az account get-access-token returns expiresOn as null for managed identity

[jiasli]

Receiving "Error parsing Token Expiration Date" when using Azure CLI 2.30.0 with managed identity:

• did azure change some auth or format?  getporter/azure-plugins#39
• [BUG]Resource Processor error running porter install when creating Base Workspace microsoft/AzureTRE#1067

e51bc50c-7b3f-453a-bcec-30a3266982e8: Error context message = Error: could not save the pending action's status, the bundle was not executed:could not read storage schema document:Failed to login with Azure CLI:Error parsing Token Expiration Date \"\":Error parsing expiration date \"\".  

CloudShell Error: parsing time \"\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"\" as \"2006\"

CLI Error: parsing time \"\" as \"2006-01-02 15:04:05.999999\": cannot parse \"\" as \"2006\"

Originally posted by @squillace in #19480 (comment)

[jiasli]

Root cause

A quick search on "Error parsing Token Expiration Date" suggests some command is using Azure Go SDK to call az account get-access-token to get the access token and expiresOn: https://github.com/search?q=%22Error+parsing+Token+Expiration+Date%22&type=code

https://github.com/Azure/azure-sdk-for-go/blob/47db7e2935fc81ededd911e1b268c8729d5af38d/sdk/azidentity/azure_cli_credential.go#L163

	tokenExpirationDate, err := parseExpirationDate(t.ExpiresOn)
	if err != nil {
		return nil, fmt.Errorf("Error parsing Token Expiration Date %q: %+v", t.ExpiresOn, err)
	}

But Azure CLI 2.30.0 fails to set expiresOn for managed identity or Cloud Shell (which uses managed identity internally for authentication):

$ az account get-access-token
{
  "accessToken": "...",
  "expiresOn": null,
  "subscription": "0b1f6471-1bf0-4dda-aec3-cb9272f09590",
  "tenant": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
  "tokenType": "Bearer"
}

This will be fixed by #20219.

Workaround

There are 2 possible workarounds:

Log in with user or service principal account

Run az login with user or service principal account. This also applies to Azure Cloud Shell.

Install Azure CLI 2.29.2

You may also install Azure CLI 2.29.2 where az account get-access-token returns expiresOn correctly for managed identity. You may follow https://docs.microsoft.com/en-us/cli/azure/install-azure-cli to install specific versions of Azure CLI.

References

• az account get-access-token: Use epoch expiresOn/expires_on #19700

[sdebruyn]

I can reproduce this, expiresOn is always null when using an MSI

[jiasli]

@sdebruyn, could you try the workaround and let us know if that works?

[sdebruyn]

I can confirm both workarounds work for me

[etiedem]

Just as a note for others with the workaround of installing the older 2.29.2 version on Mac. I had to delete the ~/.azure folder first.

[jiasli]

@etiedem, thanks for the information. I am a little bit curious:

1. How did you install the old Azure CLI 2.29.2 on MacOS? Did you install with brew?
2. I am not aware that MacOS can support managed identity. How did you get managed identity work for MacOS?
3. ~/.azure/azureProfile.json doesn't change between Azure CLI 2.29.2 and 2.30.0 for managed identity. Could you share the error you got?

[etiedem]

@jiasli -

1. I did install with brew
   curl https://raw.githubusercontent.com/Homebrew/homebrew-core/7607de411f8ac0ad926ff2caadf8a9abf713cec8/Formula/azure-cli.rb > $(find $(brew --repository) -name azure-cli.rb) && brew reinstall azure-cli
2. My use case was more for the Azure SDK portion of your comment.
3. I was using the Python SDK and received the following:

AzureCliCredential.get_token failed: Unexpected output from Azure CLI: 'AccessToken

followed by my actual access token.

[jiasli]

Thanks for the information.

I tested with a docker:

# brew --repository
/home/linuxbrew/.linuxbrew/Homebrew

# find $(brew --repository) -name azure-cli.rb
/home/linuxbrew/.linuxbrew/Homebrew/Library/Taps/homebrew/homebrew-core/Formula/azure-cli.rb

It is indeed pretty smart to replace /home/linuxbrew/.linuxbrew/Homebrew/Library/Taps/homebrew/homebrew-core/Formula/azure-cli.rb with https://raw.githubusercontent.com/Homebrew/homebrew-core/7607de411f8ac0ad926ff2caadf8a9abf713cec8/Formula/azure-cli.rb and use brew reinstall azure-cli, given it is difficult to install an old version (Homebrew/discussions#155). 😸

---

As for your problem, I don't think this is the same problem as the one in this PR. This PR's issue only happens to managed identity.

1. Could you share the output of az account get-access-token?
2. Have you configured your default output to be table? I guess it is because --output json doesn't work that caused your problem (Global Arguments stop working in Python 3.9.8 #20269). This issue has been fixed.