Azure / login

Connect to Azure

Continuous Deploy of Container App suddenly fails after ownership transfer. #200

Closed timschonborn closed 2 years ago

timschonborn commented 2 years ago

(I posted this to azure/aci but was asked to reopen the issue here)

For some reason the 'deploy' step of the CI workflow keeps failing with the following error:

Run azure/login@v1
  with:
    creds: ***
    enable-AzPSSession: false
    environment: azurecloud
    allow-no-subscriptions: false
    audience: api://AzureADTokenExchange
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Error: : No subscriptions found for ***.

Error: Az CLI Login failed. Please check the credentials. For more information refer aka.ms/create-secrets-for-GitHub-workflows

The workflow.yml has automatically been created after enabling CI in the Azure Container Apps page. I have registered the application in AAD and added a secret to the CI. I can see that the secrets.AZURE_CREDENTIALS value is also updated together with the workflow (and the registry credentials) in the GitHub Secrets page. The App registration has the "Cloud application administrator" role. I've deleted and recreated the Container App & AAD registration multiple times without luck.

The only thing that comes to my mind is that 2 days ago ownership of the subscription was transferred to me, not sure if that could be causing any problems?

I've configured these workflows for a few GitHub repositories, including this repository without any issues so I'm really not sure what's going on. Maybe it's just me messing up somewhere in the process, please let me know if you have any ideas about what I could be doing wrong this time. Thanks!

Edit: I tried running the workflow with the allow-no-subscriptions: true setting, however, now the deployment fails a few steps later: ERROR: cli.azure.cli.core.azclierror: The containerapp 'actions-test-app' does not exist (created a new test Container App). While the app does exist?!

AjayKaleMS commented 2 years ago

Hi @tjschonborn - As the error is seen for an Azure Login failure, we would suggest you refer to the points below to solve the issue:

  1. Please refer to this documentation for using the azure/login action

  2. Please make sure you are using the az cli command below to generate the value of the secret variable, and use it in your workflow:

     az ad sp create-for-rbac --name "<any_name>" --sdk-auth --role contributor --scopes /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>

  3. Please make sure that the App registration has the "Contributor" role.

Please let us know if it resolves the issue or if you need any more information.

Thanks
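
A preflight check for the secret described in point 2 above, as an added example that is not part of the original thread or the azure/login project: it validates the JSON stored in AZURE_CREDENTIALS and, optionally, compares it with the output of `az account show -o json` for the subscription being deployed to. It assumes the four fields of the `--sdk-auth` output (clientId, clientSecret, subscriptionId, tenantId); `check_creds` and all sample values are hypothetical and constructed.

```python
import json
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
REQUIRED = ("clientId", "clientSecret", "subscriptionId", "tenantId")


def check_creds(creds_json, account_json=None):
    """Return a list of problems; field values are never echoed back."""
    try:
        creds = json.loads(creds_json)
    except json.JSONDecodeError as exc:
        return [f"secret is not valid JSON: {exc.msg}"]
    if not isinstance(creds, dict):
        return ["secret must be a JSON object"]

    problems = []
    for key in REQUIRED:
        value = creds.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing or empty field: {key}")
        elif key != "clientSecret" and not GUID.match(value):
            problems.append(f"{key} is not a GUID")

    if account_json:
        # `az account show` reports the subscription as "id" and its directory as "tenantId".
        account = json.loads(account_json)
        for cred_key, acct_key in (("subscriptionId", "id"), ("tenantId", "tenantId")):
            have, want = creds.get(cred_key), account.get(acct_key)
            if isinstance(have, str) and isinstance(want, str) and have.lower() != want.lower():
                problems.append(f"{cred_key} does not match `az account show` field {acct_key!r}")
    return problems


# Constructed sample values, not real identifiers.
GOOD_CREDS = json.dumps({
    "clientId": "11111111-1111-1111-1111-111111111111",
    "clientSecret": "constructed-sample-secret",
    "subscriptionId": "22222222-2222-2222-2222-222222222222",
    "tenantId": "44444444-4444-4444-4444-444444444444",
})
TARGET_ACCOUNT = json.dumps({"id": "22222222-2222-2222-2222-222222222222",
                             "tenantId": "44444444-4444-4444-4444-444444444444"})

if __name__ == "__main__":
    print(check_creds(GOOD_CREDS, TARGET_ACCOUNT) or "secret looks consistent")
```

A clean result only shows the secret is well-formed and aimed at the intended subscription and tenant; the role assignment from point 3 still has to exist on that scope.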

timschonborn commented 2 years ago

Hey @AjayKaleMS, thanks for getting back to me!

I ended up fixing the issue after completely deleting all app registrations and container apps and setting everything up from scratch. I did everything exactly the same as the last 10 times that didn't work so I'm still suspecting that maybe the ownership transfer resulted in some problem?

I just wanted to communicate again that the AutoDeployTrigger-xyz.yml file that contains the login action wasn't created by me but is automatically created and pushed to GitHub via the Azure Portal. Same for the secrets on GitHub, so I think it's unlikely that I messed up something there. For the App registration, I just followed an official MSFT tutorial post, and after comparing the functioning registration with the ones I had previously I fail to see any difference.

Anyways, might be something to look into if other users are experiencing similar problems. Thanks!

danielpcampagna commented 1 year ago

So, is this issue solved by deleting and setting everything up from scratch? I'm experiencing this same problem. My client secret had expired, then I created a new one (not by cli, but by the portal) and updated my GH secret variables. However, I've got the error:

[image]