microsoft / azure-pipelines-tasks

Tasks for Azure Pipelines
https://aka.ms/tfbuild
MIT License

[BUG]: Azure CLI requires read permissions on subscription #18757

Open yene opened 11 months ago

yene commented 11 months ago

Task name

Azure CLI

Task version

2.217.1

Environment type (Please select at least one environment where you face this issue)

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operating system

Ubuntu 20.04

Task log

2023-08-02T07:40:26.1183064Z ##[section]Starting: Run Script
2023-08-02T07:40:26.1188038Z ==============================================================================
2023-08-02T07:40:26.1188191Z Task         : Azure CLI
2023-08-02T07:40:26.1188257Z Description  : Run Azure CLI commands against an Azure subscription in a PowerShell Core/Shell script when running on Linux agent or PowerShell/PowerShell Core/Batch script when running on Windows agent.
2023-08-02T07:40:26.1188467Z Version      : 2.225.0
2023-08-02T07:40:26.1188533Z Author       : Microsoft Corporation
2023-08-02T07:40:26.1188608Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-cli
2023-08-02T07:40:26.1188719Z ==============================================================================
2023-08-02T07:40:26.4395481Z [command]/usr/bin/az --version
2023-08-02T07:40:27.8622287Z WARNING: You have 3 update(s) available. Consider updating your CLI installation with 'az upgrade'
2023-08-02T07:40:27.8622655Z azure-cli                         2.50.0 *
2023-08-02T07:40:27.8623286Z 
2023-08-02T07:40:27.8623644Z core                              2.50.0 *
2023-08-02T07:40:27.8623783Z telemetry                          1.0.8 *
2023-08-02T07:40:27.8623870Z 
2023-08-02T07:40:27.8623981Z Extensions:
2023-08-02T07:40:27.8624199Z azure-devops                      0.26.0
2023-08-02T07:40:27.8624264Z 
2023-08-02T07:40:27.8624389Z Dependencies:
2023-08-02T07:40:27.8624517Z msal                              1.22.0
2023-08-02T07:40:27.8624720Z azure-mgmt-resource             23.1.0b2
2023-08-02T07:40:27.8624790Z 
2023-08-02T07:40:27.8624984Z Python location '/opt/az/bin/python3'
2023-08-02T07:40:27.8625211Z Extensions directory '/opt/az/azcliextensions'
2023-08-02T07:40:27.8625306Z 
2023-08-02T07:40:27.8625492Z Python (Linux) 3.10.10 (main, Jun 29 2023, 11:09:14) [GCC 11.3.0]
2023-08-02T07:40:27.8625613Z 
2023-08-02T07:40:27.8625752Z Legal docs and information: aka.ms/AzureCliLegal
2023-08-02T07:40:27.8625834Z 
2023-08-02T07:40:27.8625889Z 
2023-08-02T07:40:27.8628052Z Setting AZURE_CONFIG_DIR env variable to: /home/vsts/work/_temp/.azclitask
2023-08-02T07:40:27.8629618Z Setting active cloud to: AzureCloud
2023-08-02T07:40:27.8639351Z [command]/usr/bin/az cloud set -n AzureCloud
2023-08-02T07:40:30.6854779Z [command]/usr/bin/az login --service-principal -u *** --password=*** --tenant TENANT_ID --allow-no-subscriptions
2023-08-02T07:40:31.7275842Z [
2023-08-02T07:40:31.7276443Z   {
2023-08-02T07:40:31.7277574Z     "cloudName": "AzureCloud",
2023-08-02T07:40:31.7278332Z     "id": "TENANT_ID",
2023-08-02T07:40:31.7278666Z     "isDefault": true,
2023-08-02T07:40:31.7279091Z     "name": "N/A(tenant level account)",
2023-08-02T07:40:31.7280637Z     "state": "Enabled",
2023-08-02T07:40:31.7281157Z     "tenantId": "TENANT_ID",
2023-08-02T07:40:31.7281561Z     "user": {
2023-08-02T07:40:31.7282153Z       "name": "***",
2023-08-02T07:40:31.7282471Z       "type": "servicePrincipal"
2023-08-02T07:40:31.7282871Z     }
2023-08-02T07:40:31.7285351Z   }
2023-08-02T07:40:31.7285732Z ]
2023-08-02T07:40:31.7344618Z [command]/usr/bin/az account set --subscription SUBSCRIPTION_ID
2023-08-02T07:40:32.4064917Z ERROR: The subscription of 'SUBSCRIPTION_ID' doesn't exist in cloud 'AzureCloud'.
2023-08-02T07:40:32.4100165Z ##[error]Error Code: [1]
2023-08-02T07:40:32.4113117Z ##[error]Error: Error in setting up subscription
2023-08-02T07:40:32.4114207Z ##[error]Script failed with error: ERROR: The subscription of 'SUBSCRIPTION_ID' doesn't exist in cloud 'AzureCloud'.

2023-08-02T07:40:32.4117759Z [command]/usr/bin/az account clear
2023-08-02T07:40:33.0796839Z ##[section]Finishing: Run Script

Relevant log output

2023-08-02T07:40:32.4114207Z ##[error]Script failed with error: ERROR: The subscription of 'SUBSCRIPTION_ID' doesn't exist in cloud 'AzureCloud'.

Additional info

Because the task runs `az account set --subscription`, it requires read permission on the subscription.

Why does the task require permission on the subscription? The task does login with --allow-no-subscriptions so I am confused.

hbuckle commented 8 months ago

Azure PowerShell task is the same.

Now that workload identity federation is a thing there is a much bigger use case for service principals with no access to Azure resources, but instead just being used to get tokens for Azure DevOps/Kubernetes/etc.
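The failure in the issue log, and the use case hbuckle describes, come down to one question a pipeline script can answer before calling `az account set`: does the logged-in identity see the target subscription at all, or only a tenant-level account? The script below is an added example, not code from the azure-pipelines-tasks project. It works on two constructed samples of `az account list -o json` output (the tenant-level shape is copied from the log above; `SUBSCRIPTION_ID` and `TENANT_ID` are placeholders, not real ids) so it runs offline, and it shows how a least-privilege service principal with no subscription role can stay at tenant scope instead of hard-failing.

```shell
#!/usr/bin/env sh
# Added example (not from the azure-pipelines-tasks project): decide whether
# `az account set --subscription` is safe after `az login --allow-no-subscriptions`
# by inspecting the account list, instead of letting the task fail with
# "The subscription ... doesn't exist in cloud 'AzureCloud'".

# Constructed sample of `az account list -o json` for a tenant-level service
# principal with no role assignment on any subscription (same shape as the
# issue log). TENANT_ID is a placeholder.
TENANT_ONLY_ACCOUNTS='[
  {
    "cloudName": "AzureCloud",
    "id": "TENANT_ID",
    "isDefault": true,
    "name": "N/A(tenant level account)",
    "state": "Enabled",
    "tenantId": "TENANT_ID",
    "user": { "name": "***", "type": "servicePrincipal" }
  }
]'

# Constructed sample for a service principal that does hold a Reader role on
# the subscription. SUBSCRIPTION_ID is a placeholder.
WITH_SUBSCRIPTION_ACCOUNTS='[
  {
    "cloudName": "AzureCloud",
    "id": "SUBSCRIPTION_ID",
    "isDefault": true,
    "name": "example-subscription",
    "state": "Enabled",
    "tenantId": "TENANT_ID",
    "user": { "name": "***", "type": "servicePrincipal" }
  }
]'

# subscription_visible ACCOUNTS_JSON SUBSCRIPTION_ID
# Returns 0 when the subscription id appears as an account "id", 1 otherwise.
# A tenant-level login lists only the tenant id as an account, so a real
# subscription id never matches and we know `az account set` would fail.
subscription_visible() {
  accounts_json=$1
  wanted=$2
  printf '%s\n' "$accounts_json" | grep -Eq "\"id\": *\"$wanted\""
}

# choose_scope ACCOUNTS_JSON SUBSCRIPTION_ID
# Prints "subscription" when `az account set --subscription` is safe, or
# "tenant" when the script should stay at tenant scope, e.g. only mint tokens
# with `az account get-access-token --resource ...`, which needs no
# subscription role.
choose_scope() {
  if subscription_visible "$1" "$2"; then
    echo subscription
  else
    echo tenant
  fi
}

# Intended use inside a pipeline script step (az calls shown, not executed here):
#   scope=$(choose_scope "$(az account list -o json)" "$SUBSCRIPTION_ID")
#   [ "$scope" = subscription ] && az account set --subscription "$SUBSCRIPTION_ID"
```

The check is deliberately string-based so it needs nothing beyond POSIX sh and grep, which is what a Linux hosted agent guarantees; if `jq` is available, `jq -e --arg id "$SUBSCRIPTION_ID" 'any(.[]; .id == $id)'` expresses the same test more robustly.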

github-actions[bot] commented 2 months ago

This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue; otherwise this will be closed in 5 days.

hbuckle commented 2 months ago

Not stale