Azure / cli

Automate your GitHub workflows using Azure CLI scripts
MIT License

Authorization not coming through from az/login #173

Open fwestling-ark opened 2 weeks ago

fwestling-ark commented 2 weeks ago

I have the following workflow:

jobs:
    fetch-secrets:
        runs-on: ubuntu-latest
        steps:
            - uses: actions/checkout@v4
              with:
                  submodules: true

            - name: Azure Login
              uses: azure/login@v2
              with:
                  creds: ${{ secrets.AZURE_CREDENTIALS }}

            - name: Fetch Secrets from Key Vault
              uses: azure/CLI@v2
              with:
                  inlineScript: |
                      IFS=',' read -r -a secret_names <<< "${{ inputs.kv-secrets }}"
                      IFS=',' read -r -a env_var_names <<< "${{ inputs.env-vars }}"
                      for i in "${!secret_names[@]}"; do
                        secret_name=${secret_names[$i]}
                        env_var_name=${env_var_names[$i]}
                        secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "${{ inputs.keyvault-name }}" --query value -o tsv)
                        echo "$env_var_name=$secret_value" >> $GITHUB_ENV
                      done

az/login succeeds with the message "Azure CLI login succeeds by using service principal with secret", and the service principal I have set up has the Key Vault Secrets User role in the key vault I'm targeting (and has had it for more than 48 hours). However, I get a "Caller is not authorized" response from the CLI (see below). Is it possible the CLI is not pulling in the authentication from the az/login action?

[Screenshot of the CLI error]

MoChilia commented 2 weeks ago

Please verify that the app you logged in with has the "Key Vault Secrets User" permission. The screenshot you provided shows "Assignment: (not found)". You can check the role assignment by running the following command:

az role assignment list --assignee <Your-app-id> --scope "/subscriptions/<Your-sub-id>/resourceGroups/<Your-rg-name>/providers/Microsoft.KeyVault/vaults/<Your-kv-name>"

fwestling-ark commented 6 days ago

It does have that permission, as I mentioned in the original post; that's why I'm wondering if it's failing to bring something through from the login action.

MoChilia commented 6 days ago

@fwestling-ark, you can run az account show in the azure/cli action to check if you are using the right account.
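The two checks suggested in this thread (az account show to confirm the identity, az role assignment list to confirm the role) combined into one pre-flight script for the azure/cli step; this is an added example, not code from either participant or from the azure/cli project. It assumes the vault uses the Azure RBAC permission model (the issue talks about the Key Vault Secrets User role), and the vault name is passed as the first argument.

```bash
#!/usr/bin/env bash
# Added example: run inside the azure/cli inlineScript before fetching secrets.
# Prints which identity az is actually using and fails fast, with a clear
# message, when that identity holds no secret-reading role on the vault.
set -eu

# Reads role definition names from stdin (one per line, e.g. the output of
# `az role assignment list ... --query "[].roleDefinitionName" -o tsv`) and
# returns 0 if any of them grants read access to secrets under Key Vault RBAC.
has_secret_read_role() {
  role=""
  while IFS= read -r role || [ -n "$role" ]; do
    case "$role" in
      "Key Vault Secrets User"|"Key Vault Secrets Officer"|"Key Vault Administrator")
        return 0 ;;
    esac
  done
  return 1
}

# Queries Azure for the signed-in identity and its assignments on the vault.
# Returns 1 (and prints a diagnostic) when no suitable role is found.
check_vault_access() {
  vault_name="$1"
  # For a service-principal login, user.name is the application (client) id.
  app_id=$(az account show --query user.name -o tsv)
  tenant=$(az account show --query tenantId -o tsv)
  echo "az is authenticated as ${app_id} in tenant ${tenant}"
  vault_id=$(az keyvault show --name "$vault_name" --query id -o tsv)
  # --include-inherited also counts roles granted at resource group or
  # subscription scope; assignments via group membership are not checked here.
  if az role assignment list --assignee "$app_id" --scope "$vault_id" \
       --include-inherited --query "[].roleDefinitionName" -o tsv \
     | has_secret_read_role; then
    echo "secret read role present on ${vault_id}"
  else
    echo "no Key Vault secrets role for ${app_id} on ${vault_id}" >&2
    return 1
  fi
}

# Usage: ./check.sh <vault-name>  (no argument: only define the functions)
if [ -n "${1:-}" ]; then
  check_vault_access "$1"
fi
```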