search

Azure / azure-devops-cli-extension

Azure DevOps Extension for Azure CLI
https://docs.microsoft.com/en-us/cli/azure/ext/azure-devops/?view=azure-cli-latest
MIT License
618 stars 240 forks source link

Logging in to the Azure CLI does not provide access to `az devops` commands as expected #1258

Open mdekrey opened 2 years ago

mdekrey commented 2 years ago

Logging in to the Azure CLI does not provide access to az devops commands as expected

Command Name az devops project list (Extension Name: azure-devops. Version: 0.23.0.)

Errors:

Before you can run Azure DevOps commands, you need to run the login command(az login if using AAD/MSA identity else az devops login if using PAT token) to setup credentials.  Please see https://aka.ms/azure-devops-cli-auth for more information.

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

Expected Behavior

A list of projects in my devops organizations should be presented.

Environment Summary

Windows-10-10.0.22000-SP0
Python 3.8.9
Installer: MSI

azure-cli 2.34.1

Extensions:
azure-devops 0.23.0

Dependencies:
msal 1.16.0
azure-mgmt-resource 20.0.0

Additional Context

The link in the error message does not provide further information on using az login for using AAD/MSA identity.

jikuja commented 2 years ago

I've had similar issues.

One cause for this is https://github.com/Azure/azure-devops-cli-extension/blob/master/azure-devops/azext_devops/dev/common/services.py#L165 hiding issues with token fetch. Exceptions are logged only with debug level.

Other minor issue with the selection of default subscription. The code does not work ATM at all. PR coming soon.

tharwan commented 1 year ago

any workaround for this?

jikuja commented 1 year ago

If i remember correctly using az login --tenant <guid> should fix most of the issues:

Extension tries tenant of the selected subscription first. That should decrease the amount of login issues. Sadly that feature does not work and looks like nobody works with PRs. Might be better using other tools for scripting.

other work: ticket about the state of the tooling: https://developercommunity.visualstudio.com/t/The-current-state-and-the-future-of-Az-C/10145300

Alternative tools:

v-soujanya commented 1 year ago

Hi @mdekrey, Please find the below analysis for az login and az devops project list

  1. az login : it will check for active subscriptions on portal.azure.com for your tenant. if you don't have the subscriptions / subscriptions expired, you need to provide PAT token to run the az devops commands. (az devops login)
  2. az devops project list : Please provide PAT token then you can see the project list.
tharwan commented 1 year ago

If i remember correctly using az login --tenant <guid> should fix most of the issues:

  • makes sure you are have tokens for tenant you want to use
  • goes through MFA if needed

Extension tries tenant of the selected subscription first. That should decrease the amount of login issues. Sadly that feature does not work and looks like nobody works with PRs. Might be better using other tools for scripting.

other work: ticket about the state of the tooling: https://developercommunity.visualstudio.com/t/The-current-state-and-the-future-of-Az-C/10145300

Alternative tools:

does not work for me

jikuja commented 1 year ago

Hi @mdekrey, Please find the below analysis for az login and az devops project list

  1. az login : it will check for active subscriptions on portal.azure.com for your tenant. if you don't have the subscriptions / subscriptions expired, you need to provide PAT token to run the az devops commands. (az devops login)
  2. az devops project list : Please provide PAT token then you can see the project list.

Not really true

  1. AZ CLI does not use Azure portal
  2. AZ ADO extension (does/)should not use subscription information by default a. Subscription information is only used if e.g. adding service connection to subscription
  3. Azure Devops can be used without subscriptions a. That kind of limitation would not make any sense. It would block all workload that are not specific for Azure workloads b. az login --allow-no-subscriptions - this will create dummy subscription on AZ CLI internal data structures

Current AAD token authentication in this extension is really buggy by hiding information and error from user and should be rewritten. (Issue describing the problems coming soon)

v-soujanya commented 1 year ago

@mdekrey, we recently started working on the CLI service and we have checked the code if you have Azure active Directory/Microsoft account (AAD/MSA) you can see the "az devops project list" output by using "az login" otherwise you need to use "az devops login" (provide PAT) to see the "az devops project list".

tharwan commented 1 year ago

fixed for me in the current version

ceciliasharp commented 1 year ago

Updating Azure CLI fixes the problem. Run: "az upgrade"

jikuja commented 1 year ago

Updating Azure CLI fixes the problem. Run: "az upgrade"

Which version you updated from?

0.22.0 has some fixes but it was released over years ago.

Extension authentication is buggy(1)(2) and badly documented:

(1) https://github.com/Azure/azure-devops-cli-extension/commit/b3d0392d597a2eae5229e96059359d00fbb2e222 no new release after the commit (2) https://github.com/Azure/azure-devops-cli-extension/issues/1298

ceciliasharp commented 1 year ago

Updating Azure CLI fixes the problem. Run: "az upgrade"

Which version you updated from?

0.22.0 has some fixes but it was released over years ago.

Extension authentication is buggy(1)(2) and badly documented:

  • does not mention you need to use az login --tenant <guid> with B2B guest accounts
  • does not mention that running az account set -n <subscription> would make auth process faster and increases possibility that authentication will actually work: requires release with b3d0392

(1) b3d0392 no new release after the commit (2) #1298

I'm sorry but that information is gone... But I'm guessing that I have been running on the same version for some years now. But did now setup the option of auto-upgrade that the upgrade hinted about so now I will stay up-to-date :-)