-
Notifications
You must be signed in to change notification settings - Fork 330
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSAL Token Cache Multiple Token Problem - Enterprise Azure Account #918
Comments
@martinpsiddall If you use 'az login', can you specify the subscription_id you want to use and retry? Thank you very much!
|
kindly ping! |
Apologies Fred, been away on holiday. Unfortunately the suggested work-around presents the same MSAL error. |
Any further suggestions / debugging I can do ? |
@MartinSiddall After you log in, you need to specify which account subscription you use, such as "az account set-s sub_use_id". Thank you! |
Hi Fred this was the same suggested az login commands you made on the 14th July. As per my previous reply this has the same MSAL login error Azure CLI profile cannot be loaded - User 'xxxx' does not exist in MSAL token cache. Run |
"****" means the subscription ID you want to use. Thank you very much! |
I have no idea what you're referring to the User 'xxxx' bit is me removing my email address. I have tried the command you've suggested but they result in the same error. 14th July az login Does not work. Today, the same command in your comment is basically the same suggestion as the 14th of July. "az account set-s sub_use_id" Again results in the MSAL error. Thanks. |
I would like to know the ID after "az account set -s" that you specified to execute, and did you execute this command successfully? |
The command worked fine, with the relevant subscription ID. Again I've obfuscated the beginning of the ID from the first post as this is a public site. az login As an example. Thanks |
I will try again, Multiple accounts for one tenant. |
Yep thats what we / the team will have. Just as a FYI using an incorrect subscription id results in The subscription of 'xxxx' doesn't exist in cloud 'AzureCloud'. So the set -s works fine. Additionally the az account show ... also shows the correct subscription ID ... active subscription. |
Do you mean that the problem has been solved? |
No the problem still persists, just confirming that the az commands work. We still have the MSAL token cache error message. |
I have exactly the same issue. I would like to use the azurerm_inventory plugin. The plugin initializes just fine, but when executing the following command I get an error:
I login the following way. But the error persists. Executing commands using the Azure CLI works without issue.
I did some searching around, and found another issue which I believe might be related to this one: It suggests using different combinations of Azure CLI and the Python plugin azure-cli-core. Apparently there is a mismatch on how they store/access tokens in some versions. However, neither of the suggested combinations of versions worked for me. Additionaly the issue appears to be outdated, as the requirements for this collection reference fairly new versions. |
Just for reference my pip / apt package versions azure-cli-core==2.34.0 azure-cli/focal-updates,now 2.0.81+ds-4ubuntu0.2 all [installed] |
So fiddling about with versions i've managed to get my login issue fixed. This is a similar problem MS Article on registering repos ... removing of azure-cli apt package https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt Packages to obtain pip install azure-cli-core==2.30 Make sure that you az logout and then use az login --use-device-code |
Also works with latest packages PIP APT |
The problem can be caused by having access to multiple tenants with different accounts and then az login will just pick one of them, and if it picks the wrong one you get the "does not exist in MSAL token cache. Run az login." error. Solution is simple, specify the tenant at az login. You cannot specify a subscription there, so any attempted resolution above that talks about subscriptions is not going to work. Fix: |
SUMMARY
Whilst using an enterprise azure login (multiple subscriptions under a single tenant). The auth_sources property when set to use CLI fails with User 'xx' does not exist in MSAL token cache.
Using a standard azure subscription / 1-2-1 logon the azure modules work fine.
I suspect that this is because of the multiple tokens I obtain when logging in using the (now depreciated) function in azure_rm_common.py
self.log('Retrieving credentials from Azure CLI profile')
cli_credentials = self._get_azure_cli_credentials(subscription_id=params.get('subscription_id'))
return cli_credentials
Which in turn calls get_cli_profile() which is part of the azure-sdk-for-python
These functions are depreciated now ... and the documentation suggests moving to the Azure Identity client library for Python.
https://docs.microsoft.com/en-us/python/api/azure-common/azure.common.credentials?view=azure-python
I think the crux of the issue is that due to the multiple tokens received when using the AZ LOGIN command, we would need to be able to specify the subscription ID and tenant ID to correctly obtain the token from the cache.
ISSUE TYPE
COMPONENT NAME
azure_rm_common.py
ANSIBLE VERSION
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
Ubuntu 20.04
STEPS TO REPRODUCE
You will require a AZ Login which has multiple tenants under the same subscription id.
Example of tokens obtained when logging in., you will note tenant id is the same ... but has multiple subscriptions.
Running the following module against the localhost.
EXPECTED RESULTS
Azure CLI profile cannot be loaded - User 'xxxx' does not exist in MSAL token cache.
The text was updated successfully, but these errors were encountered: