Unable to fetch registration token for existing host pool to join session hosts

[Preethi-CS]

Bicep Code

resource hPool 'Microsoft.DesktopVirtualization/hostPools@2021-07-12' existing = {
  name: hostPoolName
}

output token string = hPool.properties.registrationInfo.token

Affected Resource Microsoft.DesktopVirtualization/hostPools@2021-07-12

Expected Behaviour The value of hPool.properties.registrationinfo.token should be a valid registration token.

Actual Behaviour New-AzResourceGroupDeployment : 1:00:13 PM - The deployment 'test' failed with error(s). Showing 1 out of 1 error(s). Status Message: The template output 'token' is not valid: The language expression property 'token' can't be evaluated.. (Code:DeploymentOutputEvaluationFailed) CorrelationId: 458cdda3-72f6-4200-8023-ddf21a786c4b At line:1 char:1

• New-AzResourceGroupDeployment -ResourceGroupName vmrg -TemplateFile . ...

• 
  + CategoryInfo          : NotSpecified: (:) [New-AzResourceGroupDeployment], Exception
  + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet

Steps to reproduce New-AzResourceGroupDeployment -ResourceGroupName <> -TemplateFile main.bicep The token is no longer accessible. Without the token, we can't add hosts to the host pool.

[alex-frankel]

A couple of things going on here, I'm guessing because the value of token is a secret.

• Because token has a value of null, but the output type is string, you get a type mismatch and the deployment fails. I'm not sure I know a way around this, other than to emit the entire parent object (output registrationInfo object = hPool.properties). If this token is a secret, we'd recommend the property be marked as write-only in the RP API spec and the property should not be returned in the response at all. The current behavior may be an ARM RPC violation.
• If token is a secret, it should be exposed with a list* post API. Something like listToken, which would be a safe way to retrieve the secret (including with bicep where you could do hPool.listToken()).

I can pass this along to the relevant RP team, but I would also recommend opening a support case for this issue and for it to be routed to the team that manages this resource type.

[Preethi-CS]

I already logged a case with support. They're the ones to suggest raising it as an issue in GitHub.

On Wed, 2 Mar 2022, 10:54 am Alex Frankel, @.***> wrote:

A couple of things going on here, I'm guessing because the value of token is a secret.

• Because token has a value of null, but the output type is string, you get a type mismatch and the deployment fails. I'm not sure I know a way around this, other than to emit the entire parent object (output registrationInfo object = hPool.properties). If this token is a secret, we'd recommend the property be marked as write-only in the RP API spec and the property should not be returned in the response at all. The current behavior may be an ARM RPC violation.
• If token is a secret, it should be exposed with a list* post API. Something like listToken, which would be a safe way to retrieve the secret (including with bicep https://docs.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions-resource#list where you could do hPool.listToken()).

I can pass this along to the relevant RP team, but I would also recommend opening a support case for this issue and for it to be routed to the team that manages this resource type.

— Reply to this email directly, view it on GitHub https://github.com/Azure/bicep-types-az/issues/2023, or unsubscribe https://github.com/notifications/unsubscribe-auth/AQUDDXSS2KKCXAB3LV7RRNTU52U3ZANCNFSM5PVJY5TQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

You are receiving this because you authored the thread.Message ID: @.***>

[alex-frankel]

Feel free to recommend to them they get in touch with me at alfran@microsoft.com if they need more context. It is not possible for this to be fixed at the bicep level. It is entirely an issue with the resource provider.

[Preethi-CS]

Done.

By the way, output token object = hpool.properties returns registrationinfo:null.

On Wed, 2 Mar 2022, 11:12 am Alex Frankel, @.***> wrote:

Feel free to recommend to them they get in touch with me at @.*** if they need more context. It is not possible for this to be fixed at the bicep level. It is entirely an issue with the resource provider.

— Reply to this email directly, view it on GitHub https://github.com/Azure/bicep-types-az/issues/2023, or unsubscribe https://github.com/notifications/unsubscribe-auth/AQUDDXQXR4SAFG5PNU6N26TU52XAJANCNFSM5PVJY5TQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

You are receiving this because you authored the thread.Message ID: @.***>

[rbnmk]

@Preethi-CS

Did you get any response about this? This used to work like a charm but is now broken unfortunately..

[prestond123]

This was working for me too for a long time (months) - last success was as recent as 2nd Nov 22 - but has stopped working really recently, as when i ran this on 8th Nov and today 10th Nov it now returns: registrationinfo:null

I cant see any changes to the docs to indicate this has been removed from the resource response.

How should I go about raising a ticket for this. Who's the responsible team/owners. Thanks.

[alex-frankel]

The responsible team is the DesktopVirtualization/hostPools resource provider team. You should be able to provide that detail in the support case and support should then be able to route it to the right spot.

[prestond123]

The responsible team is the DesktopVirtualization/hostPools resource provider team. You should be able to provide that detail in the support case and support should then be able to route it to the right spot.

Alex appreciate this - thanks for the speedy response. I have forwarded details in our support ticket.

