Azure / draft-classic

A tool for developers to create cloud-native applications on Kubernetes.
https://draft.sh
MIT License
3.92k stars 397 forks

Could not retrieve acr build's upload URL #847

Open ghost opened 5 years ago

ghost commented 5 years ago

I got an error when I ran draft up with the ACR builder. The console logs are as follows.

$ az login
Cloud Shell is automatically authenticated under the initial account signed-in with. Run 'az login' only if you need to use a different account
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code {xxxxxxx} to authenticate.
[
  {
    "cloudName": "AzureCloud",
    "id": "2fbbc791-6b0d-4d1a-aabf-{aaaaaaaaaaaa}",
    "isDefault": false,
    "name": "\u7121\u6599\u8a66\u7528\u7248",
    "state": "Enabled",
    "tenantId": "2c606659-30f9-4cb1-aa65-{xxxxxxxxxxxx}",
    "user": {
      "name": "monaka@example.com",
      "type": "user"
    }
  },
  {
    "cloudName": "AzureCloud",
    "id": "e000d296-c414-4552-a6b1-{bbbbbbbbbbbb}",
    "isDefault": true,
    "name": "Microsoft Azure Sponsorship",
    "state": "Enabled",
    "tenantId": "2c606659-30f9-4cb1-aa65-{xxxxxxxxxxxx}",
    "user": {
      "name": "monaka@example.com",
      "type": "user"
    }
  }
]
$ draft up
Draft Up Started: 'neutrino': 01CKCWE0RXXYQVS0GF4DSWK4FR
neutrino: Building Docker Image: FAIL ❌  (1.0003s)
Inspect the logs with `draft logs 01CKCWE0RXXYQVS0GF4DSWK4FR`
$ draft logs 01CKCWE0RXXYQVS0GF4DSWK4FR
2018/07/27 03:27:38 error while building: Could not retrieve acr build's upload URL: containerregistry.RegistriesClient#GetBuildSourceUploadURL: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="InvalidAuthenticationTokenTenant" Message="The access token is from the wrong issuer 'https://sts.windows.net/ac86c139-a432-4110-9521-{yyyyyyyyyyyy}/'. It must match the tenant 'https://sts.windows.net/2c606659-30f9-4cb1-aa65-{xxxxxxxxxxxx}/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/2c606659-30f9-4cb1-aa65-{xxxxxxxxxxxx}' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you justtransferred your subscription and see this error message, please try back later."

ghost commented 5 years ago

$ jq '.[] | { "_authority": ._authority }' < /tmp/accessTokens.json
{
  "_authority": "https://login.microsoftonline.com/common"
}
{
  "_authority": "https://login.microsoftonline.com/ac86c139-a432-4110-9521-{yyyyyyyyyyyy}"
}
{
  "_authority": "https://login.microsoftonline.com/2c606659-30f9-4cb1-aa65-{xxxxxxxxxxxx}"
}

It seems Draft picks up the wrong authority.

It works well after deleting the object that has "https://login.microsoftonline.com/ac86c139-a432-4110-9521-{yyyyyyyyyyyy}" as _authority.

My account shares my company's subscription. I suspect that is one of the reasons causing this issue.

bacongobbler commented 5 years ago

Just for reference, which account is considered the "default" when running az account list -o table? Using the Azure SDK for Go we are trying to pull the default subscription from the account, but if we're pulling the wrong account info then we should take a closer look.

ghost commented 5 years ago

The result of az account list -o table is:

A few accounts are skipped as they don't have 'Enabled' state. Use '--all' to display them.
Name                         CloudName    SubscriptionId                        State    IsDefault
---------------------------  -----------  ------------------------------------  -------  -----------
Microsoft Azure Sponsorship  AzureCloud   e000d296-c414-4552-a6b1-{bbbbbbbbbbbb}  Enabled  True

ghost commented 5 years ago

Tip: Run echo '[' $(az account get-access-token) ']' > /tmp/accessTokens.json after running az login. Only one access token is overridden, and I can run draft up without editing the accessTokens.json file.
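
The check discussed in this thread, as an added example that is not part of the issue or of Draft's code: it matches each token-cache entry's `_authority` against the tenant of the default subscription and separates the entries that can be used from the ones that cannot. The sample data, the tenant IDs and the function names are constructed for illustration, and the strict "same tenant only" rule is an assumed policy.

```python
import json
from urllib.parse import urlparse

# Constructed sample data: same shape as the `az login` output and the
# `_authority` field shown in the thread; tenant IDs are made up.
ACCOUNTS = json.loads("""[
  {"id": "sub-trial", "isDefault": false, "tenantId": "11111111-1111-1111-1111-111111111111"},
  {"id": "sub-sponsor", "isDefault": true, "tenantId": "11111111-1111-1111-1111-111111111111"}
]""")
TOKEN_CACHE = json.loads("""[
  {"_authority": "https://login.microsoftonline.com/common"},
  {"_authority": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222"},
  {"_authority": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111"}
]""")


def authority_tenant(authority):
    """Return the tenant segment of an authority URL, lower-cased."""
    path = urlparse(authority).path.strip("/")
    return path.split("/")[0].lower()


def default_tenant(accounts):
    """Tenant ID of the one subscription marked isDefault."""
    defaults = [a for a in accounts if a.get("isDefault")]
    if len(defaults) != 1:
        raise ValueError(f"expected one default subscription, got {len(defaults)}")
    return defaults[0]["tenantId"].lower()


def select_token_entries(accounts, cache):
    """Split cache entries into (usable, rejected) for the default subscription.

    Assumed policy: only an entry whose authority names the subscription's
    tenant is usable. The 401 InvalidAuthenticationTokenTenant in the log is
    what a token from any other issuer gets.
    """
    tenant = default_tenant(accounts)
    usable, rejected = [], []
    for entry in cache:
        same = authority_tenant(entry.get("_authority", "")) == tenant
        (usable if same else rejected).append(entry)
    return usable, rejected


if __name__ == "__main__":
    usable, rejected = select_token_entries(ACCOUNTS, TOKEN_CACHE)
    print("usable:  ", [e["_authority"] for e in usable])
    print("rejected:", [e["_authority"] for e in rejected])
```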