Azure / azure-powershell

Microsoft Azure PowerShell

Invoke-AzCostManagementQuery ignores -DefaultProfile parameter #22327

Closed kwill-MSFT closed 6 months ago

kwill-MSFT commented 1 year ago

Description

We use -DefaultProfile to pass in contexts mapped to the different tenants we are targeting. This works fine for most Az cmdlets, but Invoke-AzCostManagementQuery ignores this -DefaultProfile parameter and just uses whatever context was last set for the PowerShell session (i.e. the last Connect-AzAccount).

This makes Invoke-AzCostManagementQuery unusable in multi-threaded scenarios where different threads are executing against different contexts.

Issue script & Debug output

PS C:\Users\kwill> (Get-AzContext).Tenant.Id
DEBUG: 10:30:50 AM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 10:30:50 AM - GetAzureRMContextCommand end processing.
b5ba8111-2e1a-4cfc-89ef-be3a008028ab

PS C:\Users\kwill> $ctxAutomation.Tenant.Id
12f988bf-86f1-41af-91ab-2d7cd011db41

PS C:\Users\kwill> Invoke-AzCostManagementQuery -Scope $Scope -Timeframe 'MonthToDate' -Type 'ActualCost' -DatasetGranularity 'Monthly' -DatasetAggregation $Aggregation -DefaultProfile $ctxAutomation
DEBUG: 10:31:27 AM - InvokeAzRestMethodCommand begin processing with ParameterSet 'ByPath'.
DEBUG: 10:31:27 AM - using account id 'eadea216-1d5c-4a4b-beaf-4f145e6b1cb4'...
DEBUG: 10:31:27 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: [Common.Authentication]: Authenticating using Account: 'eadea216-1d5c-4a4b-beaf-4f145e6b1cb4', environment: 'AzureCloud', tenant: 'b5ba8111-2e1a-4cfc-89ef-be3a008028ab'
DEBUG: 10:31:27 AM - [ServicePrincipalAuthenticator] Calling ClientSecretCredential.GetTokenAsync - ApplicationId:'eadea216-1d5c-4a4b-beaf-4f145e6b1cb4', TenantId:'b5ba8111-2e1a-4cfc-89ef-be3a008028ab', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/'
DEBUG: ClientSecretCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: 
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:27Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8] MSAL MSAL.Desktop with assembly version '4.49.1.0'. CorrelationId(dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8)
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:27Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8] === AcquireTokenForClientParameters ===
SendX5C: False
ForceRefresh: False

DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:27Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8] 
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) - 
ApiId - AcquireTokenForClient
IsConfidentialClient - True
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured: 

DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:27Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8] === Token Acquisition (ClientCredentialRequest) started:
     Scopes: https://management.core.windows.net//.default
    Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:27Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8] [Instance Discovery] Instance discovery is enabled and will be performed
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:27Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8] [Region discovery] Not using a regional authority. 
DEBUG: Request [e2cf1544-346a-4c31-bb9e-7341ccaa4db4] POST https://login.microsoftonline.com/b5ba8111-2e1a-4cfc-89ef-be3a008028ab/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
Content-Type:application/x-www-form-urlencoded
x-ms-client-request-id:e2cf1544-346a-4c31-bb9e-7341ccaa4db4
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.6.1 (.NET Framework 4.8.9166.0; Microsoft Windows 10.0.22621 )
client assembly: Azure.Identity
DEBUG: Response [e2cf1544-346a-4c31-bb9e-7341ccaa4db4] 200 OK (00.2s)
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
client-request-id:REDACTED
x-ms-request-id:ff3e952b-4ad5-4d22-98df-8aaabe9a9500
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
X-XSS-Protection:REDACTED
Cache-Control:no-store, no-cache
Content-Type:application/json; charset=utf-8
Expires:-1
P3P:REDACTED
Set-Cookie:REDACTED
Date:Fri, 14 Jul 2023 15:31:27 GMT
Content-Length:1445

DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:28Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8] ScopeSet was missing from the token response, so using developer provided scopes in the result. 
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:28Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8] Checking client info returned from the server..
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:28Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8] Saving token response to cache..
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:28Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8] [SaveTokenResponseAsync] ID Token not present in response. 
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:28Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8] Cannot determine home account id - or id token or no client info and no subject 
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:28Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8] [SaveTokenResponseAsync] Saving AT in cache and removing overlapping ATs...
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:28Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8] Looking for scopes for the authority in the cache which intersect with https://management.core.windows.net//.default
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:28Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8] Intersecting scope entries count - 0
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:28Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8] 
    === Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:28Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8]  AT expiration time: 7/14/2023 4:31:27 PM +00:00, scopes: https://management.core.windows.net//.default. source: IdentityProvider
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-07-14 15:31:28Z - dcb5d12b-0dc3-4bf9-972f-4748ed33dfa8] Fetched access token from host login.microsoftonline.com. 
DEBUG: ClientSecretCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2023-07-14T16:31:27.0649145+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: 'b5ba8111-2e1a-4cfc-89ef-be3a008028ab', UserId: 'eadea216-1d5c-4a4b-beaf-4f145e6b1cb4'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
POST

Absolute Uri:
https://management.azure.com/subscriptions/c4054016-9644-49b7-985a-d3f588c0c7eb/providers/Microsoft.CostManagement/query?api-version=2019-11-01

Headers:
x-ms-client-request-id        : abd3dd26-50f5-405c-86b5-aed932c741b7
accept-language               : en-US

Body:
{
  "dataset": {
    "granularity": "Monthly",
    "aggregation": {
      "totalCost": {
        "name": "Cost",
        "function": "Sum"
      }
    }
  },
  "type": "ActualCost",
  "timeframe": "MonthToDate"
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Unauthorized

Headers:
Pragma                        : no-cache
x-ms-failure-cause            : gateway
x-ms-request-id               : eb7289f6-e5bf-4021-a8a1-9f7fe6233b71
x-ms-correlation-request-id   : eb7289f6-e5bf-4021-a8a1-9f7fe6233b71
x-ms-routing-request-id       : SOUTHCENTRALUS:20230714T153128Z:eb7289f6-e5bf-4021-a8a1-9f7fe6233b71
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Connection                    : close
Cache-Control                 : no-cache
Date                          : Fri, 14 Jul 2023 15:31:27 GMT
WWW-Authenticate              : Bearer authorization_uri="https://login.windows.net/d58dbf8e-4b5e-45ed-96cd-8cf71a6a3f64", error="invalid_token", error_description="The access token is from the wrong issuer. It must match the tenant associated with this subscription. Please use correct authority to get the token."

Body:
{
  "error": {
    "code": "InvalidAuthenticationTokenTenant",
    "message": "The access token is from the wrong issuer 'https://sts.windows.net/b5ba8111-2e1a-4cfc-89ef-be3a008028ab/'. It must match the tenant 'https://sts.windows.net/d58dbf8e-4b5e-45ed-96cd-8cf71a6a3f64/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/d58dbf8e-4b5e-45ed-96cd-8cf71a6a3f64' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
  }
}

DEBUG: 10:31:28 AM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 10:31:28 AM - InvokeAzRestMethodCommand end processing.

DEBUG: AzureQoSEvent:  Module: Az.CostManagement:0.3.0; CommandName: Invoke-AzCostManagementQuery; PSVersion: 5.1.22621.1778; IsSuccess: True; Duration: 00:00:00.3131856
Column Row
------ ---
{}     {}

Environment data

PS C:\Users\kwill> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.22621.1778
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.1778
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

PS C:\Users\kwill> Get-Module Az*

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     2.12.2     Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault...}
Script     0.3.0      Az.CostManagement                   {Get-AzCostManagementExport, Get-AzCostManagementExportExecutionHistory, Invoke-AzCostManagementExecuteExport, Invoke-AzCostManagementQuery...}
Script     4.9.2      Az.KeyVault                         {Add-AzKeyVaultCertificate, Add-AzKeyVaultCertificateContact, Add-AzKeyVaultKey, Add-AzKeyVaultManagedStorageAccount...}
Script     0.12.0     Az.ResourceGraph                    {Search-AzGraph, Get-AzResourceGraphQuery, New-AzResourceGraphQuery, Remove-AzResourceGraphQuery...}

Error output

No response

isra-fel commented 1 year ago

Thanks for the feedback @kwil-MSFT ! We'd like to better understand your scenario. Is it possible to share the whole script (internally if it contains sensitive info)? We are particularly interested in how you authenticate for different tenants and how you utilize multi-threading, as well as how they cooperate with each other.

cc @dolauli

isra-fel commented 1 year ago

Misspelled the user name ... @kwill-MSFT could you share your scenario or script? Thanks.

ghost commented 1 year ago

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

kwill-MSFT commented 1 year ago

Provided additional context and details internally.

Simple repro:

$SubId1 = "1237f4d2-3dce-4b96-ad95-677f764e7123"
$TenantId1 = "123988bf-86f1-41af-91ab-2d7cd011d123"

$SubId2 = "123b7f32-b384-448e-ab45-98eb07d12123"
$TenantId2 = "12306220-b94c-4f6b-b120-59bda4a79123"

$Aggregation = @{
    totalCost = @{
        name     = "Cost"
        function = "Sum"
    }
}

$DebugPreference = 'continue'

$ctx1 = Connect-AzAccount -Tenant $TenantId1 -Subscription $SubId1
#This works because the current context is Tenant1
Invoke-AzCostManagementQuery -Scope "/subscriptions/$SubId1" -Timeframe 'MonthToDate' -Type 'ActualCost' -DatasetGranularity 'Monthly' -DatasetAggregation $Aggregation -DefaultProfile $ctx1

$ctx2 = Connect-AzAccount -Tenant $TenantId2 -Subscription $SubId2
#This fails with InvalidAuthenticationTokenTenant because I am trying to use the -DefaultProfile $ctx1 from Tenant1, but the current PS context is Tenant2
Invoke-AzCostManagementQuery -Scope "/subscriptions/$SubId1" -Timeframe 'MonthToDate' -Type 'ActualCost' -DatasetGranularity 'Monthly' -DatasetAggregation $Aggregation -DefaultProfile $ctx1
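
One way to sidestep the behaviour in a multi-threaded script until -DefaultProfile is honoured: an added example (not code from the issue or from the Az modules) that pins the session context to the target context under a named mutex and verifies the tenant before querying, since the session context is what the cmdlet actually acquires its token from. The wrapper name Invoke-CostQueryInContext and the mutex name are assumptions.

```powershell
# Added example, not code from the issue or from the Az modules. Works around
# -DefaultProfile being ignored: the session context is pinned to the target
# context under a named mutex (constructed name) before the query, and the tenant
# is verified first, because the token is taken from the session context.
# Assumes Az.Accounts and Az.CostManagement are loaded and $Context came from
# Connect-AzAccount (PSAzureProfile) or Get-AzContext (PSAzureContext).
function Invoke-CostQueryInContext {      # hypothetical wrapper name
    param(
        [Parameter(Mandatory)] $Context,
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [hashtable] $Aggregation
    )
    # Connect-AzAccount returns a profile wrapping the context; Get-AzContext returns the context itself.
    $azCtx = if ($Context.PSObject.Properties['Context']) { $Context.Context } else { $Context }

    # Serialize all callers: the session context is process-wide, so two threads
    # switching it concurrently would race exactly as described in the issue.
    $mutex = New-Object System.Threading.Mutex($false, 'Local\AzCostQueryContext')
    [void]$mutex.WaitOne()
    try {
        # Make the session context the one we want; this is what the cmdlet really uses.
        Set-AzContext -Context $azCtx -Scope Process | Out-Null

        # Fail fast if the session is still on another tenant, instead of letting the
        # ARM gateway reject the token with InvalidAuthenticationTokenTenant.
        $current = Get-AzContext
        if ($current.Tenant.Id -ne $azCtx.Tenant.Id) {
            throw "Session tenant $($current.Tenant.Id) != target tenant $($azCtx.Tenant.Id); refusing to query"
        }

        $result = Invoke-AzCostManagementQuery -Scope "/subscriptions/$SubscriptionId" `
            -Timeframe 'MonthToDate' -Type 'ActualCost' -DatasetGranularity 'Monthly' `
            -DatasetAggregation $Aggregation -DefaultProfile $Context -ErrorAction Stop

        # In the debug output above the 401 surfaced only as an empty Column/Row table
        # with IsSuccess: True, so do not silently read an empty result as zero cost.
        if (-not $result.Row -or $result.Row.Count -eq 0) {
            Write-Warning "Cost query for $SubscriptionId returned no rows; verify tenant/subscription alignment"
        }
        return $result
    }
    finally {
        [void]$mutex.ReleaseMutex()
        $mutex.Dispose()
    }
}
```

Because the context switch is serialized, this trades the parallelism the issue asks for against correctness; it is a stopgap, not a fix for the cmdlet.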

isra-fel commented 6 months ago

Tracked by https://github.com/Azure/azure-powershell/issues/21688