CLI is logging on each command when service-principal is used #13276
Comments
ghost
added
needs-triage
customer-reported
|
@jiasli please take a look |
|
Thanks for the feedback. It is by-design that service principal's access token is not cached and is retrieved every time a call is made. azure-cli/src/azure-cli-core/azure/cli/core/_profile.py Lines 1129 to 1133 in 764332b We will consider implementing this during the Azure Identity adoption process. The functionality is already in Azure Identity's code: token = self._client.get_cached_token(scopes) |
|
So there is no way to reduce the number of login calls? It would not be a problem if #7465 would not be happening. We have a powershell script with a dozen of az commands such as az acr repository show-tags and az acr helm push and it is taking too long to execute them. |
|
Thanks for the details. I see where the problem is - it is more about the execution time of each command when retrieving the access token, instead the number of retrieving access token calls. 😉 Still, I am not sure if #7465 is relevant. As in #7465, only the first call should be slow, then the following calls should be normal. Yes, reducing the number of retrieving access token calls may help, but it will take months before we migrate to MSAL and use the token cache for service principals. I can't reproduce on a normal Linux or Windows machine and I will do some test on DevOps. At the same time, could you share
|
|
Raw log file: Here is the script that causes troubles. We are building an umbrella chart that contains a few helm charts but we are building only these that have changed since last build. The rest is pulled from container registry and retagged. Basically we are searching for previously pushed docker images in the container repository, pulling them, retagging with a new tag and pushing back to the repository. Same operation is repeated for a few repositories. We could reduce number of az commands by building umbrella chart without aligning child charts versions, however it simplifies the script. We were not expecting so big performance hit. param (
[string]$semVer
)
function Get-ScriptDirectory { Split-Path $MyInvocation.ScriptName }
$tagName = $semVer
$version = (git describe --abbrev=0);
$branchName = $tagName.Substring($tagName.IndexOf("-"));
$branchName = $branchName.Substring(0,$branchName.IndexOf("."))
echo "Found base version: ${version}"
echo "Found found feature branch: ${branchName}"
az acr login --debug -n xxx
# Get all services configured in this monorepo
$repositories = az acr repository list --debug -n xxx --query "[?contains(@, 'xxx0') || contains(@,'xxx1') || contains(@,'xxx2') || contains(@,'xxx3') || contains(@,'xxx4')]"
[System.Collections.ArrayList]$repositoriesArray = $repositories -split '\r?\n'
$repositoriesArray.RemoveAt(0)
$repositoriesArray.RemoveAt($repositoriesArray.count-1)
foreach ($repositoryElement in $repositoriesArray) {
#Find last tag in feature branch
$repositoryElement = $repositoryElement.Trim(',').Trim(' ').Trim('"')
echo "Trying to find tag for ${repositoryElement}"
$foundTag = (az acr repository show-tags --debug -n xxx --repository $repositoryElement --orderby time_desc --query "[?contains(@, '${branchName}')] | [0]")
if($foundTag.length -eq 0) {
echo "Not found tag for feature branch. Looking for master branch"
$foundTag = (az acr repository show-tags --debug -n xxx --repository $repositoryElement --orderby time_desc --query "[?contains(@, '$version') && !contains(@, '-')] | [0]")
}
$foundTag = $foundTag.Trim('"')
echo "Found tag ${foundTag}"
if ($tagName -eq $foundTag) {continue;}
echo "Tagging repository ${repositoryElement}:${foundTag} with version ${tagName}"
docker pull xxx.azurecr.io/${repositoryElement}:${foundTag}
docker tag xxx.azurecr.io/${repositoryElement}:${foundTag} xxx.azurecr.io/${repositoryElement}:${tagName};
docker push xxx.azurecr.io/${repositoryElement}:${tagName};
$path = Join-Path (Get-ScriptDirectory) ${repositoryElement}/charts/${repositoryElement}/
helm init --client-only
helm package --version ${tagName} ${path}
az acr helm push --debug -n xxx ${repositoryElement}-${tagName}.tgz --force
}Example of long login execution (over 2 minutes): |
|
@bsuchorowski, thanks for the detailed log. Judging from the log, Azure CLI is running as expected. Only this Other calls seem to be normal. While I will try to internally contact AAD team, could you file a support request for AAD as well and provide this issue #13276 and the log?
You may cc me in the email thread. My email address is jiasli at microsoft.com. Thanks for understanding. |
|
That is exactly our issue - https://login.microsoftonline.com is slow. I am not able to create a support request right now. I need to contact somebody from my organization because right now I am receiving: Your cloud service provider manages your subscription. |
|
Just FYI - we have just migrated from Self-Hosted agents to VMSS agents with the same scripts in use. I will let you know it it behaves the same way. |
|
Still this simple script takes 30-35% of our overall pipepline execution time. |
|
Hi @bsuchorowski, I understand this issue is troubling you. As each Azure CLI command runs in a separate process, there is no in-memory cache to save the access token of a service principal. So the https://login.microsoftonline.com:443 call is necessary. You will need to create a support ticket to AAD or Azure Network team to check why connection to https://login.microsoftonline.com:443 is slow. Thanks for your understanding. |
yonzhan
added
feature-request
Account
|
After migrating to MSAL Python (#19853), Azure CLI now utilizes MSAL's token cache to save service principal's access tokens: azure-cli/src/azure-cli-core/azure/cli/core/auth/msal_authentication.py Lines 138 to 140 in 21266e0 Azure CLI first calls This is the same pattern as MSAL's sample code: # Firstly, looks up a token from cache
# Since we are looking for token for the current app, NOT for an end user,
# notice we give account parameter as None.
result = app.acquire_token_silent(config["scope"], account=None)
if not result:
logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
result = app.acquire_token_for_client(scopes=config["scope"]) |
jiasli
changed the title
2.5.0 and older
Describe the bug
We are experiencing same issues with login taking too long as described here #7465. We use self-hosted Azure Devops agent and AzureCLI@2 task. From time to time it takes a few minutes to login. As we are doing a lot of quering from our container registry via az acr command, we notices that our script (that contains ~10 az commands) takes 10+ minutes to finish and it is only querying simple things such as repository tags and so on. I tried to reproduce it with --debug option and I noticed that every command tries to login and hangs there for a while. I am wondering why it does not find any cached accessTokens in accessToken.json (entry for service-principal does not have _clientId property over there).
It happens on every az command and it takes a lot of time.
To Reproduce
Expected behavior
The text was updated successfully, but these errors were encountered: