Could not retrieve credential from local cache for service principal ***. Please run 'az login' for this service principal." #688

Closed
dkirrane opened this issue Nov 15, 2021 · 7 comments
Labels
medium_priority Medium priority work in In trying to solve, or in working with contributors

@dkirrane

SUMMARY

azure_rm_postgresqlfirewallrule auth_source cli no longer working

ISSUE TYPE
```
fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "Error retrieving resource group my-rg - Could not retrieve credential from local cache for service principal ***. Please run 'az login' for this service principal."}
```
COMPONENT NAME

azure_rm_postgresqlfirewallrule

ANSIBLE VERSION
```
ansible-4.8.0
```
COLLECTION VERSION
```
azure.azcollection:1.10.0
```
CONFIGURATION
```yaml
- name: Configure PostgreSQL firewall rule
  azure_rm_postgresqlfirewallrule:
    auth_source: cli
    resource_group: "{{ resource_group }}"
    server_name: "{{ server_name }}"
    name: github-action
    start_ip_address: "{{ gh_runner_ip }}"
    end_ip_address: "{{ gh_runner_ip }}"
    state: "present"
```
OS / ENVIRONMENT

I suspect this may be related to GitHub Actions Azure CLI login change: https://stackoverflow.com/questions/69895247/could-not-retrieve-credential-from-local-cache-for-service-principal-when-usin

But workaround posted here doesn't apply to Ansible.

```yaml
- uses: actions/checkout@v2

- uses: azure/login@v1
  with:
    creds: ${{ secrets.AZURE_CREDENTIALS }}

# ... Install Ansible etc..

- name: Ansible Run
  run: ansible-playbook -i hosts.ini playbook.yml
```

@asos-philc

asos-philc commented Nov 23, 2021

The issue affects all azure_rm resource types, not just azure_rm_postgresqlfirewallrule mentioned in the issue description.

As the link posted above explains, this issue has arisen because of the change of authentication library from ADAL to MSAL in Azure CLI 2.30:

https://docs.microsoft.com/en-us/cli/azure/msal-based-azure-cli

More specifically, the issue is seen when the version of Azure CLI installed has a mismatch with the version of the Python azure-cli-core module used with azure.azcollection, as specified in requirements-azure.
This is due to a different method of storing session tokens within the user's .Azure profile folder between the two authentication libraries.

e.g.

1. Azure CLI <2.30, azure-cli-core <2.30 does work
2. Azure CLI 2.30, azure-cli-core 2.26.1 (i.e. current version in requirements-azure) will produce the error in the issue title
3. Azure CLI 2.30, azure-cli-core 2.30 does work (tested by updating azure-cli-core after installing dependencies from requirements-azure)
4. Azure CLI <2.30, azure-cli-core 2.30 won't work (i.e. there will not be backwards compatibility with older Azure CLI versions on the host, once dependency specified in requirements-azure has moved up to azure-cli-core 2.30)
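
Added example, not part of the original thread and not code from azure.azcollection: a preflight check for the version combinations listed in the comment above, meant to run before the playbook so a token-cache mismatch fails early with a clear message. It assumes `az` is on PATH and that the script runs under the same Python interpreter Ansible uses; all function names are illustrative.

```python
"""Preflight check for the ADAL/MSAL token-cache mismatch (added example)."""
import json
import re
import subprocess
from importlib import metadata

# Per the thread: Azure CLI 2.30 moved from ADAL to MSAL, changing how
# session tokens are stored in the user's .azure profile folder.
MSAL_CUTOVER = (2, 30)


def major_minor(version):
    """Parse '2.30.0' or a package version like '2.30.0-1~focal' into (2, 30)."""
    m = re.match(r"\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def cache_family(version):
    """Auth library (and therefore token cache format) used by a version."""
    return "MSAL" if major_minor(version) >= MSAL_CUTOVER else "ADAL"


def check_pair(cli_version, core_version):
    """Return (ok, message) for an Azure CLI / azure-cli-core combination."""
    cli, core = cache_family(cli_version), cache_family(core_version)
    if cli == core:
        return True, f"ok: both use the {cli} token cache"
    return False, (
        f"mismatch: 'az login' ({cli_version}) writes an {cli} cache, but "
        f"azure-cli-core {core_version} in this Python environment reads {core}"
    )


def detect_versions():
    """Host CLI version (from `az version`) and the module Ansible will import."""
    out = subprocess.run(["az", "version", "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)["azure-cli"], metadata.version("azure-cli-core")


if __name__ == "__main__":
    try:
        ok, message = check_pair(*detect_versions())
    except (OSError, KeyError, subprocess.CalledProcessError,
            metadata.PackageNotFoundError) as exc:
        raise SystemExit(f"cannot determine versions: {exc}")
    print(message)
    raise SystemExit(0 if ok else 1)
```

Run it with the interpreter that Ansible itself uses; a system-wide `python3` may see a different azure-cli-core than the one the collection imports.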

@wmudge

wmudge commented Dec 2, 2021

related to Azure/azure-cli#19853

Thx @asos-philc -- I went with option 3 and it worked just fine.

@sirkubax

related to Azure/azure-cli#19853

Thx @asos-philc -- I went with option 3 and it worked just fine.

```bash
pip install azure-cli-core==2.30
sudo apt-get install azure-cli=2.30.0-1~focal
```

@mdf-ido

mdf-ido commented Mar 1, 2022

I was able to fix the issue in my user account. I have an azure devops agent that runs under another user and it is not working for the other user. I logged in as the az devops agent user and went with option 3 as well but didn't fix the issue even after:

```bash
ansible-galaxy collection install azure.azcollection --force
pip install -r ~/.ansible/collections/ansible_collections/azure/azcollection/requirements-azure.txt
pip install azure-cli-core==2.30
sudo apt-get install azure-cli=2.30.0-1~focal
```

I tried CLI and Credentials file but no dice.

Any help here is appreciated!

@Fred-sun
Collaborator

@dkirrane @mdf-ido Did you specify a subscription_id to use when using I (auth_source=cli)?

```bash
az login
az account set -s ********************
```

@Fred-sun Fred-sun added medium_priority Medium priority work in In trying to solve, or in working with contributors labels Jul 15, 2022
@Fred-sun
Collaborator

kindly ping!

@Fred-sun
Collaborator

@dkirrane There is a problem: ansible and azure-cli cannot be installed at the same time. It is recommended that you define credentials in the following way. Thank you!

~/.azure/credentials
```ini
[default]
subscription_id=
client_id=
secret=
tenant=
```

Or set env variables:
```bash
export AZURE_CLIENT_ID=
export AZURE_SECRET=
export AZURE_TENANT=
export AZURE_SUBSCRIPTION_ID=
```
