
azure devops extension to support --service-principal login


Describe the bug

az login --service-principal --username xxx --password yyy --tenant zzz -> Login is successful.

az devops configure --defaults organization=https://xyz project=xyz -> This works fine.

az pipelines build list -o table --verbose --debug -> Error:

Current cloud config:
AzureCloud
trying to get token (temp) for tenant 05d75c05-fa1a-42e7-9cf1-eb416c396f2d and user fc7bc748-404e-4f72-84e2-95cb6f2edb2f
attempting to read file /root/.azure/accessTokens.json as utf-8-sig
adal-python : 2e75d6f5-b4a6-46da-b9ca-0a2b5cea63eb - Authority:Performing instance discovery: ...
adal-python : 2e75d6f5-b4a6-46da-b9ca-0a2b5cea63eb - Authority:Performing static instance discovery
adal-python : 2e75d6f5-b4a6-46da-b9ca-0a2b5cea63eb - Authority:Authority validated via static instance discovery
adal-python : 2e75d6f5-b4a6-46da-b9ca-0a2b5cea63eb - TokenRequest:Getting token from cache with refresh if necessary.
adal-python : 2e75d6f5-b4a6-46da-b9ca-0a2b5cea63eb - CacheDriver:finding with query keys: {'_clientId': '...', 'userId': '...'}
adal-python : 2e75d6f5-b4a6-46da-b9ca-0a2b5cea63eb - CacheDriver:Looking for potential cache entries: {'_clientId': '...', 'userId': '...'}
adal-python : 2e75d6f5-b4a6-46da-b9ca-0a2b5cea63eb - CacheDriver:Found 0 potential entries.
not able to get token from az login
Could not retrieve token from local cache. Please run 'az login'.
Traceback (most recent call last):
  File "/root/.azure/cliextensions/azure-devops/azext_devops/dev/common/services.py", line 157, in get_token_from_az_login
    auth_token = profile.get_access_token_for_resource(user, tenant, '499b84ac-1321-427f-aa17-267ca6975798')
  File "/usr/lib/python2.7/site-packages/azure/cli/core/_profile.py", line 506, in get_access_token_for_resource
    username, tenant, resource)
  File "/usr/lib/python2.7/site-packages/azure/cli/core/_profile.py", line 916, in retrieve_token_for_user
    " Please run 'az login'." if not in_cloud_console() else ''))
CLIError: Could not retrieve token from local cache. Please run 'az login'.

As per the error, when a service principal is used for az login, the token is not retrieved. However, it works fine if a normal user is used. I have these steps in an automation pipeline, where there is no human interaction.

To Reproduce

Azure CLI version: 2.0.76

Azure-Devops extension version: Use az --version. Look for something like: Extensions: azure-devops (0.14.0)

Steps to reproduce the behavior:

  1. az login
  2. az devops configure defaults.
  3. Try any az pipelines command
  4. See error

Expected behavior

It should return data.

Issue Analytics

  • State: open
  • Created: 4 years ago
  • Reactions: 3
  • Comments: 23 (2 by maintainers)
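
An added example, not part of the original issue or of the azure-devops extension: a Python triage helper for CI that reads `--debug` output like the log above and reports the tenant, the principal used for the cache lookup, the cache-hit count and the requested resource. The names `triage` and `sp_cache_miss`, and the heuristic that a GUID in the user slot indicates an application ID, are assumptions of this example.

```python
import re

# Excerpt of the --debug output quoted in the issue above (IDs as posted there).
SAMPLE_LOG = """\
trying to get token (temp) for tenant 05d75c05-fa1a-42e7-9cf1-eb416c396f2d and user fc7bc748-404e-4f72-84e2-95cb6f2edb2f
attempting to read file /root/.azure/accessTokens.json as utf-8-sig
adal-python : 2e75d6f5-b4a6-46da-b9ca-0a2b5cea63eb - CacheDriver:Found 0 potential entries.
not able to get token from az login
    auth_token = profile.get_access_token_for_resource(user, tenant, '499b84ac-1321-427f-aa17-267ca6975798')
CLIError: Could not retrieve token from local cache. Please run 'az login'.
"""

GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
LOOKUP = re.compile(rf"trying to get token \(temp\) for tenant ({GUID}) and user (\S+)")
CACHE_HITS = re.compile(r"CacheDriver:Found (\d+) potential entries")
RESOURCE = re.compile(rf"get_access_token_for_resource\([^)]*'({GUID})'\)")
FAILURE = "Could not retrieve token from local cache"


def triage(log_text):
    """Summarise a failed token lookup from azure-devops --debug output."""
    lookup = LOOKUP.search(log_text)
    hits = [int(n) for n in CACHE_HITS.findall(log_text)]
    resource = RESOURCE.search(log_text)
    tenant, user = lookup.groups() if lookup else (None, None)
    report = {
        "tenant": tenant,
        "user": user,
        # Heuristic (assumption of this example): a GUID in the user slot
        # means the lookup used an application ID, not a user principal name.
        "user_is_guid": bool(user and re.fullmatch(GUID, user)),
        "cache_entries": hits[-1] if hits else None,
        "resource": resource.group(1) if resource else None,
        "failed": FAILURE in log_text,
    }
    # Flag the pattern from the issue: lookup by GUID, empty cache, CLIError.
    report["sp_cache_miss"] = (
        report["failed"] and report["user_is_guid"] and report["cache_entries"] == 0
    )
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
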

Top GitHub Comments

22 reactions
PhilipSkinner commented, Jan 16, 2020

Using PAT tokens is not acceptable to us (as a company) or the clients we develop software for.

Can you please make your tools use service principals consistently? It’s very hard to explain to a client why this doesn’t work when it should be working.

13 reactions
las3r commented, Sep 14, 2020

Why was this put “on the backlog”? In my honest opinion this is one of the basic authentication flows that are supported all through Azure, with Azure DevOps being an outlier.

For reference, we are trying to create Azure Repos from a CI pipeline to automate our “request a repo” feature. Without an SPN we will need to generate a PAT. This PAT will need to be an Administrator PAT, which leads to a host of security issues, let alone issues when the administrators “leave” the organisation, rendering our pipelines broken. The alternative is just as bad: a service account, something we are trying to move away from.

When can we expect Service principal-based authentication in the Azure CLI for DevOps?
