Comments (22)
Is it possible to release this as a patch fix sooner? This potentially impacts every use of the azure/login GitHub Action.
Also, the workaround only works if you're using the azure/cli Action. If you use the az command directly in your scripts, it won't work. This use case is fairly common since hosted GitHub Actions runners come with the latest version of the az command preinstalled. Without this, users have to override the version and we have to hope they remember to undo their workarounds later.
from azure-cli.
Azure CLI 2.60.0 has been released just now with this issue fixed:
https://github.com/Azure/azure-cli/blob/dev/src/azure-cli-core/HISTORY.rst#2600
Fix #28737: Fix token cache for service principal authentication (#28747)
The rollout status for Azure CLI on GitHub Actions and Azure DevOps images can be found at https://github.com/actions/runner-images
from azure-cli.
Workarounds
Adopt either workaround:
- Use service principal secret for authentication:
- [GitHub Actions only] In Azure CLI Action azure/cli@v2, specify azcliversion to use an older version of Azure CLI below 2.59.0, such as 2.58.0: https://github.com/marketplace/actions/azure-cli-action
from azure-cli.
@jiasli is working on the new build right now.
from azure-cli.
@jiasli, Even after upgrading to Azure CLI 2.60.0, I am facing the same issue. I am running the Azure CLI task from Azure DevOps and it expires after 10 mins and I get ERROR: AADSTS700024: Client assertion is not within its valid time range.
Since the images still use 2.59.0, I do az upgrade --yes before running dotnet test.
from azure-cli.
Azure CLI 2.60.0 has been deployed to GitHub Actions and Azure DevOps images: https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md#cli-tools
from azure-cli.
We plan to fix this issue in the next Azure CLI release: https://github.com/Azure/azure-cli/milestone/141
Official Release: 04/30/2024
Azure CLI version: 2.60.0
For now, to get unblocked, please follow the instructions at #28737 (comment).
from azure-cli.
@jiasli Thank you for the update. Just for clarity, what, specifically, will get fixed? Will we still need the code to continue requesting the OID token in the background or will we just need to use Azure CLI 2.60.0?
from azure-cli.
@jiasli would it be possible to release this in a patch fix?
from azure-cli.
@jiasli is there any way to promote this as a hotfix so releases that rely on az cli can work again? The current time limit is breaking a lot of builds :(
from azure-cli.
Awesome! Any ETA for this release?
from azure-cli.
Is there any workaround for Azure/[email protected] while the hot fix makes it to production, since there doesn't seem to be a way to change the cli version this action uses?
from azure-cli.
Service principal with a secret is not feasible for our case, due to issues transmitting and storing the value. Changing azure/cli version is not feasible due to using azure/login and azure/powershell only
from azure-cli.
Changing azure/cli version is not feasible due to using azure/login and azure/powershell only
This 5-minute-expiration issue only affects azure/cli action. azure/login and azure/powershell are not affected. If your task lasts longer than 60 minutes, this is currently a known limitation: #28708
from azure-cli.
@jiasli is working on the new build right now.
@yonzhan any update on this? When can we expect a release?
from azure-cli.
Build to Cloud Shell: 04/25/2024
Official Release: 04/30/2024
Azure CLI version: 2.60.0
from azure-cli.
This is quite a problematic issue for us and makes service connections based on Workload Identity federation unusable. Please add a test suite for regression so that it doesn't happen again.
from azure-cli.
The issue also happens with Azure PowerShell on the latest MS Hosted Azure DevOps agents, example:
Set-AzFirewall -AzureFirewall $azfwAllocated | Select-Object Name, …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| ClientAssertionCredential authentication failed: A configuration issue
| is preventing authentication - check the error message from the server
| for details. You can modify the configuration in the application
| registration portal. See https://aka.ms/msal-net-invalid-client for
| details. Original exception: AADSTS700024: Client assertion is not
| within its valid time range. Current time: 2024-04-26T07:47:14.2804194Z,
| assertion valid from 2024-04-26T06:52:04.0000000Z, expiry time of
| assertion 2024-04-26T07:02:04.0000000Z. Review the documentation at
| https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials . Trace ID: <REDACTED> Correlation ID: <REDACTED>
Also AzureCli@2 task is affected.
from azure-cli.
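Added example, not part of the thread: a small Python parser for the AADSTS700024 message quoted in the comment above, reporting the assertion's validity window and how long after expiry it was presented. The function and field names are hypothetical, and the sample is constructed from the timestamps in that comment.

```python
import re
from datetime import datetime, timedelta, timezone

# Timestamps in the message carry 7 fractional digits; Python's %f accepts 6.
_TS = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z"
_PATTERN = re.compile(
    r"AADSTS700024:.*?Current time:\s*" + _TS
    + r".*?valid from\s*" + _TS
    + r".*?expiry time of\s+assertion\s*" + _TS,
    re.DOTALL,
)

def _parse(ts, frac):
    base = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    micros = int((frac or "0")[:6].ljust(6, "0"))
    return base + timedelta(microseconds=micros)

def analyze_aadsts700024(log_text):
    """Return timing facts for each AADSTS700024 error found in log_text."""
    # Pipeline logs wrap the message and prefix lines with '|'; undo that first.
    flat = re.sub(r"\s*\n\s*\|?\s*", " ", log_text)
    findings = []
    for m in _PATTERN.finditer(flat):
        now, start, end = (_parse(m.group(i), m.group(i + 1)) for i in (1, 3, 5))
        findings.append({
            "assertion_lifetime": end - start,  # window granted to the assertion
            "age_at_use": now - start,          # how old it was when presented
            "past_expiry": now - end,           # positive: presented after expiry
            "used_before_valid": now < start,   # presented before the window opened
        })
    return findings

# Constructed sample: the wrapped error text from the comment above,
# without the redacted trace and correlation IDs.
SAMPLE = """| details. Original exception: AADSTS700024: Client assertion is not
| within its valid time range. Current time: 2024-04-26T07:47:14.2804194Z,
| assertion valid from 2024-04-26T06:52:04.0000000Z, expiry time of
| assertion 2024-04-26T07:02:04.0000000Z. Review the documentation at
"""

if __name__ == "__main__":
    for finding in analyze_aadsts700024(SAMPLE):
        for key, value in finding.items():
            print(f"{key}: {value}")
```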
Build to Cloud Shell: 04/25/2024 Official Release: 04/30/2024 Azure CLI version: 2.60.0
Can I fetch the Cloud build to ingest it in a pipeline decorator?
from azure-cli.
@jiasli, Even after upgrading to Azure CLI 2.60.0, I am facing the same issue. I am running the Azure CLI task from Azure DevOps and it expires after 10 mins and I get ERROR: AADSTS700024: Client assertion is not within its valid time range.
Since the images still use 2.59.0, I do az upgrade --yes before running dotnet test.
+1
from azure-cli.
@bcarthic, are you requesting a data-plane access token? If so, please see #28708 (comment).
from azure-cli.
@bcarthic, are you requesting a data-plane access token? If so, please see #28708 (comment).
@jiasli
What happens if I intend to kick off a long-running operation that starts by obtaining an access token and concludes five hours later? This scenario is typical for us, as we use Packer to create VM images for our build servers. Are there any plans to implement a process in Azure CLI that automatically exchanges a refresh token for an access token in the background? Packer is configured to use an already logged-in account via Azure CLI. With the current fix, the access token expires 1 hour later and there is no chance of refreshing that :(
from azure-cli.