As a workaround - I have added a bicep template module that queries the hostpool registration key, using powershell (Get-AzWvdHostPoolRegistrationToken) in a Microsoft.Resources/deploymentScripts, which it returns as an output. Ref: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-script-bicep

[bendiksygnestveit]

@prestond123

Thanks for this thread and information on workaround, saved me a lot of time. Any chance you could post a sample of the deploymentscript you ran? A bit new to this and struggling to get the correct configuration.

[prestond123]

Hi - I was using:

Microsoft.DesktopVirtualization/hostPools@2021-07-12

And this was working fine - From before June - until end of November, but now no longer works.

Ms support suggested using the older Microsoft.DesktopVirtualization/hostPools@2021-01-14-preview as their validation tests shows this as working.

I'm not sure why a newer "non-preview" version of the API would stop working - or if it is advisable to change to an older API version, and/or use a preview version, but this older preview version does still work.

@bendiksygnestveit try this first too.

[shenglol]

...and the support ticket eventually got transferred to our team 😅. I ran a quick test with Azure REST API browser. It turns out that the RP's PUT response schema doesn't match their GET response schema. In the PUT response, registrationInfo is always an object, while in the GET response, it is null.

PUT response:

GET response:

The reason why the output stopped working in early November is because we changed the emitter to always add API versions to resource references, so that each reference uses the response from a GET call instead of PUT request.

The RP will have to fix their service so that GET response schema is consistent with PUT response schema. I'll transfer the support ticket back the RP.

[shenglol]

Had an offline discussion with the RP and learned that the registrationToken property is a secret, which means it should not be accessed directly anyway. The recommended way to access a secret property is to use the list* function. The RP does expose a POST method retrieveRegistrationToken for getting registrationToken, but since the method name doesn't start with list, it won't work with Bicep / ARM templates. To fix the issue the RP will need to:

• Mark the registrationToken as secret in Swagger to block direct access to the registrationToken property
• Expose a new listRegistrationToken API so that we can call hostpools.listRegistrationToken() in Bicep to access the property.

[prestond123]

Having the token accessed via list* would be great. I originally had a template to build the host pool, workspace, application group etc. - but wasn't comfortable passing the token out as an output as this is "more" visible in the Azure UI - I ended up moving the host pool resources backup to the parent template to avoid this, where I could pass to a VM template as a secret.

What sort of release timespan would we expect for this change, understanding this is with RP, but is security related?

[alex-frankel]

The DesktopVirtualization team will need to comment on timelines for the list* API. In the meantime, you should be able to do a non-idiomatic (and not advised) reference() call in bicep like so:

resource hPool 'Microsoft.DesktopVirtualization/hostPools@2021-07-12' existing = {
  name: hostPoolName
}

output token string = reference(hPool.id).registrationInfo.token

[bfrankMS]

+1 for the list* function thanks for the workaround - it worked for me.

[tw3lveparsecs]

workaround works for me but i had to specify the api version of 2021-01-14-preview. Any other api version seemed to fail.

output token string = reference(hPool.id, '2021-01-14-preview').registrationInfo.token

[nintendoMan]

Hi guys,

It seems to be atm so that NO possibility to get the token with BICEP and get sessionhost attached to the hostpool? At least I am not able to get this to be working.

If you have solution, please share, appriciate it!

---

Me

[bfrankMS]

this did it once for me: https://github.com/bfrankMS/AVD-PoC-InfraAsCode/blob/hostpoolnew/pipelines/hostpool/modules/hostpool.bicep https://github.com/bfrankMS/AVD-PoC-InfraAsCode/blob/hostpoolnew/pipelines/hostpool/avdcomplete.bicep

[nintendoMan]

@bfrankMS I got it work but do not understand what doing wrong. I will do some investigations comparing your code to mine!

Thanks Frank for sharing to me your solution!

[TiTi]

For some reason, moving the parameter from protectedSettings to settings worked! (as @bfrankMS did, plus using version 2021-02-01-preview )

[t-leblanc]

Had an offline discussion with the RP and learned that the registrationToken property is a secret, which means it should not be accessed directly anyway. The recommended way to access a secret property is to use the list* function. The RP does expose a POST method retrieveRegistrationToken for getting registrationToken, but since the method name doesn't start with list, it won't work with Bicep / ARM templates. To fix the issue the RP will need to:

• Mark the registrationToken as secret in Swagger to block direct access to the registrationToken property
• Expose a new listRegistrationToken API so that we can call hostpools.listRegistrationToken() in Bicep to access the property.

This

workaround works for me but i had to specify the api version of 2021-01-14-preview. Any other api version seemed to fail.

output token string = reference(hPool.id, '2021-01-14-preview').registrationInfo.token

This (now?) also works with more recent api versions.

Working solution:

resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2023-11-01-preview' { } output token string = reference(hostPool.id).registrationInfo.token

[Siegfried0]

this fix was working for more than a year for me... now I am getting 'The template output 'registrationToken' is not valid: The language expression property 'token' can't be evaluated.'

