Azure / azure-cli

Azure Command-Line Interface
MIT License

Login with WAM + no more silent authentication failures cause Terraform errors #29396

Open SvenAelterman opened 1 month ago

SvenAelterman commented 1 month ago

Describe the bug

The new WAM-based login (possibly combined with the now no longer silent authentication failures) seems to cause issues with Terraform.

When running a Terraform plan, the output is like the error below (just a snip of much more of this).

When reverting back to the non-WAM login broker, as documented at https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-interactively#sign-in-with-web-account-manager-wam-on-windows, everything works as before.

Also, when using az login --use-device-code, everything works like before.

Related command

terraform plan

Errors

│ Error: building account: could not acquire access token to parse claims: running Azure CLI: exit status 1: ERROR: (pii). Status: Response_Status.Status_InteractionRequired, Error code: 3399548929, Tag: 558133255
│ Please explicitly log in with:
│ az login --scope https://graph.microsoft.com/.default
│
│   with provider["registry.terraform.io/hashicorp/azurerm"].management,
│   on terraform.tf line 27, in provider "azurerm":
│   27: provider "azurerm" {

Issue script & Debug output

N/A

Expected behavior

Previous behavior

Environment Summary

azure-cli 2.62.0

core 2.62.0 telemetry 1.1.0

Extensions: azure-firewall 1.0.1

Dependencies: msal 1.28.1 azure-mgmt-resource 23.1.1

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe' Extensions directory 'C:\Users\svaelter.azure\cliextensions'

Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb 6 2024, 22:03:32) [MSC v.1937 64 bit (AMD64)]

Additional context

No response

yonzhan commented 1 month ago

Thank you for opening this issue, we will look into it.

jiasli commented 1 month ago

To help us understand what is going on, could you give more information on "no longer silent authentication failures"? What is the failure message? How to reproduce this failure?

SvenAelterman commented 1 month ago

To help us understand what is going on, could you give more information on "no longer silent authentication failures"? What is the failure message? How to reproduce this failure?

The failure message is included under the Errors heading in the issue.

To replicate:

  1. Clear the az account information
  2. Sign in again (using WAM, with at least AZ CLI v 2.61).
  3. Run terraform plan.
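The three repro steps above boil down to "can az hand out a token for each scope without prompting?", which is what the azurerm provider asks of the CLI during terraform plan. As an added example (not code from the azure-cli project or from anyone in this thread), the POSIX shell script below asks az for a token per scope with `az account get-access-token --scope` and classifies the failure the same way the error in the issue reads, so the InteractionRequired condition shows up before Terraform does. The list of scopes is an assumption (the issue only names the Microsoft Graph scope; the ARM scope is added because the failing provider block is `.management`), the helper names are mine, and the sample error text is copied from the issue for the offline checks.

```shell
#!/usr/bin/env sh
# Added example: pre-flight token check for the az CLI session Terraform will use.
# Not part of azure-cli or of this issue; scope list and helper names are assumptions.

# Assumed scopes: Graph is taken from the issue's error, ARM from the azurerm provider.
SCOPES="https://management.azure.com/.default https://graph.microsoft.com/.default"

# Sample az error output, copied from the issue (used only by the offline checks).
SAMPLE_ERROR='ERROR: (pii). Status: Response_Status.Status_InteractionRequired, Error code: 3399548929, Tag: 558133255
Please explicitly log in with:
az login --scope https://graph.microsoft.com/.default'

# Returns 0 when the error text is the InteractionRequired failure from the issue,
# i.e. the broker could not refresh silently and wants an interactive login.
is_interaction_required() {
  case "$1" in
    *Status_InteractionRequired*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pulls the scope out of the "az login --scope ..." hint az prints after that failure.
# Prints an empty string when the text carries no such hint.
suggested_scope() {
  printf '%s\n' "$1" | sed -n 's/.*az login --scope \([^ ]*\).*/\1/p' | head -n 1
}

# Tries a silent token acquisition per scope. Prints one status line per scope and
# returns the number of scopes that still need an interactive login.
check_scopes() {
  failures=0
  for scope in $SCOPES; do
    # stderr is captured (that is where az writes the error), stdout is discarded
    if err=$(az account get-access-token --scope "$scope" --output none 2>&1 >/dev/null); then
      echo "ok   $scope"
    else
      failures=$((failures + 1))
      if is_interaction_required "$err"; then
        echo "NEED az login --scope $(suggested_scope "$err")"
      else
        echo "FAIL $scope: $err"
      fi
    fi
  done
  return "$failures"
}

# Only talk to az when explicitly asked, so the helpers can be sourced offline.
if [ "${1:-}" = "--run" ]; then
  check_scopes
fi
```

Run it as `sh check_scopes.sh --run` after the plain `az login` from step 2; every line that starts with NEED is a scope that would otherwise surface as the Terraform error in the issue, and the exit status is the count of such scopes, which makes it usable as a gate in a wrapper around terraform plan.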

jiasli commented 1 month ago

Sign in again (using WAM, with at least AZ CLI v 2.61).

What is the command you used?

Have you tried running az login --scope https://graph.microsoft.com/.default as the error message instructed?

SvenAelterman commented 1 month ago

What is the command you used?

Simple az login, as before 2.61+.

Running the login command with a particular scope doesn't solve the issue, as then there's a next scope that needs to be included, and the next one. Eventually you get them all, of course, and then you can deploy TF successfully.

Are you suggesting that in addition to the other changes in 2.61 (which I thought were the root cause of the issue), the login process is different in that it now requires specifying any scope you want to use?

If so, what does az login --use-device-code do differently (as it still works)? Why does reverting to the old login method (not using WAM) still work?

Edit: I think the major difference might be found in the release note that states that silent authentication failures are no longer silent. The error message would seem to point at that. I am not sure why turning off WAM solves it, of course, as I haven't looked at the underlying mechanisms that would be different.

SvenAelterman commented 1 month ago

@jiasli Any thoughts? Thanks!