Azure / azure-powershell

Microsoft Azure PowerShell

Connect-AzAccount -Identity send invalid request when environment variables for Workload Identity are set #22213

Open J0F3 opened 1 year ago

J0F3 commented 1 year ago

Description

When running Connect-AzAccount -Identity on a host where the environment variables for Workload Identity are set (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE and AZURE_AUTHORITY_HOST env variables), the login fails with: ClientAssertionCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter.

It seems that during the login the Workload Identity environment variables get detected and Connect-AzAccount unintentionally tries to log in with WorkloadIdentityCredential / FederatedToken despite -Identity being specified.

I think this is a bug. I see two variants of how this could be fixed:

  1. Connect-AzAccount stays with the Managed Identity login by still requesting the access token from the IMDS (aka http://169.254.169.254/metadata/identity/oauth2/token) despite the existence of the env variables. This is probably the behavior one would expect when specifying the -Identity parameter.
  2. The login is made automatically with WorkloadIdentityCredential when the env variables are set (which currently seems to be happening). But in this case the POST request made by Connect-AzAccount to "https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/token" must be fixed so the login actually works.

Issue script & Debug output

Connect-AzAccount -Identity

DEBUG: Initializing ConditionalAssemblyContext. PSEdition is [Core]. PSVersion is [7.3.4].
DEBUG: Initializing ConditionalAssemblyProvider. AssemblyRootPath is [/usr/local/share/powershell/Modules/Az.Accounts/2.12.3/StartupScripts/../lib].
DEBUG: Registering Az shared AssemblyLoadContext.
DEBUG: AssemblyLoadContext registered.
DEBUG: Got version 0 of Az
DEBUG: Got version 0 of Az.Accounts
DEBUG: 16:01:31 - ConnectAzureRmAccountCommand begin processing with ParameterSet 'ManagedServiceLogin'.
DEBUG: 16:01:31 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 16:01:31 - [ConfigManager] Got nothing from [DefaultSubscriptionForLogin], Module = [], Cmdlet = []. Returning default value [].
DEBUG: 16:01:31 - Autosave setting from startup session: 'CurrentUser'
DEBUG: 16:01:31 - No autosave setting detected in environment variable 'AzContextAutoSave'. 
DEBUG: 16:01:31 - Using Autosave scope 'CurrentUser'
DEBUG: 16:01:31 - [ManagedServiceIdentityAuthenticator] Calling ManagedIdentityCredential.GetTokenAsync - TenantId:'organizations', Scopes:'https://management.core.windows.net/', UserId:''
DEBUG: ManagedIdentityCredential.GetToken invoked. Scopes: [ https://management.core.windows.net/ ] ParentRequestId: 
DEBUG: ClientAssertionCredential.GetToken invoked. Scopes: [ https://management.core.windows.net/ ] ParentRequestId: 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] MSAL MSAL.NetCore with assembly version '4.49.1.0'. CorrelationId(d7c8e151-1a70-4b32-a176-0e43cb4e9573)
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] === AcquireTokenForClientParameters ===
SendX5C: False
ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] 
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net/
Extra Query Params Keys (space separated) - 
ApiId - AcquireTokenForClient
IsConfidentialClient - True
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - d7c8e151-1a70-4b32-a176-0e43cb4e9573
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured: 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] === Token Acquisition (ClientCredentialRequest) started:
     Scopes: https://management.core.windows.net/
    Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] [Instance Discovery] Instance discovery is enabled and will be performed
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] Fetching instance discovery from the network from host login.microsoftonline.com. 
DEBUG: Request [89edea45-c40d-4567-88aa-a50f8ae08268] GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=REDACTED
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-OS:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
x-ms-client-request-id:89edea45-c40d-4567-88aa-a50f8ae08268
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.6.1 (.NET 7.0.5; Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023)
client assembly: Azure.Identity
DEBUG: Response [89edea45-c40d-4567-88aa-a50f8ae08268] 200 OK (00.2s)
Cache-Control:max-age=86400, private
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Access-Control-Allow-Origin:REDACTED
Access-Control-Allow-Methods:REDACTED
P3P:REDACTED
client-request-id:REDACTED
x-ms-request-id:57ef068d-1fac-46c0-a2b5-b2d16aa22b00
x-ms-ests-server:REDACTED
X-XSS-Protection:REDACTED
Set-Cookie:REDACTED
Date:Fri, 30 Jun 2023 16:01:31 GMT
Content-Type:application/json; charset=utf-8
Content-Length:980
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] Authority validation enabled? True. 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] Authority validation - is known env? True. 
DEBUG: Request [ad474182-1bc7-4222-a9dc-7413a4980088] POST https://login.microsoftonline.com/af7227b1-ac3a-4487-9e9f-ba462bb409d4/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-OS:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-PKeyAuth:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
Content-Type:application/x-www-form-urlencoded
x-ms-client-request-id:ad474182-1bc7-4222-a9dc-7413a4980088
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.6.1 (.NET 7.0.5; Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023)
client assembly: Azure.Identity
DEBUG: Error response [ad474182-1bc7-4222-a9dc-7413a4980088] 400 Bad Request (00.0s)
Cache-Control:no-store, no-cache
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
P3P:REDACTED
client-request-id:REDACTED
x-ms-request-id:6876ec3d-4a33-4003-9af7-ae0a4dc32400
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
X-XSS-Protection:REDACTED
Set-Cookie:REDACTED
Date:Fri, 30 Jun 2023 16:01:31 GMT
Content-Type:application/json; charset=utf-8
Expires:-1
Content-Length:551
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] Response status code does not indicate success: 400 (BadRequest). 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] Request retry failed.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] HttpStatusCode: 400: BadRequest
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] === Token Acquisition (1004) failed.
    Host: login.microsoftonline.com.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] Exception type: Microsoft.Identity.Client.MsalServiceException
, ErrorCode: invalid_scope
HTTP StatusCode 400
CorrelationId d7c8e151-1a70-4b32-a176-0e43cb4e9573
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] Fetching a new AT failed. Is exception retry-able? False. Is there an AT in the cache that is usable? False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] Either the exception does not indicate a problem with AAD or the token cache does not have an AT that is usable. 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.5 Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023 [2023-06-30 16:01:32Z - d7c8e151-1a70-4b32-a176-0e43cb4e9573] Exception type: Microsoft.Identity.Client.MsalServiceException
, ErrorCode: invalid_scope
HTTP StatusCode 400
CorrelationId d7c8e151-1a70-4b32-a176-0e43cb4e9573
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.HandleTokenRefreshErrorAsync(MsalServiceException e, MsalAccessTokenCacheItem cachedAccessTokenItem)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
DEBUG: ClientAssertionCredential.GetToken was unable to retrieve an access token. Scopes: [ https://management.core.windows.net/ ] ParentRequestId:  Exception: Azure.Identity.AuthenticationFailedException (0x80131500): ClientAssertionCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://management.core.windows.net/ is not valid.
Trace ID: 6876ec3d-4a33-4003-9af7-ae0a4dc32400
Correlation ID: d7c8e151-1a70-4b32-a176-0e43cb4e9573
Timestamp: 2023-06-30 16:01:32Z
 ---> Microsoft.Identity.Client.MsalServiceException (0x80131500): AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://management.core.windows.net/ is not valid.
Trace ID: 6876ec3d-4a33-4003-9af7-ae0a4dc32400
Correlation ID: d7c8e151-1a70-4b32-a176-0e43cb4e9573
Timestamp: 2023-06-30 16:01:32Z
DEBUG: ManagedIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ https://management.core.windows.net/ ] ParentRequestId:  Exception: Azure.Identity.AuthenticationFailedException (0x80131500): ClientAssertionCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://management.core.windows.net/ is not valid.
Trace ID: 6876ec3d-4a33-4003-9af7-ae0a4dc32400
Correlation ID: d7c8e151-1a70-4b32-a176-0e43cb4e9573
Timestamp: 2023-06-30 16:01:32Z
 ---> Microsoft.Identity.Client.MsalServiceException (0x80131500): AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://management.core.windows.net/ is not valid.
Trace ID: 6876ec3d-4a33-4003-9af7-ae0a4dc32400
Correlation ID: d7c8e151-1a70-4b32-a176-0e43cb4e9573
Timestamp: 2023-06-30 16:01:32Z
WARNING: Unable to acquire token for tenant 'organizations' with error 'ClientAssertionCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://management.core.windows.net/ is not valid.
Trace ID: 6876ec3d-4a33-4003-9af7-ae0a4dc32400
Correlation ID: d7c8e151-1a70-4b32-a176-0e43cb4e9573
Timestamp: 2023-06-30 16:01:32Z'
DEBUG: 16:01:32 - Unable to acquire token for tenant 'organizations' with error 'Azure.Identity.AuthenticationFailedException: ClientAssertionCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://management.core.windows.net/ is not valid.
Trace ID: 6876ec3d-4a33-4003-9af7-ae0a4dc32400
Correlation ID: d7c8e151-1a70-4b32-a176-0e43cb4e9573
Timestamp: 2023-06-30 16:01:32Z
 ---> MSAL.NetCore.4.49.1.0.MsalServiceException: 
    ErrorCode: invalid_scope
Microsoft.Identity.Client.MsalServiceException: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://management.core.windows.net/ is not valid.
Trace ID: 6876ec3d-4a33-4003-9af7-ae0a4dc32400
Correlation ID: d7c8e151-1a70-4b32-a176-0e43cb4e9573
Timestamp: 2023-06-30 16:01:32Z
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.HandleTokenRefreshErrorAsync(MsalServiceException e, MsalAccessTokenCacheItem cachedAccessTokenItem)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken)
   at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder`1 builder, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientCoreAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.ClientAssertionCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
    StatusCode: 400 
    ResponseBody: {"error":"invalid_scope","error_description":"AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://management.core.windows.net/ is not valid.\r\nTrace ID: 6876ec3d-4a33-4003-9af7-ae0a4dc32400\r\nCorrelation ID: d7c8e151-1a70-4b32-a176-0e43cb4e9573\r\nTimestamp: 2023-06-30 16:01:32Z","error_codes":[70011],"timestamp":"2023-06-30 16:01:32Z","trace_id":"6876ec3d-4a33-4003-9af7-ae0a4dc32400","correlation_id":"d7c8e151-1a70-4b32-a176-0e43cb4e9573"} 
    Headers: Cache-Control: no-store, no-cache
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
client-request-id: d7c8e151-1a70-4b32-a176-0e43cb4e9573
x-ms-request-id: 6876ec3d-4a33-4003-9af7-ae0a4dc32400
x-ms-ests-server: 2.1.15723.3 - NEULR1 ProdSlices
x-ms-clitelem: 1,70011,0,,
X-XSS-Protection: 0
Set-Cookie: fpc=AlAZ2br5N9dGr-vy0Jc7UMY; expires=Sun, 30-Jul-2023 16:01:32 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Date: Fri, 30 Jun 2023 16:01:31 GMT
   --- End of inner exception stack trace ---
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
   at Azure.Identity.ClientAssertionCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.TokenExchangeManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Microsoft.Azure.PowerShell.Authenticators.MsalAccessTokenAcquirer.GetAccessTokenAsync(String callerClassName, String parametersLog, TokenCredential tokenCredential, TokenRequestContext requestContext, CancellationToken cancellationToken, String tenantId, String userId, String homeAccountId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.AcquireAccessToken(IAzureAccount account, IAzureEnvironment environment, String tenantId, SecureString password, String promptBehavior, Action`1 promptAction, String resourceId)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.ListAccountTenants(IAzureAccount account, IAzureEnvironment environment, SecureString password, String promptBehavior, Action`1 promptAction)'
DEBUG: Azure.Identity.AuthenticationFailedException: ClientAssertionCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://management.core.windows.net/ is not valid.
Trace ID: 6876ec3d-4a33-4003-9af7-ae0a4dc32400
Correlation ID: d7c8e151-1a70-4b32-a176-0e43cb4e9573
Timestamp: 2023-06-30 16:01:32Z
 ---> MSAL.NetCore.4.49.1.0.MsalServiceException: 
    ErrorCode: invalid_scope
Microsoft.Identity.Client.MsalServiceException: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://management.core.windows.net/ is not valid.
Trace ID: 6876ec3d-4a33-4003-9af7-ae0a4dc32400
Correlation ID: d7c8e151-1a70-4b32-a176-0e43cb4e9573
Timestamp: 2023-06-30 16:01:32Z
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.HandleTokenRefreshErrorAsync(MsalServiceException e, MsalAccessTokenCacheItem cachedAccessTokenItem)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken)
   at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder`1 builder, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientCoreAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.ClientAssertionCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
    StatusCode: 400 
    ResponseBody: {"error":"invalid_scope","error_description":"AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://management.core.windows.net/ is not valid.\r\nTrace ID: 6876ec3d-4a33-4003-9af7-ae0a4dc32400\r\nCorrelation ID: d7c8e151-1a70-4b32-a176-0e43cb4e9573\r\nTimestamp: 2023-06-30 16:01:32Z","error_codes":[70011],"timestamp":"2023-06-30 16:01:32Z","trace_id":"6876ec3d-4a33-4003-9af7-ae0a4dc32400","correlation_id":"d7c8e151-1a70-4b32-a176-0e43cb4e9573"} 
    Headers: Cache-Control: no-store, no-cache
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
client-request-id: d7c8e151-1a70-4b32-a176-0e43cb4e9573
x-ms-request-id: 6876ec3d-4a33-4003-9af7-ae0a4dc32400
x-ms-ests-server: 2.1.15723.3 - NEULR1 ProdSlices
x-ms-clitelem: 1,70011,0,,
X-XSS-Protection: 0
Set-Cookie: fpc=AlAZ2br5N9dGr-vy0Jc7UMY; expires=Sun, 30-Jul-2023 16:01:32 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Date: Fri, 30 Jun 2023 16:01:31 GMT
   --- End of inner exception stack trace ---
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
   at Azure.Identity.ClientAssertionCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.TokenExchangeManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Microsoft.Azure.PowerShell.Authenticators.MsalAccessTokenAcquirer.GetAccessTokenAsync(String callerClassName, String parametersLog, TokenCredential tokenCredential, TokenRequestContext requestContext, CancellationToken cancellationToken, String tenantId, String userId, String homeAccountId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.AcquireAccessToken(IAzureAccount account, IAzureEnvironment environment, String tenantId, SecureString password, String promptBehavior, Action`1 promptAction, String resourceId)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.ListAccountTenants(IAzureAccount account, IAzureEnvironment environment, SecureString password, String promptBehavior, Action`1 promptAction)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantIdOrName, String subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, Action`1 promptAction, String name, Boolean shouldPopulateContextList, Int32 maxContextPopulation, String authScope)
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass127_2.<ExecuteCmdlet>b__5()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass127_0.<ExecuteCmdlet>b__1(AzureRmProfile localProfile, RMProfileClient profileClient, String name)
DEBUG: 16:01:32 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
Connect-AzAccount: /builds/diemobiliar/it/acp/monitoring/acp-monitoring-iac/test-login.ps1:4
Line |
   4 |  Connect-AzAccount -Identity
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | ClientAssertionCredential authentication failed: AADSTS70011: The
     | provided request must include a 'scope' input parameter. The provided
     | value for the input parameter 'scope' is not valid. The scope
     | https://management.core.windows.net/ is not valid. Trace ID:
     | 6876ec3d-4a33-4003-9af7-ae0a4dc32400 Correlation ID:
     | d7c8e151-1a70-4b32-a176-0e43cb4e9573 Timestamp: 2023-06-30 16:01:32Z
DEBUG: 16:01:32 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 16:01:32 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.12.3; CommandName: Connect-AzAccount; PSVersion: 7.3.4; IsSuccess: False; Duration: 00:00:00.6503690; Exception: ClientAssertionCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://management.core.windows.net/ is not valid.
Trace ID: 6876ec3d-4a33-4003-9af7-ae0a4dc32400
Correlation ID: d7c8e151-1a70-4b32-a176-0e43cb4e9573
Timestamp: 2023-06-30 16:01:32Z;
DEBUG: 16:01:32 - ConnectAzureRmAccountCommand end processing.

Environment data

Key   : PSVersion
Value : 7.3.4
Name  : PSVersion
Key   : PSEdition
Value : Core
Name  : PSEdition
Key   : GitCommitId
Value : 7.3.4
Name  : GitCommitId
Key   : OS
Value : Linux 5.15.0-1039-azure #46-Ubuntu SMP Mon May 22 15:18:07 UTC 2023
Name  : OS
Key   : Platform
Value : Unix
Name  : Platform
Key   : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0…}
Name  : PSCompatibleVersions
Key   : PSRemotingProtocolVersion
Value : 2.3
Name  : PSRemotingProtocolVersion
Key   : SerializationVersion
Value : 1.1.0.1
Name  : SerializationVersion
Key   : WSManStackVersion
Value : 3.0
Name  : WSManStackVersion

Module versions

Name              : Az.Accounts
Path              : /usr/local/share/powershell/Modules/Az.Accounts/2.12.3/Az.A
                    ccounts.psm1
Description       : Microsoft Azure PowerShell - Accounts credential management
                     cmdlets for Azure Resource Manager in Windows PowerShell a
                    nd PowerShell Core.

                    For more information on account credential management, plea
                    se visit the following: https://learn.microsoft.com/powersh
                    ell/azure/authenticate-azureps
Guid              : 17a2feff-488b-47f9-8729-e2cec094624c
Version           : 2.12.3
ModuleBase        : /usr/local/share/powershell/Modules/Az.Accounts/2.12.3
ModuleType        : Script
PrivateData       : {[PSData, System.Collections.Hashtable]}
AccessMode        : ReadWrite
ExportedAliases   : {[Add-AzAccount, Add-AzAccount], [Get-AzDomain, Get-AzDomai
                    n], [Invoke-AzRest, Invoke-AzRest], [Login-AzAccount, Login
                    -AzAccount]…}
ExportedCmdlets   : {[Add-AzEnvironment, Add-AzEnvironment], [Clear-AzConfig, C
                    lear-AzConfig], [Clear-AzContext, Clear-AzContext], [Clear-
                    AzDefault, Clear-AzDefault]…}
ExportedFunctions : {}
ExportedVariables : {}
NestedModules     : {Microsoft.Azure.PowerShell.Cmdlets.Accounts}

Error output

DEBUG: 16:01:32 - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 16:01:32 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use `Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.
   HistoryId: 1
Message        : ClientAssertionCredential authentication failed: AADSTS70011: 
                 The provided request must include a 'scope' input parameter. T
                 he provided value for the input parameter 'scope' is not valid
                 . The scope https://management.core.windows.net/ is not valid.
                 Trace ID: 6876ec3d-4a33-4003-9af7-ae0a4dc32400
                 Correlation ID: d7c8e151-1a70-4b32-a176-0e43cb4e9573
                 Timestamp: 2023-06-30 16:01:32Z
StackTrace     :    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThro
                 w(Exception ex, String additionalMessage)
                    at Azure.Identity.ClientAssertionCredential.GetTokenAsync(T
                 okenRequestContext requestContext, CancellationToken cancellat
                 ionToken)
                    at Azure.Identity.TokenExchangeManagedIdentitySource.Authen
                 ticateAsync(Boolean async, TokenRequestContext context, Cancel
                 lationToken cancellationToken)
                    at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(B
                 oolean async, TokenRequestContext context, CancellationToken c
                 ancellationToken)
                    at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsy
                 nc(Boolean async, TokenRequestContext requestContext, Cancella
                 tionToken cancellationToken)
                    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThro
                 w(Exception ex, String additionalMessage)
                    at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsy
                 nc(Boolean async, TokenRequestContext requestContext, Cancella
                 tionToken cancellationToken)
                    at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(T
                 okenRequestContext requestContext, CancellationToken cancellat
                 ionToken)
                    at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToke
                 nAcquirer.GetAccessTokenAsync(String callerClassName, String p
                 arametersLog, TokenCredential tokenCredential, TokenRequestCon
                 text requestContext, CancellationToken cancellationToken, Stri
                 ng tenantId, String userId, String homeAccountId)
                    at Microsoft.Azure.Commands.Common.Authentication.Factories
                 .AuthenticationFactory.Authenticate(IAzureAccount account, IAz
                 ureEnvironment environment, String tenant, SecureString passwo
                 rd, String promptBehavior, Action`1 promptAction, IAzureTokenC
                 ache tokenCache, String resourceId)
                    at Microsoft.Azure.Commands.ResourceManager.Common.RMProfil
                 eClient.AcquireAccessToken(IAzureAccount account, IAzureEnviro
                 nment environment, String tenantId, SecureString password, Str
                 ing promptBehavior, Action`1 promptAction, String resourceId)
                    at Microsoft.Azure.Commands.ResourceManager.Common.RMProfil
                 eClient.ListAccountTenants(IAzureAccount account, IAzureEnviro
                 nment environment, SecureString password, String promptBehavio
                 r, Action`1 promptAction)
                    at Microsoft.Azure.Commands.ResourceManager.Common.RMProfil
                 eClient.Login(IAzureAccount account, IAzureEnvironment environ
                 ment, String tenantIdOrName, String subscriptionId, String sub
                 scriptionName, SecureString password, Boolean skipValidation, 
                 Action`1 promptAction, String name, Boolean shouldPopulateCont
                 extList, Int32 maxContextPopulation, String authScope)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCo
                 mmand.<>c__DisplayClass127_2.<ExecuteCmdlet>b__5()
                    at System.Threading.Tasks.Task`1.InnerInvoke()
                    at System.Threading.ExecutionContext.RunFromThreadPoolDispa
                 tchLoop(Thread threadPoolThread, ExecutionContext executionCon
                 text, ContextCallback callback, Object state)
                 --- End of stack trace from previous location ---
                    at System.Threading.ExecutionContext.RunFromThreadPoolDispa
                 tchLoop(Thread threadPoolThread, ExecutionContext executionCon
                 text, ContextCallback callback, Object state)
                    at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task&
                  currentTaskSlot, Thread threadPoolThread)
                 --- End of stack trace from previous location ---
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCo
                 mmand.<>c__DisplayClass127_0.<ExecuteCmdlet>b__1(AzureRmProfil
                 e localProfile, RMProfileClient profileClient, String name)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCo
                 mmand.<>c__DisplayClass136_0.<SetContextWithOverwritePrompt>b_
                 _0(AzureRmProfile prof, RMProfileClient client)
                    at Microsoft.Azure.Commands.Profile.Common.AzureContextModi
                 ficationCmdlet.ModifyContext(Action`2 contextAction)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCo
                 mmand.SetContextWithOverwritePrompt(Action`3 setContextAction)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCo
                 mmand.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletE
                 xtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c)
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletE
                 xtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 ex
                 ecutor)
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletE
                 xtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePS
                 Cmdlet.ProcessRecord()
Exception      : Azure.Identity.AuthenticationFailedException
InvocationInfo : {Connect-AzAccount}
Line           : Connect-AzAccount -Identity

Position       : At /builds/diemobiliar/it/acp/monitoring/acp-monitoring-iac/te
                 st-login.ps1:4 char:1
                 + Connect-AzAccount -Identity
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 1
Message        : AADSTS70011: The provided request must include a 'scope' input
                  parameter. The provided value for the input parameter 'scope'
                  is not valid. The scope https://management.core.windows.net/ 
                 is not valid.
                 Trace ID: 6876ec3d-4a33-4003-9af7-ae0a4dc32400
                 Correlation ID: d7c8e151-1a70-4b32-a176-0e43cb4e9573
                 Timestamp: 2023-06-30 16:01:32Z
StackTrace     :    at Microsoft.Identity.Client.Internal.Requests.RequestBase.
                 HandleTokenRefreshErrorAsync(MsalServiceException e, MsalAcces
                 sTokenCacheItem cachedAccessTokenItem)
                    at Microsoft.Identity.Client.Internal.Requests.ClientCreden
                 tialRequest.ExecuteAsync(CancellationToken cancellationToken)
                    at Microsoft.Identity.Client.Internal.Requests.RequestBase.
                 RunAsync(CancellationToken cancellationToken)
                    at Microsoft.Identity.Client.ApiConfig.Executors.Confidenti
                 alClientExecutor.ExecuteAsync(AcquireTokenCommonParameters com
                 monParameters, AcquireTokenForClientParameters clientParameter
                 s, CancellationToken cancellationToken)
                    at Azure.Identity.AbstractAcquireTokenParameterBuilderExten
                 sions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder`1 b
                 uilder, Boolean async, CancellationToken cancellationToken)
                    at Azure.Identity.MsalConfidentialClient.AcquireTokenForCli
                 entCoreAsync(String[] scopes, String tenantId, Boolean async, 
                 CancellationToken cancellationToken)
                    at Azure.Identity.MsalConfidentialClient.AcquireTokenForCli
                 entAsync(String[] scopes, String tenantId, Boolean async, Canc
                 ellationToken cancellationToken)
                    at Azure.Identity.ClientAssertionCredential.GetTokenAsync(T
                 okenRequestContext requestContext, CancellationToken cancellat
                 ionToken)
Exception      : Microsoft.Identity.Client.MsalServiceException
InvocationInfo : {Connect-AzAccount}
Line           : Connect-AzAccount -Identity

Position       : At /builds/diemobiliar/it/acp/monitoring/acp-monitoring-iac/te
                 st-login.ps1:4 char:1
                 + Connect-AzAccount -Identity
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 1
DEBUG: 16:01:32 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.12.3; CommandName: Resolve-AzError; PSVersion: 7.3.4; IsSuccess: True; Duration: 00:00:00.0253752
DEBUG: 16:01:32 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 16:01:32 - ResolveError end processing.
dolauli commented 1 year ago

Thanks for reporting the issue. @msJinLei Please take a look.

msJinLei commented 1 year ago

@J0F3 Thanks for reporting the issue. It is caused by the environment variables being set. Azure.Identity selects TokenExchangeManagedIdentity as the MSI source. The scopes TokenExchange uses are different from those of other MSI sources, but they share the same interface from TokenRequestContext, which causes the failure.

I also found that Azure.Identity has a variable called ExcludeTokenExchangeManagedIdentitySource, which can disable TokenExchangeManagedIdentitySource. But with the current design we are unable to use the property. I created an ask for Azure.Identity: https://github.com/Azure/azure-sdk-for-net/issues/37453 CC @dolauli @isra-fel

For WorkloadIdentityCredential, we don't support it yet and will estimate this new feature soon.

J0F3 commented 1 year ago

@msJinLei Thank you for the update.

For WorkloadIdentityCredential, we don't support it yet and will estimate this new feature soon.

Does that mean Azure PowerShell does not support login with Workload Identity at all yet? We got it working with the -FederatedToken parameter and explicitly passing the env variables of Workload Identity to PowerShell. (I think it is basically the same as how it works with Azure CLI also) e.g.:

Connect-AzAccount -ServicePrincipal -ApplicationId $env:AZURE_CLIENT_ID -FederatedToken $(Get-Content $env:AZURE_FEDERATED_TOKEN_FILE -Raw) -Tenant $env:AZURE_TENANT_ID -Subscription $env:ARM_SUBSCRIPTION_ID

Can we use that when we want to switch to Workload Identity or is it actually not really supported yet to use the -FederatedToken parameter for login with Workload Identity?
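The workaround above can be wrapped so that a script detects the Workload Identity projection itself, instead of tripping over the behaviour this issue describes (the env variables silently switching `-Identity` to the token-exchange path). The following is an added example, not code from the azure-powershell project or from the commenters: it checks whether the three variables from the reporter's example are all present, falls back to plain `-Identity` (IMDS) when none are, reads the projected token only at login time, and sanity-checks the token's `exp` claim before handing it to `Connect-AzAccount -FederatedToken`. `Get-JwtPayload` and `Connect-AzWithDetectedIdentity` are names chosen here; `ARM_SUBSCRIPTION_ID` is taken from the reporter's command; the `api://AzureADTokenExchange` audience check is an assumption about a typical federated-credential setup and is only a warning.

```powershell
# Added example (not part of the azure-powershell project): pick the login path
# from the Workload Identity environment variables discussed in this issue.

function Get-JwtPayload {
    # Decodes the payload segment of a JWT for local sanity checks only.
    # This does NOT verify the signature; Entra ID verifies the assertion when
    # it is exchanged, so nothing here is used to make a trust decision.
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Token is not a JWT (expected header.payload.signature).' }

    # JWT segments are base64url without padding; convert to standard base64.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $json = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Connect-AzWithDetectedIdentity {
    [CmdletBinding()]
    param(
        # ARM_SUBSCRIPTION_ID as in the reporter's example; optional.
        [string]$SubscriptionId = $env:ARM_SUBSCRIPTION_ID
    )

    $wiVars  = 'AZURE_CLIENT_ID', 'AZURE_TENANT_ID', 'AZURE_FEDERATED_TOKEN_FILE'
    $present = @($wiVars | Where-Object { [Environment]::GetEnvironmentVariable($_) })

    if ($present.Count -eq 0) {
        # No projection: IMDS managed identity behaves as the -Identity parameter suggests.
        Write-Verbose 'No Workload Identity variables found; using -Identity (IMDS).'
        return Connect-AzAccount -Identity
    }
    if ($present.Count -ne $wiVars.Count) {
        $missing = ($wiVars | Where-Object { $_ -notin $present }) -join ', '
        throw "Partial Workload Identity configuration; missing: $missing"
    }

    $tokenFile = $env:AZURE_FEDERATED_TOKEN_FILE
    if (-not (Test-Path -Path $tokenFile -PathType Leaf)) {
        throw "AZURE_FEDERATED_TOKEN_FILE points to '$tokenFile' but the file does not exist."
    }

    # Read the projected token at login time: the projection is rotated by the
    # platform, so the file content must not be cached across runs.
    $assertion = (Get-Content -Path $tokenFile -Raw).Trim()

    $payload = Get-JwtPayload -Token $assertion
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$payload.exp)
    if ($exp -le [DateTimeOffset]::UtcNow) {
        throw "Projected token expired at $exp; the projection may not be refreshing."
    }
    # Assumption (not from this issue): federated credentials are commonly set up
    # with this audience. A mismatch is only reported, because the audience is
    # configurable on the workload side.
    if ($payload.aud -ne 'api://AzureADTokenExchange') {
        Write-Warning "Unexpected token audience '$($payload.aud)'; check the federated credential configuration."
    }

    $params = @{
        ServicePrincipal = $true
        ApplicationId    = $env:AZURE_CLIENT_ID
        Tenant           = $env:AZURE_TENANT_ID
        FederatedToken   = $assertion
    }
    if ($SubscriptionId) { $params['Subscription'] = $SubscriptionId }

    Write-Verbose "Workload Identity variables found; using -FederatedToken for client $($env:AZURE_CLIENT_ID)."
    return Connect-AzAccount @params
}

# Usage: run with -Verbose to see which path was chosen.
Connect-AzWithDetectedIdentity -Verbose
```

The assertion is passed once and not stored anywhere persistent; if a login fails with an AADSTS error, the `exp` and `aud` checks above narrow down whether the projected token itself or the app registration's federated credential is the problem.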

msJinLei commented 1 year ago

@msJinLei Thank you for the update.

For WorkloadIdentityCredential, we don't support it yet and will estimate this new feature soon.

Does that mean Azure PowerShell does not support login with Workload Identity at all yet?

The workaround is to use FederatedToken parameter to login.

We got it working with the -FederatedToken parameter and explicitly passing the env variables of Workload Identity to PowerShell. (I think it is basically the same as how it works with Azure CLI also) e.g.:

Connect-AzAccount -ServicePrincipal -ApplicationId $env:AZURE_CLIENT_ID -FederatedToken $(Get-Content $env:AZURE_FEDERATED_TOKEN_FILE -Raw) -Tenant $env:AZURE_TENANT_ID -Subscription $env:ARM_SUBSCRIPTION_ID

Yes, it's right!

Per my understanding, the implication of WorkloadIdentityCredential is to take advantage of the env variables directly. We currently support the so-called ClientAssertion way to login, but you have to pass the token and tenant to the parameters yourselves. https://github.com/Azure/azure-powershell/blob/7407fb00a5c87de5dcc5725a737561049d08a967/src/Accounts/Accounts/Account/ConnectAzureRmAccount.cs#L463