Azure / login

Connect to Azure

AADSTS700213: No matching federated identity record found for presented assertion subject #482

Closed cmckeen closed 1 month ago

cmckeen commented 2 months ago

Hello,

I'm attempting to run the login action like the following:

      - name: 'Azure CLI login'
        uses: azure/login@v2.1.0
        with:
          client-id: ${{ env.AZURE_CLIENT_ID }}
          tenant-id: ${{ env.AZURE_TENANT_ID }}
          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
          allow-no-subscriptions: ${{ env.AZURE_SUBSCRIPTION_ID == '' }}

This results in the following workflow output:

Run azure/login@v2.1.0
  with:
    client-id: af3110ba-0ba9-4412-b1a0-59f50b7e9273
    tenant-id: 4ecd6548-e33b-4b9d-9986-bd3c229846c6
    subscription-id: 868ab87f-fc57-46b2-8815-9b80a74b8922
    allow-no-subscriptions: false
    enable-AzPSSession: false
    environment: azurecloud
    audience: api://AzureADTokenExchange
    auth-type: SERVICE_PRINCIPAL

    TF_VERSION: 1.7.2
    TERRAFORM_CLI_PATH: /home/runner/work/_temp/5c8890e9-be42-448a-b592-0c145970d127
Running Azure CLI Login.
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Federated token details:
 issuer - https://token.actions.githubusercontent.com
 subject claim - repo:meltwater/meltwater-chatbot:environment:dev
Attempting Azure CLI login by using OIDC...
Error: AADSTS700213: No matching federated identity record found for presented assertion subject 'repo:meltwater/meltwater-chatbot:environment:dev'. Please note that the matching is done using a case-sensitive comparison. Check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://learn.microsoft.com/entra/workload-id/workload-identity-federation Trace ID: 41fb5824-9328-45a0-80cb-93bb24642400 Correlation ID: 865b8b30-d5bc-4fb4-baeb-0d71a3745774 Timestamp: 2024-09-03 19:34:44Z

Error: Interactive authentication is needed. Please run:
az login

Error: Login failed with Error: The process '/usr/bin/az' failed with exit code 1. Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information.

I've confirmed that the client-id, tenant-id, and subscription-id are all correct. The client-id corresponds with this managed identity's federated credential:

[Screenshot 2024-09-06 at 3:59:29 PM: federated credential configuration of the managed identity]

From what I can tell, the requested assertion subject repo:meltwater/meltwater-chatbot:environment:dev is present in the federated credential, so I'm not sure why it is not being recognized. Any assistance would be greatly appreciated!
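The error above says Entra matched the presented assertion's subject, audience and issuer against the federated credential records and found none that agree, and that the subject comparison is case-sensitive. The following checker is an added example written for this thread; it is not code from the azure/login action or from Microsoft. It derives the default subject claim GitHub puts in a workflow's OIDC token (environment, pull_request or ref form, in that order of precedence), then compares it against a list of credential records the way Entra does, and explains near misses (case-only differences, same repository but a different scope form, wrong issuer or audience). The credential records and repository names are constructed sample data; the field names `name`, `issuer`, `subject` and `audiences` are this example's own, not an Azure API.

```python
# Added diagnostic for GitHub -> Entra workload identity federation.
# Not code from the azure/login action; credential records are constructed samples.

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
DEFAULT_AUDIENCE = "api://AzureADTokenExchange"


def github_subject(repo, environment=None, event=None, ref=None):
    """Return the default subject claim GitHub places in a workflow's OIDC token.

    Precedence follows GitHub's documented defaults: a job that targets an
    environment gets the environment form, a pull_request event gets the
    pull_request form, anything else gets the ref (branch or tag) form.
    """
    if environment:
        return f"repo:{repo}:environment:{environment}"
    if event == "pull_request":
        return f"repo:{repo}:pull_request"
    if ref:
        return f"repo:{repo}:ref:{ref}"
    raise ValueError("need an environment, a pull_request event, or a ref")


def diagnose(assertion, credentials):
    """Compare one presented assertion against configured federated credentials.

    assertion:   {"iss": issuer, "sub": subject, "aud": audience} from the token
    credentials: list of {"name", "issuer", "subject", "audiences"} records
                 (a hypothetical shape for this example, not the Azure API)
    Returns (name of the matching record or None, list of human-readable findings).
    A record matches only if issuer and subject are byte-for-byte equal and the
    token audience is in the record's audience list, mirroring the case-sensitive
    comparison the AADSTS700213 message describes.
    """
    findings = []
    for cred in credentials:
        label = cred["name"]
        if cred["issuer"] != assertion["iss"]:
            findings.append(f"{label}: issuer {cred['issuer']!r} != token issuer {assertion['iss']!r}")
            continue
        if assertion["aud"] not in cred["audiences"]:
            findings.append(f"{label}: token audience {assertion['aud']!r} not in {cred['audiences']!r}")
            continue
        if cred["subject"] == assertion["sub"]:
            return label, findings
        if cred["subject"].lower() == assertion["sub"].lower():
            findings.append(f"{label}: subject differs only by case "
                            f"({cred['subject']!r} vs {assertion['sub']!r}); matching is case-sensitive")
        elif cred["subject"].split(":")[:2] == assertion["sub"].split(":")[:2]:
            findings.append(f"{label}: same repository but different scope form "
                            f"({cred['subject']!r} vs {assertion['sub']!r}); check environment vs ref")
        else:
            findings.append(f"{label}: subject {cred['subject']!r} does not match {assertion['sub']!r}")
    return None, findings


if __name__ == "__main__":
    # Constructed sample: two credentials on one identity, one with a case slip.
    sample_credentials = [
        {"name": "dev-env", "issuer": GITHUB_ISSUER,
         "subject": "repo:example-org/example-repo:environment:Dev",
         "audiences": [DEFAULT_AUDIENCE]},
        {"name": "main-branch", "issuer": GITHUB_ISSUER,
         "subject": "repo:example-org/example-repo:ref:refs/heads/main",
         "audiences": [DEFAULT_AUDIENCE]},
    ]
    token = {"iss": GITHUB_ISSUER,
             "sub": github_subject("example-org/example-repo", environment="dev"),
             "aud": DEFAULT_AUDIENCE}
    matched, notes = diagnose(token, sample_credentials)
    print("matched:", matched)
    for note in notes:
        print(" -", note)
```

To use it against a real identity, paste the `subject claim` line the action prints into `sub` and the `Subject`, `Issuer` and `Audience` values from each federated credential in the portal into the records; the findings list then names the record that is closest and why it still fails.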

YanaXu commented 1 month ago

Hi @cmckeen, the federated credential page looks fine. Could you also share the screenshot of the managed identity metadata? I want to check if you're using the right subscription id, tenant id and user managed identity client id.

cmckeen commented 1 month ago

Sure, I believe this is what you're looking for below. One thing you'll notice is that the subscription ID is different from what is being passed into the login action. The reason for this is that the managed identity has an Azure role assignment of Owner on the subscription_id that we're specifying (the one we're desiring to interact with), but the identity itself does not belong to that subscription. I'm wondering now if that's correct and we should instead be specifying the subscription_id of the identity itself.

[Screenshot 2024-09-09 at 5:29:37 PM: managed identity overview]

YanaXu commented 1 month ago

Hi @cmckeen,

I can't tell where the configuration is wrong. What I can see from above:

Could you double confirm if

cmckeen commented 1 month ago

[Screenshot 2024-09-10 at 11:44:18 AM]

tenant-id: 4ecd6548-e33b-4b9d-9986-bd3c229846c6 matches configuration (I did have a copy/paste error that I found in my originally posted output - I've corrected this in my edit and confirmed in the original workflow that this does indeed match the tenant-id).

Confirmed that the managed identity has the Contributor permission on that subscription-id.

I am closing this issue out though - the user that I'm working with found an alternative pipeline that is working that I don't know the details of and does not wish to continue troubleshooting here. Thanks for your help!

CodePhys commented 1 month ago

I'm having a lot of issues deploying my test API to Azure using continuous deployment; it cannot log in to Azure correctly. Could anyone help me? Thanks. [image]

YanaXu commented 1 month ago

Hi @CodePhys, please search for similar issues in this repo (including the closed issues). I think it's because the federated credential configuration or GitHub environment is not correct or does not match. If you can't find the reason, please create a new issue with all screenshots like this issue. Please note: this issue is closed and we may miss new comments in closed issues.