actions / runner-images

GitHub Actions runner images
MIT License

forced az login even when authenticated #10236

Open Xander-Rudolph opened 1 month ago

Xander-Rudolph commented 1 month ago

Description

When using ./helpers/GenerateResourcesAndImage.ps1, even when already authenticated, a login is forced if an identity is already provided.

https://github.com/actions/runner-images/blob/main/helpers/GenerateResourcesAndImage.ps1#L243

        # Login to Azure subscription
        if ([string]::IsNullOrEmpty($AzureClientId)) {
            Write-Verbose "No AzureClientId was provided, will use interactive login."
            az login --output none
        }
        else {
            Write-Verbose "AzureClientId was provided, will use service principal login."
            az login --service-principal --username $AzureClientId --password=$AzureClientSecret --tenant $AzureTenantId --output none
        }
        az account set --subscription $SubscriptionId
        if ($LastExitCode -ne 0) {
            throw "Failed to login to Azure subscription '$SubscriptionId'."
        }

Platforms affected

Runner images affected

Image version and build link

This issue doesn't affect runners, only runner provisioners.

Is it regression?

no

Expected behavior

When running the image create script, if already logged in, the current profile should be used.

Actual behavior

When logged in, az login should be skipped.

Repro steps

First login:

    az login

Then:

    Import-Module ./runner-images/helpers/GenerateResourcesAndImage.ps1
    GenerateResourcesAndImage -SubscriptionId $SUBSCRIPTION_ID -ResourceGroupName $RESOURCE_GROUP_NAME -ReuseResourceGroup -ImageGenerationRepositoryRoot ./runner-images -ImageType $IMAGETYPE -AzureLocation $REGION -Tag @{source='https://github.com/actions/runner-images'}

and an auth prompt will be shown

Suggested workaround (I've already tested this locally and with my pipelines and it works):

        # Login to Azure subscription
        # az is a native command: a failed call sets $LASTEXITCODE rather than
        # throwing, so test the exit code instead of relying on try/catch.
        az account show --output none 2>$null
        if ($LASTEXITCODE -eq 0) {
            Write-Warning "Already logged in..."
        }
        # Test the $AzureClientId parameter, the same value the login call uses.
        elseif ([string]::IsNullOrEmpty($AzureClientId)) {
            Write-Verbose "No AzureClientId was provided, will use interactive login."
            az login --output none
        }
        else {
            Write-Verbose "AzureClientId was provided, will use service principal login."
            az login --service-principal --username $AzureClientId --password=$AzureClientSecret --tenant $AzureTenantId --output none
        }

RaviAkshintala commented 1 month ago

@Xander-Rudolph Thank you for bringing this issue to us. We are looking into this issue and will update you on this issue after investigating.
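
An added example, not code from the issue or from runner-images: one way to decide whether a cached `az` session can be reused, checking the exit code of `az account show` and, when a service principal is supplied, that the cached session belongs to that principal. The function names `Get-AzSessionJson` and `Test-AzSessionReusable` are hypothetical, and the JSON sample is constructed.

```powershell
# Added example, not code from runner-images; function names are hypothetical.

function Get-AzSessionJson {
    # az is a native command: a failed call sets $LASTEXITCODE, it does not throw.
    $lines = az account show --output json 2>$null
    if ($LASTEXITCODE -ne 0) { return '' }
    return ($lines -join "`n")
}

function Test-AzSessionReusable {
    # Returns $true when the session described by $AccountJson may be reused.
    param(
        [string] $AccountJson,     # output of Get-AzSessionJson, '' if logged out
        [string] $AzureClientId,   # empty: caller expects an interactive user
        [string] $AzureTenantId
    )
    if ([string]::IsNullOrWhiteSpace($AccountJson)) { return $false }
    if ([string]::IsNullOrEmpty($AzureClientId)) { return $true }

    # A service principal was requested: reuse only a session for that principal,
    # otherwise the build would run with whatever identity happened to be cached.
    $account = $AccountJson | ConvertFrom-Json
    return ($account.user.type -eq 'servicePrincipal' -and
            $account.user.name -eq $AzureClientId -and
            $account.tenantId -eq $AzureTenantId)
}

# Constructed sample of `az account show --output json` for an interactive user.
$sample = @'
{
  "id": "00000000-0000-0000-0000-000000000001",
  "tenantId": "00000000-0000-0000-0000-0000000000aa",
  "user": { "name": "someone@example.com", "type": "user" }
}
'@

# Interactive run, no client id supplied: the cached session is reused.
Test-AzSessionReusable -AccountJson $sample -AzureClientId '' -AzureTenantId ''

# Service principal supplied but the cached session is a user: log in again.
Test-AzSessionReusable -AccountJson $sample `
    -AzureClientId '00000000-0000-0000-0000-0000000000bb' `
    -AzureTenantId '00000000-0000-0000-0000-0000000000aa'
```

In the provisioning script, `az login` would run only when `Test-AzSessionReusable -AccountJson (Get-AzSessionJson) ...` returns `$false`, followed by the existing `az account set --subscription $SubscriptionId`.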