Error "az login: error: 'issuer'" with "az login --service-principal"

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug

az login --service-principal failed with the error message az login: error: 'issuer'.

The same Service Principal Credentials JSON proved to work successfully in Azure Login GitHub Actions.

However, the effectively identical az login --service-principal command that worked in https://github.com/Azure/login/blob/master/src/main.ts#L38 failed with azure-cli 2.8.0.

To Reproduce

$ cat "$SERVICE_PRINCIPAL_SECRET"
{
	"clientId": "...",
	"clientSecret": "...",
	"subscriptionId": "...",
	"tenantId": "..."
}

$ az login --service-principal -u "$(jq '.clientId' "$SERVICE_PRINCIPAL_SECRET")" -p "$(jq '.clientSecret' "$SERVICE_PRINCIPAL_SECRET")"  --tenant "$(jq '.tenantId' "$SERVICE_PRINCIPAL_SECRET")"
usage: az login [-h] [--verbose] [--debug] [--only-show-errors] [--output {json,jsonc,yaml,yamlc,table,tsv,none}] [--query JMESPATH] [--username USERNAME] [--password PASSWORD] [--service-principal] [--tenant TENANT]
                [--allow-no-subscriptions] [-i] [--use-device-code] [--use-cert-sn-issuer]
az login: error: 'issuer'

Expected behavior

Login Successful.

Environment Summary

macOS-10.15.4-x86_64-i386-64bit
Python 3.8.3
Installer: HOMEBREW

azure-cli 2.8.0

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

4 reactions
haokanga commented, Jun 24, 2020

Resolved. This is a pure Linux scripting error on the client side. This is caused by the double quotes produced by the jq command.

The snippet below will work with az login --service-principal

$ CLIENT_ID=$(jq '.clientId' "$SERVICE_PRINCIPAL_SECRET" --raw-output)
$ CLIENT_SECRET=$(jq '.clientSecret' "$SERVICE_PRINCIPAL_SECRET" --raw-output)
$ TENANT_ID=$(jq '.tenantId' "$SERVICE_PRINCIPAL_SECRET" --raw-output)
$ az login --service-principal -u "$CLIENT_ID" -p "$CLIENT_SECRET" --tenant "$TENANT_ID"
Login successful

The following command will throw "az login: error: 'issuer'" error because the tenant ID is invalid.

$ CLIENT_ID=$(jq '.clientId' "$SERVICE_PRINCIPAL_SECRET" --raw-output)
$ CLIENT_SECRET=$(jq '.clientSecret' "$SERVICE_PRINCIPAL_SECRET" --raw-output)
$ TENANT_ID=$(jq '.tenantId' "$SERVICE_PRINCIPAL_SECRET")
$ az login --service-principal -u "$CLIENT_ID" -p "$CLIENT_SECRET" --tenant "$TENANT_ID"
usage: az login [-h] [--verbose] [--debug] [--only-show-errors] [--output {json,jsonc,yaml,yamlc,table,tsv,none}] [--query JMESPATH] [--username USERNAME] [--password PASSWORD] [--service-principal] [--tenant TENANT]
                [--allow-no-subscriptions] [-i] [--use-device-code] [--use-cert-sn-issuer]
az login: error: 'issuer'

In conclusion, there is no technical bug in Azure CLI. Azure CLI may consider providing a more verbose and actionable error message when the tenant ID is not valid.

1 reaction
jiasli commented, Jul 24, 2020

@haokanga, glad to know the issue is solved. You are correct - jq’s output is still in JSON, which is why it is quoted. See https://github.com/stedolan/jq/issues/1735.

$ jq '.clientId' "$SERVICE_PRINCIPAL_SECRET"
"45ee948b-9214-4d23-9a52-1a641c7c8009"

$ jq '.clientId' "$SERVICE_PRINCIPAL_SECRET" --raw-output
45ee948b-9214-4d23-9a52-1a641c7c8009

This is also revealed in the --debug log:

$ az login --service-principal -u "$(jq '.clientId' "$SERVICE_PRINCIPAL_SECRET")" -p "$(jq '.clientSecret' "$SERVICE_PRINCIPAL_SECRET")"  --tenant "$(jq '.tenantId' "$SERVICE_PRINCIPAL_SECRET")" --debug
Command arguments: ['login', '--service-principal', '-u', '"45ee948b-9214-4d23-9a52-1a641c7c8009"', '-p', '"xxx"', '--tenant', '"54826b22-38d6-4fb2-bad9-b7b93a3e9c5a"', '--debug']

You may also append --raw-output to each $() sub-command:

az login --service-principal -u "$(jq '.clientId' "$SERVICE_PRINCIPAL_SECRET" --raw-output)" -p "$(jq '.clientSecret' "$SERVICE_PRINCIPAL_SECRET" --raw-output)"  --tenant "$(jq '.tenantId' "$SERVICE_PRINCIPAL_SECRET" --raw-output)"

I will try to improve the error message.
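
An added example, not part of the issue thread or the Azure CLI code base: a POSIX shell pre-flight check for the failure discussed above, which rejects a client or tenant ID that still carries jq's JSON quotes before az login is called. The function names are hypothetical, and it assumes both IDs are GUIDs, as in the jq output shown in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Azure CLI or jq APIs.

# Succeed only for a bare GUID: 36 characters, hex digits, hyphens at 9/14/19/24.
is_guid() {
    [ "${#1}" -eq 36 ] || return 1
    case "$1" in *[!0-9A-Fa-f-]*) return 1 ;; esac
    case "$1" in ????????-????-????-????-????????????) ;; *) return 1 ;; esac
    hex=$(printf '%s' "$1" | tr -d '-')   # exactly four hyphens leaves 32 hex digits
    [ "${#hex}" -eq 32 ]
}

# Classify a value that is about to be passed to az login.
classify_id() {
    case "$1" in
        ''|null) echo empty ;;    # key missing, or jq printed null
        \"*\")   echo quoted ;;   # JSON string literal: jq ran without --raw-output
        *) if is_guid "$1"; then echo ok; else echo invalid; fi ;;
    esac
}

# Read one field as a raw string; -e makes jq exit non-zero on null or a missing key.
sp_field() {  # usage: sp_field FILE KEY
    jq -e -r --arg k "$2" '.[$k]' "$1"
}

# Validate both IDs first, so a bad value is reported by name instead of 'issuer'.
sp_login() {  # usage: sp_login FILE
    client_id=$(sp_field "$1" clientId) || { echo "clientId missing" >&2; return 2; }
    tenant_id=$(sp_field "$1" tenantId) || { echo "tenantId missing" >&2; return 2; }
    client_secret=$(sp_field "$1" clientSecret) || { echo "clientSecret missing" >&2; return 2; }
    for pair in "clientId=$client_id" "tenantId=$tenant_id"; do
        state=$(classify_id "${pair#*=}")
        [ "$state" = ok ] || { echo "${pair%%=*} is $state" >&2; return 2; }
    done
    az login --service-principal -u "$client_id" -p "$client_secret" --tenant "$tenant_id"
}
```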
