Can't az login with service principal certificate

Describe the bug

Command Name: az login

Errors:

In short, az login does not work here because it fails with an exception that requires executing az login. (The cat bites its own tail, figuratively speaking.)

Here is the excerpt from the debug log.

az_command_data_logger : exit code: 1
Suppress exception:
Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/azure/cli/__main__.py", line 60, in <module>
    raise ex
  File "/opt/az/lib/python3.6/site-packages/azure/cli/__main__.py", line 53, in <module>
    sys.exit(exit_code)
SystemExit: 1

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 493, in get_current_account_user
    active_account = self.get_subscription()
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 502, in get_subscription
    raise CLIError(_AZ_LOGIN_MESSAGE)
knack.util.CLIError: Please run 'az login' to setup account.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/decorators.py", line 74, in _wrapped_func
    return func(*args, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/decorators.py", line 57, in _decorator
    val = func(*args, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/telemetry.py", line 426, in _get_user_azure_id
    return _get_profile().get_current_account_user()
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 495, in get_current_account_user
    raise CLIError('There are no active accounts.')
knack.util.CLIError: There are no active accounts.

Suppress exception:
Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/azure/cli/__main__.py", line 60, in <module>
    raise ex
  File "/opt/az/lib/python3.6/site-packages/azure/cli/__main__.py", line 53, in <module>
    sys.exit(exit_code)
SystemExit: 1

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/decorators.py", line 74, in _wrapped_func
    return func(*args, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/telemetry.py", line 436, in _get_azure_subscription_id
    return _get_profile().get_subscription_id()
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 519, in get_subscription_id
    return self.get_subscription(subscription)[_SUBSCRIPTION_ID]
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 502, in get_subscription
    raise CLIError(_AZ_LOGIN_MESSAGE)
knack.util.CLIError: Please run 'az login' to setup account.

To Reproduce:

Create a principal with a certificate and run the command:

az login -o json --service-principal -u $PRINCIPAL_ID -p key.pem --tenant $TENANT_ID --debug

Expected Behavior

Login is possible.

Environment Summary

Linux-5.4.0-42-generic-x86_64-with-debian-bullseye-sid
Python 3.6.10
Installer: DEB

azure-cli 2.9.0 *

Extensions:
subscription 0.1.3

Additional Context

I have used az feedback to capture environment information.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

synergiator commented, Aug 18, 2020 (1 reaction)

Thank you @jiasli, this solves my problem!

jiasli commented, Aug 18, 2020 (0 reactions)

This is the desired behavior if no subscription is found.

> az ad sp create-for-rbac --skip-assignment
{
  "appId": "1de50824-be65-4e35-b365-d6bf0fe8b41f",
  "displayName": "azure-cli-2020-08-18-02-10-56",
  "name": "http://azure-cli-2020-08-18-02-10-56",
  "password": "xxx",
  "tenant": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a"
}

> az login --service-principal --username 1de50824-be65-4e35-b365-d6bf0fe8b41f --password xxx --tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a
No subscriptions found for 1de50824-be65-4e35-b365-d6bf0fe8b41f.

> echo $LASTEXITCODE
1

You may use --allow-no-subscriptions for such a scenario.

> az login -h
...
Arguments
    --allow-no-subscriptions : Support access tenants without subscriptions. It's uncommon but
                               useful to run tenant level commands, such as 'az ad'.

> az login --service-principal --username 1de50824-be65-4e35-b365-d6bf0fe8b41f --password xxx --tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a --allow-no-subscriptions
[
  {
    "cloudName": "AzureCloud",
    "id": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
    "isDefault": true,
    "name": "N/A(tenant level account)",
    "state": "Enabled",
    "tenantId": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
    "user": {
      "name": "1de50824-be65-4e35-b365-d6bf0fe8b41f",
      "type": "servicePrincipal"
    }
  }
]

> echo $LASTEXITCODE
0

Please note that in the beta version, --allow-no-subscriptions has been deprecated; you may use --tenant-access instead:

> az login -h
...
Arguments
    ...
    --tenant-access                       : Only log in to the home tenant or the tenant specified
                                            by --tenant. CLI will not perform ARM operations to list
                                            tenants and subscriptions. Then you may run tenant-level
                                            commands, such as `az ad`, `az account get-access-
                                            token`.
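
The fallback described in the comment above, wrapped for a non-interactive job. This is an added example, not part of the original issue and not azure-cli code; sp_login, SP_LOGIN_MODE and SP_TENANT_FLAG are hypothetical names. It retries at tenant level only when az reports "No subscriptions found", so a rejected certificate or a wrong tenant still fails the job instead of being masked by the retry.

```sh
#!/bin/sh
# Added example (not azure-cli code). sp_login, SP_LOGIN_MODE and
# SP_TENANT_FLAG are hypothetical names chosen for this sketch.

# Flag used for the tenant-level retry. The thread notes that the beta
# build replaces it with --tenant-access; override via the environment.
SP_TENANT_FLAG="${SP_TENANT_FLAG:---allow-no-subscriptions}"

# sp_login PRINCIPAL_ID PEM_PATH TENANT_ID
# On success sets SP_LOGIN_MODE to "subscription" or "tenant".
sp_login() {
    SP_LOGIN_MODE=""

    # Capture stderr (the error message) and drop the JSON on stdout.
    if _sp_err=$(az login --service-principal -u "$1" -p "$2" \
                    --tenant "$3" -o json 2>&1 >/dev/null); then
        SP_LOGIN_MODE="subscription"
        return 0
    fi

    # Only the "no subscriptions" outcome justifies a tenant-level retry.
    # Any other failure (bad certificate, wrong tenant, ...) is passed on.
    case "$_sp_err" in
        *"No subscriptions found"*) ;;
        *) printf '%s\n' "$_sp_err" >&2; return 1 ;;
    esac

    if az login --service-principal -u "$1" -p "$2" --tenant "$3" \
            "$SP_TENANT_FLAG" -o json >/dev/null; then
        SP_LOGIN_MODE="tenant"
        return 0
    fi
    return 1
}
```

Check SP_LOGIN_MODE before running anything that needs a subscription: a tenant-level login only supports tenant-level commands such as az ad.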