Is there a new fix for this? And is there a recommended method by microsoft for this? I think MS should commit to a supported method and stick to it at least within the api version. What's currently documented and/or working with api version X is not warranted to still work with version X tomorrow. (Or did I miss some kind of warning messages?)

[t-leblanc]

this fix was working for more than a year for me... now I am getting 'The template output 'registrationToken' is not valid: The language expression property 'token' can't be evaluated.'

Is there a new fix for this? And is there a recommended method by microsoft for this? I think MS should commit to a supported method and stick to it at least within the api version. What's currently documented and/or working with api version X is not warranted to still work with version X tomorrow. (Or did I miss some kind of warning messages?)

Since today I was facing the same problem. I think Microsoft did indeed change something. After some searching I was able to work around this by using the example for fetching the token as per described in the templates of @bfrankMS

But again worth to note this also works with more recent versions of the api.

[Boojapho]

I'm also seeing this issue now. I had been using reference(hostPool.id, '2021-01-14-preview').registrationInfo.token for several months without issues. Now it does not work. I've tried updating the api version, but it is still failing.

The only workaround that I can find is to pass the token as an output when the host pool is created. Then provide that as a parameter. Using existing just doesn't work.

[shenglol]

It appears that the RP has implemented our suggestion to remove registrationInfo.token from the GET response body, as seen in their recent Swagger RP: https://github.com/Azure/azure-rest-api-specs/pull/29676/files. While this change is breaking, it enhances security by eliminating the risk associated with exposing secret values in GET responses.

With this update, you can now retrieve the token using a function call in Bicep as follows:

var secret = hPool.listRegistrationTokens()[0]

Code IntelliSense for this function will be available in the next Bicep release once the az type package is updated to include the RP's Swagger update.

[JakobOchsenfeld]

Hey, as i apply this method i still get issues regarding the vm registration to the hostpool. Token is fine, logs are fine, api updated, but no hostpool registration.

I'm able to do the registration manually after the DSC has complete via: https://xenithit.blogspot.com/2021/04/reassign-wvd-personal-session-host.html

[slavizh]

@shenglol I wish that the RP team would had some time to do migration and notifying us instead of just cutting it off one day. I would assume we can use the function currently within Bicep and the only thing that is not implemented is intellisense, correct? Meaning would compiling Bicep to ARM work and will it be deployable to public Azure?

[picccard]

It appears that the RP has implemented our suggestion to remove registrationInfo.token from the GET response body, as seen in their recent Swagger RP: https://github.com/Azure/azure-rest-api-specs/pull/29676/files. While this change is breaking, it enhances security by eliminating the risk associated with exposing secret values in GET responses.

With this update, you can now retrieve the token using a function call in Bicep as follows:

var secret = hPool.listRegistrationTokens()[0]

Code IntelliSense for this function will be available in the next Bicep release once the az type package is updated to include the RP's Swagger update.

To expand on @shenglol comment: The function listRegistrationTokens() returns a list of objects with a token and the expirationTime:

[
  {
    "expirationTime": "2024-08-13T00:00:00Z",
    "token": "eyJh[REDACTED].eyJS[REDACTED].Kii[REDACTED]"
  }
]

Here is some usage with it:

output tokenList array = hostPool.listRegistrationTokens()
output tokenObj object = hostPool.listRegistrationTokens()[0]
output token string = first(hostPool.listRegistrationTokens()).token

[slavizh]

confirming that you do not need Bicep CLI update to work.

[mspretke]

var registrationToken = hPool.listRegistrationTokens()[0].token

This ended up working for me

[PoLongPL]

Hi, I updated the registrationInfo.token to listRegistrationTokens()[0] on the ARM template, but encountered an error on the BootLoader

The error message is : BootLoader exception:System.AggregateException: One or more errors occurred. ---> System.ArgumentException: IDX12729: Unable to decode the header 'PII of type 'System.String' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string. ---> System.Text.Json.JsonReaderException: 'K' is an invalid start of a value. LineNumber: 0 | BytePositionInLine: 0.

Has anyone experienced this error before? Thank you.

[jagiraud]

It seems like the output from listRegistrationTokens() changed, resulting in breaking the fix from two weeks ago.

var registrationToken = hPool.listRegistrationTokens()[0].token

This ended up working for me

This is the way: var registrationToken = first(hostpool.listRegistrationTokens().value).token

[HRading]

It seems like the output from listRegistrationTokens() changed, resulting in breaking the fix from two weeks ago.

var registrationToken = hPool.listRegistrationTokens()[0].token This ended up working for me

This is the way: var registrationToken = first(hostpool.listRegistrationTokens().value).token

And for those still using ARM: "registrationInfoToken": "[listRegistrationTokens(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('hostpoolResourceId'), '/')[2], split(parameters('hostpoolResourceId'), '/')[4]), 'Microsoft.DesktopVirtualization/hostPools', split(parameters('hostpoolResourceId'), '/')[8]), '2021-07-12').value[0].token]"