Azure / azure-cli

Azure Command-Line Interface
MIT License

Failed to connect to MSI to create service principal #29712

Open sylvia-zzy opened 3 months ago

sylvia-zzy commented 3 months ago

Describe the bug

I am following a lab in MS Learn https://microsoftlearning.github.io/mslearn-ai-services/Instructions/Exercises/02-ai-services-security.html#secure-key-access-with-azure-key-vault.

The part creating the service principal stopped me.

Related command

az ad sp create-for-rbac -n "api://" --role owner --scopes subscriptions//resourceGroups/

Errors

Failed to connect to MSI. Please make sure MSI is configured correctly. Get Token request returned: <Response [400]>

Issue script & Debug output

cli.knack.cli: Command arguments: ['ad', 'sp', 'create-for-rbac', '-n', 'api://ai-app', '--role', 'owner', '--scopes', 'subscriptions/c46ffa71-c974-4749-a21a-f9ce60c39b67/resourceGroups/AItest', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7fbce3086160>, <function OutputProducer.on_global_arguments at 0x7fbce2fa0d30>, <function CLIQuery.on_global_arguments at 0x7fbce2f37310>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: role                      0.004        17        61
cli.azure.cli.core: Total (1)                 0.004        17        61
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: ai-examples               0.114         1         1  /usr/lib/python3.9/site-packages/azure-cli-extensions/ai-examples
cli.azure.cli.core: Total (1)                 0.114         1         1
cli.azure.cli.core: Loaded 18 groups, 62 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : ad sp create-for-rbac
cli.azure.cli.core: Command table: ad sp create
cli.azure.cli.core: remaining    : for-rbac
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7fbce23e7820>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/sylvia/.azure/commands/2024-08-13.15-48-37.ad_sp_create-for-rbac.6754.log'.
az_command_data_logger: command args: ad sp create-for-rbac -n {} --role {} --scopes {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7fbce238f430>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7fbce23b5430>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7fbce235b310>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7fbce2fa0dc0>, <function CLIQuery.handle_query_parameter at 0x7fbce2f373a0>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7fbce235b280>]
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
urllib3.connectionpool: Starting new HTTP connection (1): localhost:50342
urllib3.connectionpool: http://localhost:50342 "POST /oauth2/token HTTP/1.1" 400 126
msrestazure.azure_active_directory: MSI: Retrieving a token from http://localhost:50342/oauth2/token, with payload {'resource': 'https://graph.microsoft.com/'}
msrestazure.azure_active_directory: MSI: Failed to retrieve a token from 'http://localhost:50342/oauth2/token' with an error of '400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token'. This could be caused by the MSI extension not yet fully provisioned.
cli.azure.cli.core.auth.adal_authentication: throw requests.exceptions.HTTPError when doing MSIAuthentication:
Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/auth/adal_authentication.py", line 75, in set_token
    super().set_token()
  File "/usr/lib64/az/lib/python3.9/site-packages/msrestazure/azure_active_directory.py", line 598, in set_token
    self.scheme, _, self.token = get_msi_token(self.resource, self.port, self.msi_conf)
  File "/usr/lib64/az/lib/python3.9/site-packages/msrestazure/azure_active_directory.py", line 486, in get_msi_token
    result.raise_for_status()
  File "/usr/lib64/az/lib/python3.9/site-packages/requests/models.py", line 1024, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token

cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/auth/adal_authentication.py", line 75, in set_token
    super().set_token()
  File "/usr/lib64/az/lib/python3.9/site-packages/msrestazure/azure_active_directory.py", line 598, in set_token
    self.scheme, _, self.token = get_msi_token(self.resource, self.port, self.msi_conf)
  File "/usr/lib64/az/lib/python3.9/site-packages/msrestazure/azure_active_directory.py", line 486, in get_msi_token
    result.raise_for_status()
  File "/usr/lib64/az/lib/python3.9/site-packages/requests/models.py", line 1024, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/auth/adal_authentication.py", line 87, in set_token
    .format(err.response.status, err.response.reason))
AttributeError: 'Response' object has no attribute 'status'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.9/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 664, in execute
    raise ex
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 723, in _run_job
    return cmd_copy.exception_handler(ex)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/role/commands.py", line 51, in graph_err_handler
    raise ex
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 701, in _run_job
    result = cmd_copy(params)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 334, in __call__
    return self.handler(*args, **kwargs)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/role/custom.py", line 1174, in create_service_principal_for_rbac
    existing_sps = list(graph_client.service_principal_list(filter=query_exp))
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 179, in service_principal_list
    result = self._send("GET", "/servicePrincipals" + _filter_to_query(filter))
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send
    r = send_raw_request(self._cli_ctx, method, url, resource=self._resource, uri_parameters=param,
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/util.py", line 983, in send_raw_request
    token_info, _, _ = profile.get_raw_token(resource)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/_profile.py", line 401, in get_raw_token
    msi_creds = MsiAccountTypes.msi_auth_factory(MsiAccountTypes.system_assigned, identity_id,
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/_profile.py", line 734, in msi_auth_factory
    return MSIAuthenticationWrapper(resource=resource)
  File "/usr/lib64/az/lib/python3.9/site-packages/msrestazure/azure_active_directory.py", line 592, in __init__
    self.set_token()
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/auth/adal_authentication.py", line 89, in set_token
    raise AzureResponseError('Failed to connect to MSI. Please make sure MSI is configured correctly.\n'
azure.cli.core.azclierror.AzureResponseError: Failed to connect to MSI. Please make sure MSI is configured correctly. Get Token request returned: <Response [400]>

cli.azure.cli.core.azclierror: Failed to connect to MSI. Please make sure MSI is configured correctly. Get Token request returned: <Response [400]>
az_command_data_logger: Failed to connect to MSI. Please make sure MSI is configured correctly. Get Token request returned: <Response [400]>
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7fbce23e7a60>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 40.375 seconds (init: 0.104, invoke: 40.271)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4045 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/bin/python3.9 /usr/lib/az/lib/python3.9/site-packages/azure/cli/telemetry/__init__.py /home/sylvia/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

Output of the code should be something like

{
    "appId": "abcd12345efghi67890jklmn",
    "displayName": "api://ai-app-",
    "password": "1a2b3c4d5e6f7g8h9i0j",
    "tenant": "1234abcd5678fghi90jklm"
}

Environment Summary

{
    "azure-cli": "2.62.0",
    "azure-cli-core": "2.62.0",
    "azure-cli-telemetry": "1.1.0",
    "extensions": {
        "ai-examples": "0.2.5",
        "ml": "2.28.0",
        "ssh": "2.0.5"
    }
}

Additional context

Previous issues suggested I might use az login, but I had already logged in via the browser when opening Azure Cloud Shell PowerShell. The following command and its output indicated a successful login.

az account show
{
    "environmentName": "AzureCloud",
    "homeTenantId": "5b973f99-77df-4beb-b27d-aa0c70b8482c",
    "id": "c46ffa71-c974-4749-a21a-f9ce60c39b67",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Visual Studio Professional Subscription - Tim",
    "state": "Enabled",
    "tenantId": "5b973f99-77df-4beb-b27d-aa0c70b8482c",
    "user": {
        "cloudShellID": true,
        "name": "Sylvia.ZY.Zhu@hk.ey.com",
        "type": "user"
    }
}

The following command and its output were not able to let me re-login, because the company's policy does not allow that.

az login
Cloud Shell is automatically authenticated under the initial account signed-in with. Run 'az login' only if you need to use a different account
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code S76HWXNWM to authenticate.

Additionally, even in the lab in MS Learn, I am not able to log in to Azure. It directs me to the following page with the URL "Login failed".

image
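The failing exchange in the debug output above (a POST of resource=https://graph.microsoft.com/ to the MSI token endpoint, answered with 400, then masked by the CLI reading a non-existent err.response.status), reproduced offline as an added example that is not part of the issue or of azure-cli. The stub server, its port and its JSON error body are constructed stand-ins for the Cloud Shell endpoint at localhost:50342; the client shows what a handler that surfaces the real status looks like.

```python
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class StubMsiHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the Cloud Shell MSI endpoint (the real one listens
    on localhost:50342): every token request is answered with HTTP 400."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drop form body
        body = json.dumps({"error": "invalid_request"}).encode()
        self.send_response(400, "Bad Request")
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request stderr logging
        pass

def start_stub_server():
    server = HTTPServer(("127.0.0.1", 0), StubMsiHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def get_msi_token(endpoint, resource):
    """Same exchange msrestazure performs: POST resource=<audience> to the MSI endpoint.
    On failure report status, reason and body. The CLI read err.response.status, which a
    requests.Response lacks (.status_code), so the 400 was hidden behind an AttributeError."""
    data = urllib.parse.urlencode({"resource": resource}).encode()
    req = urllib.request.Request(endpoint, data=data)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return {"ok": True, "token": json.load(resp).get("access_token")}
    except urllib.error.HTTPError as err:
        return {"ok": False, "status": err.code, "reason": err.reason,
                "body": err.read().decode(errors="replace"), "url": endpoint}

def reproduce():
    """Run the constructed 400 scenario end to end and return the diagnostic dict."""
    server = start_stub_server()
    try:
        url = "http://127.0.0.1:%d/oauth2/token" % server.server_address[1]
        return get_msi_token(url, "https://graph.microsoft.com/")
    finally:
        server.shutdown()
        server.server_close()
```

Calling reproduce() returns the status, reason phrase and response body of the 400, which is the information the CLI's message "Get Token request returned: <Response [400]>" drops.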

azure-client-tools-bot-prd[bot] commented 3 months ago

Hi @sylvia-zzy,

2.62.0 is not the latest Azure CLI (2.63.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

yonzhan commented 3 months ago

Thank you for opening this issue, we will look into it.

jiasli commented 3 months ago

The requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token error could be related to https://github.com/Azure/azure-cli/issues/11749. I will contact Cloud Shell team internally.

As for the access_denied, @rayluo, are you aware of this failure which doesn't have error_description or error_uri?

rayluo commented 3 months ago

Additionally, even in the lab in MS Learn, I am not able to login Azure. It direct me to the following page with url "Login failed" http://localhost:50120/?error=access_denied&error_subcode=cancel&state=TlfchDPFkwdVXqmA)

As for the access_denied, @rayluo, are you aware of this failure which doesn't have error_description or error_uri?

Not sure. Better have a repro before we can investigate.