microsoft / AL-Go

The plug-and-play DevOps solution for Business Central app development on GitHub
MIT License

[Bug]: ClientId not respected in favor of federated token #1147

Closed stoilovkr closed 1 month ago

stoilovkr commented 1 month ago

Question

When running the CI/CD action, on the Sign step I get the following error:

Error: Unexpected error when running action. Error Message: Error trying to authenticate to Azure. Error was ClientAssertionCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details.
You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS70025: Client application has no configured federated identity credentials. Trace ID: 555ff0ff-100c-42ef-ba64-0d7cbfd30200 Correlation ID: 6b418053-641b-4b39-afa8-e31ab105e1d1 Timestamp: 2024-07-17 10:50:18Z Could not find tenant id for provided tenant domain ''. , 
StackTrace: at ConnectAz, 
D:\a\_actions\microsoft\AL-Go\5eeeec54ab7e6a9d97701effe420ef74bda08c67\Actions\AL-Go-Helper.ps1: line 2444 <- at <ScriptBlock>, 
D:\a\_actions\microsoft\AL-Go\5eeeec54ab7e6a9d97701effe420ef74bda08c67\Actions\Sign\Sign.ps1: line 59 <- at <ScriptBlock>, 
D:\a\_temp\cad1683b-a56b-42c7-984b-4da92cc666e9.ps1: line 4 <- at <ScriptBlock>, <No file>: line 1

I have a GitHub secret in the following format: AUTHCONTEXT: {"keyVaultName":"REDACTED","clientId":"REDACTED","clientSecret":"REDACTED","tenantId":"REDACTED"}

What am I missing here to make the action use an app registration with a client secret instead of a managed identity with a federated token? I am using the preview version of AL-Go.

stoilovkr commented 1 month ago

It may be a bug because when I reverted to the main version of AL-Go, the Sign step passed successfully with no change to the secrets.

freddydk commented 1 month ago

I assume that the GitHub secret you mention is AZURE_CREDENTIALS and not AUTHCONTEXT - right? Yes, this is a bug in preview

stoilovkr commented 1 month ago

> I assume that the GitHub secret you mention is AZURE_CREDENTIALS and not AUTHCONTEXT - right? Yes, this is a bug in preview

It was working with the AZURE_CREDENTIALS secret, but then when it started failing, I inspected the source code, and it seemed like it's pulling the data from AUTHCONTEXT secret, so I copied the same value in that secret too, but it was failing again.

stoilovkr commented 1 month ago

> > I assume that the GitHub secret you mention is AZURE_CREDENTIALS and not AUTHCONTEXT - right? Yes, this is a bug in preview
>
> It was working with the AZURE_CREDENTIALS secret, but then when it started failing, I inspected the source code, and it seemed like it's pulling the data from AUTHCONTEXT secret, so I copied the same value in that secret too, but it was failing again.

Sorry, I inspected the documentation here, where it says that the secret should be AUTHCONTEXT. So, you might need to update the documentation to say AZURE_CREDENTIALS if it's wrong.

freddydk commented 1 month ago

Will fix the documentation on that (copy/paste error) - this is under the section called Azure_Credentials -> Connect to Azure

AuthContext is used for deployments only.

freddydk commented 1 month ago

Shipped in preview
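
A pre-flight check for the credentials secret discussed in this thread, as an added example that is not AL-Go code and not part of any comment above: it parses the JSON, reports which authentication mode the fields imply, and never echoes secret values. The function name Get-AzureAuthMode, the rule that a present clientSecret implies client-secret authentication, and all sample values are assumptions; the field names are the ones in the secret quoted in the issue.

```powershell
# Added example (not AL-Go code): classify a credentials secret without echoing values.
function Get-AzureAuthMode {
    param([Parameter(Mandatory)][string] $SecretJson)

    try {
        $creds = $SecretJson | ConvertFrom-Json -ErrorAction Stop
    }
    catch {
        # Parser messages can quote fragments of the input, so do not relay them.
        throw 'Credentials secret is not valid JSON.'
    }
    if ($creds -isnot [System.Management.Automation.PSCustomObject]) {
        throw 'Credentials secret must be a single JSON object.'
    }

    # Field names as they appear in the secret quoted in the issue.
    $present = @{}
    foreach ($name in 'keyVaultName', 'clientId', 'clientSecret', 'tenantId') {
        $prop = $creds.PSObject.Properties[$name]
        $present[$name] = ($null -ne $prop) -and
            -not [string]::IsNullOrWhiteSpace([string] $prop.Value)
    }

    $missing = @('clientId', 'tenantId' | Where-Object { -not $present[$_] })
    if ($missing.Count -gt 0) {
        throw "Credentials secret lacks required field(s): $($missing -join ', ')"
    }

    # Assumed rule: a clientSecret means app registration with client secret;
    # without one, only a federated (OIDC) token exchange can succeed.
    $mode = if ($present['clientSecret']) { 'ClientSecret' } else { 'FederatedCredential' }
    [pscustomobject]@{ Mode = $mode; HasKeyVault = $present['keyVaultName'] }
}

# Constructed samples; every value is a placeholder.
$samples = [ordered]@{
    secret    = '{"keyVaultName":"kv-example","clientId":"app-id","clientSecret":"placeholder","tenantId":"tenant-id"}'
    federated = '{"clientId":"app-id","tenantId":"tenant-id"}'
    malformed = '{"clientId":"app-id","tenantId":tenant-id"}'
}
foreach ($key in $samples.Keys) {
    try { "{0}: {1}" -f $key, (Get-AzureAuthMode $samples[$key]).Mode }
    catch { "{0}: rejected ({1})" -f $key, $_.Exception.Message }
}
```

Run as an early workflow step, a difference between the reported mode and the one you intended shows up before the Sign step attempts to authenticate.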