 'Microsoft.ContainerRegistry/registries' could not be found in subscription 'subscription'.

Expected behavior

Authenticate and perform the ACR cleanup commands without problems.

Environment Summary

az --version

azure-cli 2.45.0 *

core 2.45.0
telemetry 1.0.8

Dependencies:
msal 1.20.0
azure-mgmt-resource 21.1.0b1

Additional context

No response
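A pre-flight check a practitioner could run in the pod before starting the purge loop, added here as an example; it is not code from the issue or from the azure-cli project. It assumes a hypothetical AZ_BIN override (defaulting to the real az), the REGISTRY variable from the issue, and that `az account list --refresh` can repopulate the subscription cache with the credential stored at login.

```shell
# Added pre-flight check, not code from the issue or from the azure-cli project.
# AZ_BIN is a hypothetical override so the function can be exercised against a
# stub; REGISTRY comes from the environment, exactly as the purge loop does.
AZ_BIN="${AZ_BIN:-az}"

# Exit codes: 0 registry resolvable; 1 subscription cache still empty after a
# refresh (the failure mode in the issue); 2 cache populated but registry absent.
check_acr_visible() {
  registry="$1"
  # The locally cached subscription list is what 'az acr run' resolves against.
  cached=$("$AZ_BIN" account list -o tsv --query '[].id' 2>/dev/null)
  if [ -z "$cached" ]; then
    # Ask the CLI to re-query ARM for subscriptions; a federated login with
    # --allow-no-subscriptions may have left this cache empty.
    "$AZ_BIN" account list --refresh -o none >/dev/null 2>&1 || true
    cached=$("$AZ_BIN" account list -o tsv --query '[].id' 2>/dev/null)
    [ -n "$cached" ] || return 1
  fi
  # Only now try to resolve the registry itself, the step that raised
  # ResourceNotFound in the traceback above.
  "$AZ_BIN" acr show -n "$registry" -o none >/dev/null 2>&1 || return 2
  return 0
}

# Usage guarding the purge loop from the issue (runs only when REGISTRY is set).
if [ -n "${REGISTRY:-}" ]; then
  rc=0
  check_acr_visible "$REGISTRY" || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "registry $REGISTRY resolvable; safe to run 'az acr run ... acr purge'"
  else
    echo "registry $REGISTRY not resolvable (code $rc); refusing to start purge" >&2
  fi
fi
```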

azure-client-tools-bot-prd[bot] commented 2 months ago

Hi @carlospcastro,

2.45.0 is not the latest Azure CLI (2.61.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

microsoft-github-policy-service[bot] commented 2 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @toddysm, @luisdlp, @northtyphoon.

yonzhan commented 2 months ago

ACR

carlospcastro commented 2 months ago

Hi @yonzhan, is there any reason for removing the bug tag?