Azure / bicep

Bicep is a declarative language for describing and deploying Azure resources
MIT License

Bicep authentication issue on long running Azure operations. #11892

Open dozer75 opened 1 year ago

dozer75 commented 1 year ago

Bicep version

VS Code bicep: v0.21.1

Describe the bug

Some resources on Azure take a LONG time to finish, e.g. setting up API management in Sweden Central (1h 15m, I tried it twice with the same result). This causes the Bicep access token to time out during the process and stop working, which in turn causes our automatic deployments to fail.

Sure, you could say that this is an issue in Azure and that resources should not take that long to deploy, but the API Management documentation even warns that the operation takes a long time, and you will never know since this is out of our control.

My suggestion is that the Bicep CLI should try to refresh the access token either before the expiresIn value or when an authentication error occurs.

To Reproduce

Steps to reproduce the behavior: Execute a Bicep operation that takes a long time to finish (e.g. API management in swedencentral).

Here is an example script that caused the issue in swedencentral:

@description('The workload this deployment belongs to.')
param workload string
@description('The environment for this workload.')
param environment string
@description('The location where this workload should run.')
param location string

var name = toLower('apim-${workload}-${environment}-${location}-${uniqueString(resourceGroup().id)}')

resource apim 'Microsoft.ApiManagement/service@2022-08-01' = {
  name: name
  location: location
  sku: {
    name: 'Developer'
    capacity: 1
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    publisherEmail: 'info@someplace.com'
    publisherName: 'API Owner'
  }
}

Additional context

Bicep output in Visual Studio Code:

5:04:06 PM: Preparing for deployment of <Path>\main.bicep
5:04:06 PM: Scope specified in main.bicep -> subscription
5:04:14 PM: JSON Parameter file used in deployment -> <Path>\main.parameters.json
5:04:15 PM: JSON Parameter file used in deployment -> <Path>\main.parameters.json
5:04:21 PM: Deployment started for <Path>\main.bicep.
5:04:21 PM: View deployment in portal: https://portal.azure.com/#blade/HubsExtension/DeploymentDetailsBlade/overview/id/%2Fsubscriptions%2<subscriptionid>%2Fproviders%2FMicrosoft.Resources%2Fdeployments%2FAPISC-230919-1509.
5:23:09 PM: Deployment failed for <Path>\main.bicep. The access token expiry UTC time '9/19/2023 3:23:07 PM' is earlier than current UTC time '9/19/2023 3:23:09 PM'.
Status: 401 (Unauthorized)
ErrorCode: ExpiredAuthenticationToken

Content:
{"error":{"code":"ExpiredAuthenticationToken","message":"The access token expiry UTC time '9/19/2023 3:23:07 PM' is earlier than current UTC time '9/19/2023 3:23:09 PM'."}}

Headers:
Cache-Control: no-cache
Pragma: no-cache
WWW-Authenticate: Bearer authorization_uri="https://login.windows.net/<GUID>", error="invalid_token", error_description="The access token has expired."
x-ms-failure-cause: REDACTED
x-ms-request-id: ed64d63b-8e5a-447c-a3bb-18d5027792d5
x-ms-correlation-request-id: ed64d63b-8e5a-447c-a3bb-18d5027792d5
x-ms-routing-request-id: SWEDENCENTRAL:20230919T152309Z:ed64d63b-8e5a-447c-a3bb-18d5027792d5
Strict-Transport-Security: REDACTED
X-Content-Type-Options: REDACTED
Date: Tue, 19 Sep 2023 15:23:08 GMT
Connection: close
Content-Type: application/json; charset=utf-8
Expires: -1
Content-Length: 172
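
The refresh behaviour suggested in the report above (renew before the recorded expiry, and again when the service answers with an authentication error), as an added example that is not part of the original issue or of the Bicep code base. The `RefreshingPoller` class, the `simulate` harness, its 60-minute token lifetime, 60-second server clock drift and the `Running` state are constructed for illustration; the 75-minute duration, the 401 status and the `ExpiredAuthenticationToken` code come from the report.

```python
import time

TERMINAL = {"Succeeded", "Failed", "Canceled"}  # terminal ARM provisioning states

class RefreshingPoller:
    """Hypothetical poller: watches a long deployment and renews its bearer token."""
    def __init__(self, get_token, get_status, skew=300, now=time.time, sleep=time.sleep):
        self._get_token, self._get_status = get_token, get_status
        self._skew, self._now, self._sleep = skew, now, sleep
        self._token, self.refreshes, self.retries = None, 0, 0

    def _bearer(self, force=False):
        # Proactive path: renew `skew` seconds before the recorded expiry.
        if force or self._token is None or self._now() >= self._token[1] - self._skew:
            self._token = self._get_token()  # (value, expires_on in epoch seconds)
            self.refreshes += 1
        return self._token[0]

    def wait(self, interval=30, max_polls=10_000):
        for _ in range(max_polls):
            status, body = self._get_status(self._bearer())
            if status == 401 and body.get("error", {}).get("code") == "ExpiredAuthenticationToken":
                # Reactive path: clock drift can expire a token early; renew and retry once.
                self.retries += 1
                status, body = self._get_status(self._bearer(force=True))
            if status != 200:
                raise RuntimeError(f"poll failed with HTTP {status}: {body}")
            state = body["properties"]["provisioningState"]
            if state in TERMINAL:
                return state
            self._sleep(interval)
        raise TimeoutError("deployment did not reach a terminal state")

def simulate(skew, duration=75 * 60, lifetime=60 * 60, server_ahead=60):
    """Constructed offline stand-in for the token issuer and ARM; no network access."""
    clock, issued = [0.0], {}
    def get_token():
        tok = (f"tok{len(issued)}", clock[0] + lifetime)
        issued[tok[0]] = tok[1]
        return tok
    def get_status(bearer):
        if clock[0] + server_ahead > issued[bearer]:  # server clock runs ahead of ours
            return 401, {"error": {"code": "ExpiredAuthenticationToken"}}
        state = "Succeeded" if clock[0] >= duration else "Running"
        return 200, {"properties": {"provisioningState": state}}
    def sleep(seconds):
        clock[0] += seconds  # advance the fake clock instead of waiting
    poller = RefreshingPoller(get_token, get_status, skew, now=lambda: clock[0], sleep=sleep)
    return poller.wait(), poller.refreshes, poller.retries
```

`simulate(skew=300)` completes with one proactive renewal and no rejected request. `simulate(skew=0)` shows why the reactive retry is still needed: the server clock rejects a token the client still believes valid, and the poller renews once and carries on.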

majastrz commented 1 year ago

@StephenWeatherford can you take a look at this and see if there's a bug in the SDK we're using? It seems like @dozer75 is using the right-click deploy experience based on the logs.

StephenWeatherford commented 1 year ago

Yeah, I don't think refreshing the token has been implemented. Although we haven't really tried to optimize the Azure deployment monitoring code at all, we're not really intending it to be a robust experience at the moment, which is why we output the link to the portal:

5:04:21 PM: View deployment in portal: https://portal.azure.com/#blade/HubsExtension/DeploymentDetailsBlade/overview/id/%2Fsubscriptions%2<subscriptionid>%2Fproviders%2FMicrosoft.Resources%2Fdeployments%2FAPISC-230919-1509.

So that becomes the obvious work-around until we get time to implement refreshing tokens.

majastrz commented 1 year ago

@StephenWeatherford how much work is it to add token expiration here?

puicchan commented 9 months ago

Bringing back to triage to discuss priority since Stephen doesn't have time to investigate and we have been pushing this sprint to sprint.

joeferreirapremera commented 8 months ago

The Bicep Deployment Pane seems to be impacted by this. I am running some pretty long vmss customscriptextension and it will time out.