Azure / azure-powershell

Microsoft Azure PowerShell

Azure OIDC login fails in Github Actions #22628

Closed v2kiran closed 1 month ago

v2kiran commented 1 year ago

Description

The following fails:

    Disable-AzContextAutosave -Scope Process
    Connect-AzAccount -TenantId ${{ env.ARM_TENANT_ID }} -ApplicationId ${{ env.ARM_CLIENT_ID }} -FederatedToken $GitToken -ServicePrincipal -ErrorAction Stop

Issue script & Debug output

DEBUG: Initializing ConditionalAssemblyContext. PSEdition is [Core]. PSVersion is [7.3.6].
DEBUG: Initializing ConditionalAssemblyProvider. AssemblyRootPath is [/usr/local/share/powershell/Modules/Az.Accounts/2.12.5/StartupScripts/../lib].
DEBUG: Registering Az shared AssemblyLoadContext.
DEBUG: AssemblyLoadContext registered.
DEBUG: Got version 0 of Az
DEBUG: Got version 0 of Az.Accounts
DEBUG: 17:26:27 - DisableAzureRmContextAutosave begin processing with ParameterSet '__AllParameterSets'.
DEBUG: 17:26:27 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 17:26:27 - Autosave setting from startup session: 'CurrentUser'
DEBUG: 17:26:27 - No autosave setting detected in environment variable 'AzContextAutoSave'. 
DEBUG: 17:26:27 - Setting Autosave scope to 'Process' as specified in the cmdlet parameters.
DEBUG: 17:26:27 - Using Autosave scope 'Process'

Mode             : Process
ContextDirectory : 
ContextFile      : 
CacheDirectory   : 
CacheFile        : 
KeyStoreFile     : 
Settings         : {}

DEBUG: 17:26:27 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.12.5; CommandName: Disable-AzContextAutosave; PSVersion: 7.3.6; IsSuccess: True; Duration: 00:00:00.4122006
DEBUG: 17:26:27 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 17:26:27 - DisableAzureRmContextAutosave end processing.
DEBUG: 17:26:27 - ConnectAzureRmAccountCommand begin processing with ParameterSet 'ClientAssertionParameterSet'.
DEBUG: 17:26:27 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 17:26:27 - [ConfigManager] Got nothing from [DefaultSubscriptionForLogin], Module = [], Cmdlet = []. Returning default value [].
DEBUG: 17:26:27 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 17:26:27 - Autosave setting from startup session: 'Process'
DEBUG: 17:26:27 - No autosave setting detected in environment variable 'AzContextAutoSave'. 
DEBUG: 17:26:27 - Using Autosave scope 'Process'
DEBUG: 17:26:27 - Autosave setting from startup session: 'Process'
DEBUG: 17:26:27 - No autosave setting detected in environment variable 'AzContextAutoSave'. 
DEBUG: 17:26:27 - Using Autosave scope 'Process'
DEBUG: 17:26:27 - [ClientAssertionAuthenticator] Calling ClientAssertionCredential.GetTokenAsync - ClientId:'***', TenantId:'***', ClientAssertion:'***' Scopes:'https://management.core.windows.net//.default'
DEBUG: 17:26:28 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].

Environment data

Name                           Value
----                           -----
PSVersion                      7.3.6
PSEdition                      Core
GitCommitId                    7.3.6
OS                             Linux 5.10.102.2-microsoft-standard #1 SMP Mon M…
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

Name              : Az.Accounts
Path              : /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Az.A
                    ccounts.psm1
Description       : Microsoft Azure PowerShell - Accounts credential management
                     cmdlets for Azure Resource Manager in Windows PowerShell a
                    nd PowerShell Core.

                    For more information on account credential management, plea
                    se visit the following: https://learn.microsoft.com/powersh
                    ell/azure/authenticate-azureps
Guid              : 17a2feff-488b-47f9-8729-e2cec094624c
Version           : 2.12.5
ModuleBase        : /usr/local/share/powershell/Modules/Az.Accounts/2.12.5
ModuleType        : Script
PrivateData       : {[PSData, System.Collections.Hashtable]}
AccessMode        : ReadWrite
ExportedAliases   : {[Add-AzAccount, Add-AzAccount], [Get-AzDomain, Get-AzDomai
                    n], [Invoke-AzRest, Invoke-AzRest], [Login-AzAccount, Login
                    -AzAccount]…}
ExportedCmdlets   : {[Add-AzEnvironment, Add-AzEnvironment], [Clear-AzConfig, C
                    lear-AzConfig], [Clear-AzContext, Clear-AzContext], [Clear-
                    AzDefault, Clear-AzDefault]…}
ExportedFunctions : {}
ExportedVariables : {}
NestedModules     : {Microsoft.Azure.PowerShell.Cmdlets.Accounts}

Error output

DEBUG: 17:26:28 - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 17:26:28 - using account id '***'...
DEBUG: 17:26:28 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
InnerException   : False
Exception        : System.ArgumentNullException: Persistence check failed. Insp
                   ect inner exception for details
                   Could not find tenant id for provided tenant domain 'e6f7641
                   c-0828-43ab-a963-69cae0d256a4'. 
                    ---> Microsoft.Identity.Client.Extensions.Msal.MsalCachePer
                   sistenceException: Persistence check failed. Inspect inner e
                   xception for details
                    ---> System.DllNotFoundException: Unable to load shared lib
                   rary 'libsecret-1.so.0' or one of its dependencies. In order
                    to help diagnose loading problems, consider using a tool li
                   ke strace. If you're using glibc, consider setting the LD_DE
                   BUG environment variable: 
                   /opt/microsoft/powershell/7/libsecret-1.so.0.so: cannot open
                    shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/libsecret-1.so.0.so: cannot o
                   pen shared object file: No such file or directory
                   /opt/microsoft/powershell/7/liblibsecret-1.so.0.so: cannot o
                   pen shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/liblibsecret-1.so.0.so: canno
                   t open shared object file: No such file or directory
                   /opt/microsoft/powershell/7/libsecret-1.so.0: cannot open sh
                   ared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/libsecret-1.so.0: cannot open
                    shared object file: No such file or directory
                   /opt/microsoft/powershell/7/liblibsecret-1.so.0: cannot open
                    shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/liblibsecret-1.so.0: cannot o
                   pen shared object file: No such file or directory

                      at Microsoft.Identity.Client.Extensions.Msal.Libsecret.se
                   cret_schema_new(String name, Int32 flags, String attribute1,
                    Int32 attribute1Type, String attribute2, Int32 attribute2Ty
                   pe, IntPtr end)
                      at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyring
                   Accessor.GetLibsecretSchema()
                      at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyring
                   Accessor.Write(Byte[] data)
                      at Microsoft.Identity.Client.Extensions.Msal.Storage.Veri
                   fyPersistence()
                      --- End of inner exception stack trace ---
                      at Microsoft.Identity.Client.Extensions.Msal.Storage.Veri
                   fyPersistence()
                      at Microsoft.Identity.Client.Extensions.Msal.MsalCacheHel
                   per.VerifyPersistence()
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lCacheHelperWrapper.VerifyPersistence()
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.GetCacheHelperAsync(Boolean async, CancellationToken
                    cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.GetCacheHelperAsync(Boolean async, CancellationToken
                    cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.RegisterCache(Boolean async, ITokenCache tokenCache,
                    CancellationToken cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lClientBase`1.GetClientAsync(Boolean async, CancellationToke
                   n cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lConfidentialClient.AcquireTokenForClientCoreAsync(String[] 
                   scopes, String tenantId, Boolean async, CancellationToken ca
                   ncellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lConfidentialClient.AcquireTokenForClientAsync(String[] scop
                   es, String tenantId, Boolean async, CancellationToken cancel
                   lationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Cli
                   entAssertionCredential.GetTokenAsync(TokenRequestContext req
                   uestContext, CancellationToken cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.MsalAccessTo
                   ken.GetAccessTokenAsync(String callerClassName, String param
                   etersLog, TokenCredential tokenCredential, TokenRequestConte
                   xt requestContext, CancellationToken cancellationToken, Stri
                   ng tenantId, String userId, String homeAccountId)
                      at Microsoft.Azure.Commands.Common.Authentication.Factori
                   es.AuthenticationFactory.Authenticate(IAzureAccount account,
                    IAzureEnvironment environment, String tenant, SecureString 
                   password, String promptBehavior, Action`1 promptAction, IAzu
                   reTokenCache tokenCache, String resourceId)
                      at Microsoft.Azure.Commands.ResourceManager.Common.RMProf
                   ileClient.AcquireAccessToken(IAzureAccount account, IAzureEn
                   vironment environment, String tenantId, SecureString passwor
                   d, String promptBehavior, Action`1 promptAction, String reso
                   urceId)
                      at Microsoft.Azure.Commands.ResourceManager.Common.RMProf
                   ileClient.Login(IAzureAccount account, IAzureEnvironment env
                   ironment, String tenantIdOrName, String subscriptionId, Stri
                   ng subscriptionName, SecureString password, Boolean skipVali
                   dation, IOpenIDConfiguration openIDConfigDoc, Action`1 promp
                   tAction, String name, Boolean shouldPopulateContextList, Int
                   32 maxContextPopulation, String authScope)
                      --- End of inner exception stack trace ---
                      at Microsoft.Azure.Commands.ResourceManager.Common.RMProf
                   ileClient.Login(IAzureAccount account, IAzureEnvironment env
                   ironment, String tenantIdOrName, String subscriptionId, Stri
                   ng subscriptionName, SecureString password, Boolean skipVali
                   dation, IOpenIDConfiguration openIDConfigDoc, Action`1 promp
                   tAction, String name, Boolean shouldPopulateContextList, Int
                   32 maxContextPopulation, String authScope)
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.<>c__DisplayClass127_2.<ExecuteCmdlet>b__5()
                      at System.Threading.Tasks.Task`1.InnerInvoke()
                      at System.Threading.ExecutionContext.RunFromThreadPoolDis
                   patchLoop(Thread threadPoolThread, ExecutionContext executio
                   nContext, ContextCallback callback, Object state)
                   --- End of stack trace from previous location ---
                      at System.Threading.ExecutionContext.RunFromThreadPoolDis
                   patchLoop(Thread threadPoolThread, ExecutionContext executio
                   nContext, ContextCallback callback, Object state)
                      at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Tas
                   k& currentTaskSlot, Thread threadPoolThread)
                   --- End of stack trace from previous location ---
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.<>c__DisplayClass127_1.<ExecuteCmdlet>b__1(AzureRmPr
                   ofile localProfile, RMProfileClient profileClient, String na
                   me)
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.<>c__DisplayClass136_0.<SetContextWithOverwritePromp
                   t>b__0(AzureRmProfile prof, RMProfileClient client)
                      at Microsoft.Azure.Commands.Profile.Common.AzureContextMo
                   dificationCmdlet.ModifyContext(Action`2 contextAction)
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.SetContextWithOverwritePrompt(Action`3 setContextAct
                   ion)
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.ExecuteCmdlet()
                      at Microsoft.WindowsAzure.Commands.Utilities.Common.Cmdle
                   tExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c
                   )
                      at Microsoft.WindowsAzure.Commands.Utilities.Common.Cmdle
                   tExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`
                   1 executor)
                      at Microsoft.WindowsAzure.Commands.Utilities.Common.Cmdle
                   tExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
                      at Microsoft.WindowsAzure.Commands.Utilities.Common.Azure
                   PSCmdlet.ProcessRecord()
Message          : Persistence check failed. Inspect inner exception for detail
                   s
                   Could not find tenant id for provided tenant domain 'e6f7641
                   c-0828-43ab-a963-69cae0d256a4'. 
StackTrace       :    at Microsoft.Azure.Commands.ResourceManager.Common.RMProf
                   ileClient.Login(IAzureAccount account, IAzureEnvironment env
                   ironment, String tenantIdOrName, String subscriptionId, Stri
                   ng subscriptionName, SecureString password, Boolean skipVali
                   dation, IOpenIDConfiguration openIDConfigDoc, Action`1 promp
                   tAction, String name, Boolean shouldPopulateContextList, Int
                   32 maxContextPopulation, String authScope)
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.<>c__DisplayClass127_2.<ExecuteCmdlet>b__5()
                      at System.Threading.Tasks.Task`1.InnerInvoke()
                      at System.Threading.ExecutionContext.RunFromThreadPoolDis
                   patchLoop(Thread threadPoolThread, ExecutionContext executio
                   nContext, ContextCallback callback, Object state)
                   --- End of stack trace from previous location ---
                      at System.Threading.ExecutionContext.RunFromThreadPoolDis
                   patchLoop(Thread threadPoolThread, ExecutionContext executio
                   nContext, ContextCallback callback, Object state)
                      at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Tas
                   k& currentTaskSlot, Thread threadPoolThread)
                   --- End of stack trace from previous location ---
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.<>c__DisplayClass127_1.<ExecuteCmdlet>b__1(AzureRmPr
                   ofile localProfile, RMProfileClient profileClient, String na
                   me)
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.<>c__DisplayClass136_0.<SetContextWithOverwritePromp
                   t>b__0(AzureRmProfile prof, RMProfileClient client)
                      at Microsoft.Azure.Commands.Profile.Common.AzureContextMo
                   dificationCmdlet.ModifyContext(Action`2 contextAction)
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.SetContextWithOverwritePrompt(Action`3 setContextAct
                   ion)
                      at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccount
                   Command.ExecuteCmdlet()
                      at Microsoft.WindowsAzure.Commands.Utilities.Common.Cmdle
                   tExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c
                   )
                      at Microsoft.WindowsAzure.Commands.Utilities.Common.Cmdle
                   tExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`
                   1 executor)
                      at Microsoft.WindowsAzure.Commands.Utilities.Common.Cmdle
                   tExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
                      at Microsoft.WindowsAzure.Commands.Utilities.Common.Azure
                   PSCmdlet.ProcessRecord()
HelpLink         : 
ErrorDetails     : 
ErrorCategory    : CloseError: (:) [Connect-AzAccount], ArgumentNullException
InvocationInfo   : System.Management.Automation.InvocationInfo
ScriptStackTrace : at <ScriptBlock>, /home/docker/actions-runner/_work/_temp/45
                   c02185-83e4-4dc2-98b3-43a024bcc428.ps1: line 23
                   at <ScriptBlock>, <No file>: line 1

InnerException   : False
Exception        : Microsoft.Identity.Client.Extensions.Msal.MsalCachePersisten
                   ceException: Persistence check failed. Inspect inner excepti
                   on for details
                    ---> System.DllNotFoundException: Unable to load shared lib
                   rary 'libsecret-1.so.0' or one of its dependencies. In order
                    to help diagnose loading problems, consider using a tool li
                   ke strace. If you're using glibc, consider setting the LD_DE
                   BUG environment variable: 
                   /opt/microsoft/powershell/7/libsecret-1.so.0.so: cannot open
                    shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/libsecret-1.so.0.so: cannot o
                   pen shared object file: No such file or directory
                   /opt/microsoft/powershell/7/liblibsecret-1.so.0.so: cannot o
                   pen shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/liblibsecret-1.so.0.so: canno
                   t open shared object file: No such file or directory
                   /opt/microsoft/powershell/7/libsecret-1.so.0: cannot open sh
                   ared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/libsecret-1.so.0: cannot open
                    shared object file: No such file or directory
                   /opt/microsoft/powershell/7/liblibsecret-1.so.0: cannot open
                    shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/liblibsecret-1.so.0: cannot o
                   pen shared object file: No such file or directory

                      at Microsoft.Identity.Client.Extensions.Msal.Libsecret.se
                   cret_schema_new(String name, Int32 flags, String attribute1,
                    Int32 attribute1Type, String attribute2, Int32 attribute2Ty
                   pe, IntPtr end)
                      at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyring
                   Accessor.GetLibsecretSchema()
                      at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyring
                   Accessor.Write(Byte[] data)
                      at Microsoft.Identity.Client.Extensions.Msal.Storage.Veri
                   fyPersistence()
                      --- End of inner exception stack trace ---
                      at Microsoft.Identity.Client.Extensions.Msal.Storage.Veri
                   fyPersistence()
                      at Microsoft.Identity.Client.Extensions.Msal.MsalCacheHel
                   per.VerifyPersistence()
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lCacheHelperWrapper.VerifyPersistence()
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.GetCacheHelperAsync(Boolean async, CancellationToken
                    cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.GetCacheHelperAsync(Boolean async, CancellationToken
                    cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.RegisterCache(Boolean async, ITokenCache tokenCache,
                    CancellationToken cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lClientBase`1.GetClientAsync(Boolean async, CancellationToke
                   n cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lConfidentialClient.AcquireTokenForClientCoreAsync(String[] 
                   scopes, String tenantId, Boolean async, CancellationToken ca
                   ncellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lConfidentialClient.AcquireTokenForClientAsync(String[] scop
                   es, String tenantId, Boolean async, CancellationToken cancel
                   lationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Cli
                   entAssertionCredential.GetTokenAsync(TokenRequestContext req
                   uestContext, CancellationToken cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.MsalAccessTo
                   ken.GetAccessTokenAsync(String callerClassName, String param
                   etersLog, TokenCredential tokenCredential, TokenRequestConte
                   xt requestContext, CancellationToken cancellationToken, Stri
                   ng tenantId, String userId, String homeAccountId)
                      at Microsoft.Azure.Commands.Common.Authentication.Factori
                   es.AuthenticationFactory.Authenticate(IAzureAccount account,
                    IAzureEnvironment environment, String tenant, SecureString 
                   password, String promptBehavior, Action`1 promptAction, IAzu
                   reTokenCache tokenCache, String resourceId)
                      at Microsoft.Azure.Commands.ResourceManager.Common.RMProf
                   ileClient.AcquireAccessToken(IAzureAccount account, IAzureEn
                   vironment environment, String tenantId, SecureString passwor
                   d, String promptBehavior, Action`1 promptAction, String reso
                   urceId)
                      at Microsoft.Azure.Commands.ResourceManager.Common.RMProf
                   ileClient.Login(IAzureAccount account, IAzureEnvironment env
                   ironment, String tenantIdOrName, String subscriptionId, Stri
                   ng subscriptionName, SecureString password, Boolean skipVali
                   dation, IOpenIDConfiguration openIDConfigDoc, Action`1 promp
                   tAction, String name, Boolean shouldPopulateContextList, Int
                   32 maxContextPopulation, String authScope)
Message          : Persistence check failed. Inspect inner exception for detail
                   s
StackTrace       :    at Microsoft.Identity.Client.Extensions.Msal.Storage.Veri
                   fyPersistence()
                      at Microsoft.Identity.Client.Extensions.Msal.MsalCacheHel
                   per.VerifyPersistence()
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lCacheHelperWrapper.VerifyPersistence()
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.GetCacheHelperAsync(Boolean async, CancellationToken
                    cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.GetCacheHelperAsync(Boolean async, CancellationToken
                    cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Tok
                   enCache.RegisterCache(Boolean async, ITokenCache tokenCache,
                    CancellationToken cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lClientBase`1.GetClientAsync(Boolean async, CancellationToke
                   n cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lConfidentialClient.AcquireTokenForClientCoreAsync(String[] 
                   scopes, String tenantId, Boolean async, CancellationToken ca
                   ncellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Msa
                   lConfidentialClient.AcquireTokenForClientAsync(String[] scop
                   es, String tenantId, Boolean async, CancellationToken cancel
                   lationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.Identity.Cli
                   entAssertionCredential.GetTokenAsync(TokenRequestContext req
                   uestContext, CancellationToken cancellationToken)
                      at Microsoft.Azure.PowerShell.Authenticators.MsalAccessTo
                   ken.GetAccessTokenAsync(String callerClassName, String param
                   etersLog, TokenCredential tokenCredential, TokenRequestConte
                   xt requestContext, CancellationToken cancellationToken, Stri
                   ng tenantId, String userId, String homeAccountId)
                      at Microsoft.Azure.Commands.Common.Authentication.Factori
                   es.AuthenticationFactory.Authenticate(IAzureAccount account,
                    IAzureEnvironment environment, String tenant, SecureString 
                   password, String promptBehavior, Action`1 promptAction, IAzu
                   reTokenCache tokenCache, String resourceId)
                      at Microsoft.Azure.Commands.ResourceManager.Common.RMProf
                   ileClient.AcquireAccessToken(IAzureAccount account, IAzureEn
                   vironment environment, String tenantId, SecureString passwor
                   d, String promptBehavior, Action`1 promptAction, String reso
                   urceId)
                      at Microsoft.Azure.Commands.ResourceManager.Common.RMProf
                   ileClient.Login(IAzureAccount account, IAzureEnvironment env
                   ironment, String tenantIdOrName, String subscriptionId, Stri
                   ng subscriptionName, SecureString password, Boolean skipVali
                   dation, IOpenIDConfiguration openIDConfigDoc, Action`1 promp
                   tAction, String name, Boolean shouldPopulateContextList, Int
                   32 maxContextPopulation, String authScope)
HelpLink         : 
ErrorDetails     : 
ErrorCategory    : CloseError: (:) [Connect-AzAccount], ArgumentNullException
InvocationInfo   : System.Management.Automation.InvocationInfo
ScriptStackTrace : at <ScriptBlock>, /home/docker/actions-runner/_work/_temp/45
                   c02185-83e4-4dc2-98b3-43a024bcc428.ps1: line 23
                   at <ScriptBlock>, <No file>: line 1

InnerException   : False
Exception        : System.DllNotFoundException: Unable to load shared library '
                   libsecret-1.so.0' or one of its dependencies. In order to he
                   lp diagnose loading problems, consider using a tool like str
                   ace. If you're using glibc, consider setting the LD_DEBUG en
                   vironment variable: 
                   /opt/microsoft/powershell/7/libsecret-1.so.0.so: cannot open
                    shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/libsecret-1.so.0.so: cannot o
                   pen shared object file: No such file or directory
                   /opt/microsoft/powershell/7/liblibsecret-1.so.0.so: cannot o
                   pen shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/liblibsecret-1.so.0.so: canno
                   t open shared object file: No such file or directory
                   /opt/microsoft/powershell/7/libsecret-1.so.0: cannot open sh
                   ared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/libsecret-1.so.0: cannot open
                    shared object file: No such file or directory
                   /opt/microsoft/powershell/7/liblibsecret-1.so.0: cannot open
                    shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/liblibsecret-1.so.0: cannot o
                   pen shared object file: No such file or directory

                      at Microsoft.Identity.Client.Extensions.Msal.Libsecret.se
                   cret_schema_new(String name, Int32 flags, String attribute1,
                    Int32 attribute1Type, String attribute2, Int32 attribute2Ty
                   pe, IntPtr end)
                      at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyring
                   Accessor.GetLibsecretSchema()
                      at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyring
                   Accessor.Write(Byte[] data)
                      at Microsoft.Identity.Client.Extensions.Msal.Storage.Veri
                   fyPersistence()
Message          : Unable to load shared library 'libsecret-1.so.0' or one of i
                   ts dependencies. In order to help diagnose loading problems,
                    consider using a tool like strace. If you're using glibc, c
                   onsider setting the LD_DEBUG environment variable: 
                   /opt/microsoft/powershell/7/libsecret-1.so.0.so: cannot open
                    shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/libsecret-1.so.0.so: cannot o
                   pen shared object file: No such file or directory
                   /opt/microsoft/powershell/7/liblibsecret-1.so.0.so: cannot o
                   pen shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/liblibsecret-1.so.0.so: canno
                   t open shared object file: No such file or directory
                   /opt/microsoft/powershell/7/libsecret-1.so.0: cannot open sh
                   ared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/libsecret-1.so.0: cannot open
                    shared object file: No such file or directory
                   /opt/microsoft/powershell/7/liblibsecret-1.so.0: cannot open
                    shared object file: No such file or directory
                   /usr/local/share/powershell/Modules/Az.Accounts/2.12.5/Start
                   upScripts/../lib/netcoreapp3.1/liblibsecret-1.so.0: cannot o
                   pen shared object file: No such file or directory

StackTrace       :    at Microsoft.Identity.Client.Extensions.Msal.Libsecret.se
                   cret_schema_new(String name, Int32 flags, String attribute1,
                    Int32 attribute1Type, String attribute2, Int32 attribute2Ty
                   pe, IntPtr end)
                      at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyring
                   Accessor.GetLibsecretSchema()
                      at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyring
                   Accessor.Write(Byte[] data)
                      at Microsoft.Identity.Client.Extensions.Msal.Storage.Veri
                   fyPersistence()
HelpLink         : 
ErrorDetails     : 
ErrorCategory    : CloseError: (:) [Connect-AzAccount], ArgumentNullException
InvocationInfo   : System.Management.Automation.InvocationInfo
ScriptStackTrace : at <ScriptBlock>, /home/docker/actions-runner/_work/_temp/45
                   c02185-83e4-4dc2-98b3-43a024bcc428.ps1: line 23
                   at <ScriptBlock>, <No file>: line 1

DEBUG: 17:26:28 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.12.5; CommandName: Resolve-AzError; PSVersion: 7.3.6; IsSuccess: True; Duration: 00:00:00.1913811
DEBUG: 17:26:28 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 17:26:28 - ResolveError end processing.

isra-fel commented 1 year ago

Hey @msJinLei I see "Could not find tenant id for provided tenant domain 'xxx'." in the result of Resolve-AzError (where xxx is a GUID). Could this be related to the updates we made last sprint about parsing domains?

v2kiran commented 11 months ago

Any update on this?

msJinLei commented 10 months ago

> Hey @msJinLei I see "Could not find tenant id for provided tenant domain 'xxx'." in the result of Resolve-AzError (where xxx is a GUID). Could this be related to the updates we made last sprint about parsing domains?

The reported error is ---> System.DllNotFoundException: Unable to load shared library 'libsecret-1.so.0' or one of its dependencies. In order to help diagnose loading problems, consider using a tool like strace. If you're using glibc, consider setting the LD_DEBUG environment variable: But no new dependency is added for the latest change.

@v2kiran could you provide information about github action (here is an example https://github.com/Azure/azure-powershell/issues/20720) you are using so that we can reproduce your case, thanks

v2kiran commented 10 months ago

@msJinLei - sure. Here is the workflow file:


name: oidc-ps

# Required for OIDC
permissions:
  id-token: write
  contents: read

env:
  ARM_CLIENT_ID:       ${{ secrets.AZURE_CLIENT_ID }}
  ARM_ENVIRONMENT:     public
  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
  ARM_TENANT_ID:       ${{ secrets.AZURE_TENANT_ID }}
  CLIENT_ID: ${{ secrets.CLIENT_ID }}

on:
  workflow_dispatch:
  push:
    branches:
        - 'main'
        - 'releases/**'
jobs:
  OIDCPSLogin:
    name: Login using PS OIDC
    runs-on: DEV-ACI
    environment:
      name: dev
    steps:
      - uses: actions/checkout@v2

      - name: Login using oidc
        shell: pwsh
        run: |
            $Audience = "api://AzureADTokenExchange"
            $GitToken = $env:ACTIONS_ID_TOKEN_REQUEST_TOKEN
            $GitTokenUrl = $env:ACTIONS_ID_TOKEN_REQUEST_URL
            $apiUrl = "{0}&audience={1}" -f $GitTokenUrl, $Audience
            $jwt_tokens = Invoke-RestMethod $apiUrl -Headers @{Authorization = ("bearer {0}" -f $GitToken)}
            Write-Host "GitHub JWT url: $apiUrl"
            Write-Host "GitHub JWT payload:"
            $federatedToken = ($jwt_tokens.Value -split "\.")[1]
            if(($federatedToken.Length % 4) -ne 0) {
              $federatedToken = $federatedToken.PadRight($federatedToken.Length + 4 - ($federatedToken.Length % 4), "=")
            }
            [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($federatedToken)) | convertfrom-json | convertto-json # Pretty print
            Disable-AzContextAutosave -Scope Process
            try
            {
              Connect-azaccount -TenantId ${{ env.ARM_TENANT_ID }} -ApplicationId ${{ env.ARM_CLIENT_ID }} -federatedtoken $GitToken -ServicePrincipal -erroraction stop
            }
            catch{
              get-error -newest 1
              resolve-azerror
              write-verbose "psversiontable"
              $psversiontable | out-string
              write-verbose "az modules"
              get-module az*
            }
      - name: Get secrets - Job__az_oidc_tst__Step-3
        uses: azure/powershell@v1
        with:
          inlineScript: |
            get-azresourcegroup | select -first 1 | out-string
          azPSVersion: "latest"
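
An added example (not part of the original comment and not Az.Accounts code): a stand-alone pre-flight check for the claims of a GitHub Actions OIDC token. It translates the base64url alphabet before decoding, which the padding-only approach in the workflow above does not do, so `FromBase64String` no longer throws when the segment contains `-` or `_`. The function names, the expected subject and the sample token are constructed for illustration.

```powershell
# Added example: pre-flight check of GitHub OIDC token claims before login.
# It does NOT verify the signature; Microsoft Entra ID does that on exchange.
# Function names and the sample token are constructed for illustration.

function ConvertFrom-Base64Url([string]$Segment) {
    # JWT segments use the URL-safe alphabet without '=' padding (RFC 7515).
    $b64 = $Segment.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length.' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-JwtClaims([string]$Jwt) {
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw "Expected 3 JWT segments, got $($parts.Count)." }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Get-ClaimProblems($Claims, [string]$ExpectedSubject) {
    $problems = @()
    # Issuer used by github.com-hosted Actions.
    if ($Claims.iss -ne 'https://token.actions.githubusercontent.com') {
        $problems += "unexpected iss '$($Claims.iss)'"
    }
    if ($Claims.aud -ne 'api://AzureADTokenExchange') {
        $problems += "unexpected aud '$($Claims.aud)'"
    }
    # The subject must match the federated credential on the app registration exactly.
    if ($Claims.sub -cne $ExpectedSubject) {
        $problems += "sub '$($Claims.sub)' does not match '$ExpectedSubject'"
    }
    if ([DateTimeOffset]::FromUnixTimeSeconds([long]$Claims.exp) -le [DateTimeOffset]::UtcNow) {
        $problems += 'token is expired'
    }
    , $problems   # unary comma keeps the result an array even with 0 or 1 entries
}

# Constructed sample: header and signature are dummies, only the payload matters here.
$payload = '{"iss":"https://token.actions.githubusercontent.com","aud":"api://AzureADTokenExchange",' +
           '"sub":"repo:example-org/example-repo:environment:dev","exp":4102444800}'
$segment = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payload)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
$sampleJwt = "e30.$segment.c2ln"

# The sample subject names environment 'dev'; checking against 'prod' reports the mismatch.
Get-ClaimProblems (Get-JwtClaims $sampleJwt) 'repo:example-org/example-repo:environment:prod'
```

In the workflow above the JWT is `$jwt_tokens.Value`; `Connect-AzAccount -FederatedToken` takes that JWT rather than the request bearer token in `$env:ACTIONS_ID_TOKEN_REQUEST_TOKEN`.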

IsaacCalligeros95 commented 9 months ago

We're experiencing this same issue, are there any updates?

IsaacCalligeros95 commented 5 months ago

Any updates on this? Using Disable-AzContextAutosave is a fairly common practice in CI/CD pipelines. We have a number of customers running into this problem and our only recommendation is to downgrade to earlier versions.

msJinLei commented 5 months ago

Root Cause

In the client assertion login flow, when the token cache option is set to be in memory, the following condition should be hit: https://github.com/Azure/azure-powershell/blob/a710e74ca88d6733b98affc7cc1f158ea296f9dd/src/Accounts/Authentication/Identity/TokenCache.cs#L90

The object we passed is inherited from Azure.Identity.UnsafeTokenCacheOptions while the type above is Microsoft.Azure.PowerShell.Authenticators.Identity.UnsafeTokenCacheOptions. That's why the condition is not hit.

The reason we create a new UnsafeTokenCacheOptions in the namespace Microsoft.Azure.PowerShell.Authenticators.Identity is that the assignment cannot be executed if the UnsafeTokenCacheOptions is not in the same package as the internal class TokenCache: https://github.com/Azure/azure-powershell/blob/a710e74ca88d6733b98affc7cc1f158ea296f9dd/src/Accounts/Authentication/Identity/TokenCache.cs#L92 https://github.com/Azure/azure-powershell/blob/a710e74ca88d6733b98affc7cc1f158ea296f9dd/src/Accounts/Authentication/Identity/TokenCache.cs#L93

Solution

msJinLei commented 1 month ago

The issue will be fixed by https://github.com/Azure/azure-powershell/pull/25733. @YanaXu, could you follow this issue? Thanks