Azure / azure-cli

Azure Command-Line Interface
MIT License

`az ad` subcommands broken: User 'xxx' does not exist in MSAL token cache #29331

Closed cloudcosmonaut closed 1 week ago

cloudcosmonaut commented 1 week ago

Describe the bug

It looks like there's something broken between `az ad` and `msal` in the current version.

Although I can find my user info in `~/.azure/msal_token_cache.json`, and according to `az login` I'm logged in (`az account show` lists my subscriptions), the `az ad` part doesn't seem to work anymore.

Related command

`az ad signed-in-user show`

Errors

`User '<>' does not exist in MSAL token cache. Run az login.`

Issue script & Debug output

```
cli.knack.cli: Command arguments: ['ad', 'signed-in-user', 'show', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f465f7fe2a0>, <function OutputProducer.on_global_arguments at 0x7f465f554400>, <function CLIQuery.on_global_arguments at 0x7f465f581ee0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: role 0.002 17 61
cli.azure.cli.core: Total (1) 0.002 17 61
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 17 groups, 61 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : ad signed-in-user show
cli.azure.cli.core: Command table: ad signed-in-user show
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f465e4cf420>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/hindrik/.azure/commands/2024-07-08.14-48-34.ad_signed-in-user_show.407781.log'.
az_command_data_logger: command args: ad signed-in-user show --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f465e51f600>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f465e51f6a0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f465e51f7e0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f465f5544a0>, <function CLIQuery.handle_query_parameter at 0x7f465f581f80>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7f465e51f740>]
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/hindrik/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/hindrik/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183
msal.authority: openid_config("https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
msal.application: get_accounts(username='Hindrik.Bruinsma@xebia.com') finds no account. If tokens were acquired without 'profile' scope, they would contain no username for filtering. Consider calling get_accounts(username=None) instead.
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/azure/cli/core/commands/__init__.py", line 664, in execute
    raise ex
  File "/usr/lib/python3/dist-packages/azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/azure/cli/core/commands/__init__.py", line 723, in _run_job
    return cmd_copy.exception_handler(ex)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/azure/cli/command_modules/role/commands.py", line 51, in graph_err_handler
    raise ex
  File "/usr/lib/python3/dist-packages/azure/cli/core/commands/__init__.py", line 701, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/azure/cli/core/commands/__init__.py", line 334, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/azure/cli/core/commands/command_operation.py", line 363, in handler
    show_exception_handler(ex)
  File "/usr/lib/python3/dist-packages/azure/cli/core/commands/arm.py", line 432, in show_exception_handler
    raise ex
  File "/usr/lib/python3/dist-packages/azure/cli/core/commands/command_operation.py", line 361, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/azure/cli/command_modules/role/custom.py", line 1821, in show_signed_in_user
    result = client.signed_in_user_get()
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 224, in signed_in_user_get
    result = self._send("GET", "/me")
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send
    r = send_raw_request(self._cli_ctx, method, url, resource=self._resource, uri_parameters=param,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/azure/cli/core/util.py", line 983, in send_raw_request
    token_info, _, _ = profile.get_raw_token(resource)
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/azure/cli/core/_profile.py", line 405, in get_raw_token
    credential = self._create_credential(account, tenant)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/azure/cli/core/_profile.py", line 615, in _create_credential
    return identity.get_user_credential(username_or_sp_id)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/azure/cli/core/auth/identity.py", line 232, in get_user_credential
    return UserCredential(self.client_id, username, **self._msal_public_app_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/azure/cli/core/auth/msal_authentication.py", line 58, in __init__
    raise CLIError("User '{}' does not exist in MSAL token cache. Run az login.".format(username))
knack.util.CLIError: User 'Hindrik.Bruinsma@xebia.com' does not exist in MSAL token cache. Run az login.

cli.azure.cli.core.azclierror: User 'Hindrik.Bruinsma@xebia.com' does not exist in MSAL token cache. Run az login.
az_command_data_logger: User 'Hindrik.Bruinsma@xebia.com' does not exist in MSAL token cache. Run az login.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f465e4cf6a0>]
az_command_data_logger: exit code: 1
cli.azure.cli.__main__: Command ran in 0.473 seconds (init: 0.101, invoke: 0.372)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3885 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/bin/python3 /usr/lib/python3/dist-packages/azure/cli/telemetry/__init__.py /home/hindrik/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
```

Expected behavior

Show the logged in user info :D

Environment Summary

```
azure-cli                         2.61.0

core                              2.61.0
telemetry                          1.1.0

Extensions:
azure-devops                       1.0.1

Dependencies:
msal                              1.29.0
azure-mgmt-resource               23.1.1

Python location '/usr/bin/python3'
Extensions directory '/home/hindrik/.azure/cliextensions'
Extensions system directory '/usr/lib/python3/dist-packages/azure-cli-extensions'

Python (Linux) 3.11.9 (main, Apr 10 2024, 13:16:36) [GCC 13.2.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.
```

Additional context

No response

azure-client-tools-bot-prd[bot] commented 1 week ago

Hi @cloudcosmonaut,

This is not the official Azure CLI published by Microsoft.

How to tell if the installed Azure CLI is unofficial:

Please follow https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-linux to install Microsoft official Azure CLI.

If you feel that further discussion is needed, please add a comment with the text /clibot unresolve to reopen the issue.

yonzhan commented 1 week ago

Thank you for opening this issue, we will look into it.

cloudcosmonaut commented 1 week ago

/clibot unresolve

cloudcosmonaut commented 1 week ago

I installed the azure-cli just as described

cloudcosmonaut commented 1 week ago

When downgrading to 2.60.0 it seems to work, so some degradation happened in between

jiasli commented 1 week ago

`/usr/lib/python3/dist-packages` is not the official Azure CLI's installation location `/opt/az/lib/python3.11/site-packages`. Please follow https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt to install the official package and try again.

cloudcosmonaut commented 1 week ago

Hmm, I did install it using `curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash`. So I don't understand why it got installed in the wrong location. After completely removing az cli and the source it got installed with, and reinstalling it again, it seemed to be fixed. Could it be a difference in Linux distro? I use Debian, could there have been a diff in dependencies or something?

Thanks anyway!

Cheers, Hindrik

jiasli commented 1 week ago

Which Debian version are you using? You may check with `cat /etc/os-release`, and it shows something like:

```
$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
```

I guess you simply ran `apt install azure-cli`, which installed the unofficial Azure CLI, such as https://packages.debian.org/unstable/azure-cli

cloudcosmonaut commented 1 week ago

I do see the azure-cli package is available in multiple sources: image

This is the output of os-release: image
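
The two checks discussed in this thread (module path and package source) can be scripted; the following is an added example, not part of the original thread and not Azure CLI project code. The function names and the sample `apt-cache policy` text are constructed, and `https://packages.microsoft.com/repos/azure-cli` is assumed as the Microsoft apt repository, which this page does not quote.

```bash
#!/bin/sh
# Added example: tell a distro-built azure-cli from the Microsoft package.
# Classify by module path (the two paths quoted in the thread); stdin is
# the text of `az --version` or of a `--debug` traceback.
classify_az_paths() (
  text=$(cat); opt=0; dist=0
  case "$text" in */opt/az/*) opt=1 ;; esac
  case "$text" in */usr/lib/python3/dist-packages/*) dist=1 ;; esac
  case "$opt$dist" in
    10) echo official ;;
    01) echo distro ;;
    11) echo mixed ;;      # both trees referenced: two installs on one host
    *)  echo unknown ;;
  esac
)

# Print the repository URLs behind the installed version (the "***" entry)
# of `apt-cache policy azure-cli` output read from stdin.
installed_sources() {
  awk '
    /^ \*\*\* /            { cur = 1; next }  # installed version header
    /^     [^ ]/           { cur = 0; next }  # header of another version
    cur && $2 ~ /^https?:/ { print $2 }       # "<priority> <url> <suite> ..."
  '
}

# Name the origin of the installed package.
package_origin() (
  src=$(installed_sources)
  case "$src" in
    '')                           echo no-repo ;;
    *//packages.microsoft.com/*)  echo microsoft ;;
    *)                            echo other ;;
  esac
)

# Constructed sample input (package revisions and priorities are made up).
SAMPLE_POLICY='azure-cli:
  Installed: 2.61.0-2
  Candidate: 2.61.0-2
  Version table:
 *** 2.61.0-2 500
        500 http://deb.debian.org/debian unstable/main amd64 Packages
        100 /var/lib/dpkg/status
     2.60.0-1~bookworm 500
        500 https://packages.microsoft.com/repos/azure-cli bookworm/main amd64 Packages'
# Lines copied from the Environment Summary in the issue.
SAMPLE_VERSION="Python location '/usr/bin/python3'
Extensions system directory '/usr/lib/python3/dist-packages/azure-cli-extensions'"
printf '%s\n' "$SAMPLE_VERSION" | classify_az_paths   # distro
printf '%s\n' "$SAMPLE_POLICY"  | package_origin      # other
```

On a live host, pipe `az --version 2>/dev/null` into `classify_az_paths` and `apt-cache policy azure-cli` into `package_origin`.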