Login fails when run on a remote machine: PermissionError: [WinError 5] #20695
Comments
Thanks @MatisseHack for the extremely clear issue description and helpful analysis. According to https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--0-499-, error code … Perhaps …
That seems to be a common trend on most platforms.
Perhaps MSAL Extensions could and should catch all those different exceptions per platform, and then throw one unified exception (such as …
Yea, we had to allow a fallback to a plaintext file on all OSes, as requested by PowerShell. There is a never-ending stream of corner cases where encryption at rest just isn't working. It's not related to headless mode; both DPAPI and KeyChain are available in headless mode. DPAPI, I think, is not available in a virtualized Windows box.
+1 (Azure CLI). This blocks me while remotely provisioning on-premise machines via Ansible (or anything really). I (probably; about to embark on this) have to work around the issue by authenticating as the service principal locally, then copying up my … That in turn means I need to carefully account for not accidentally publishing my own personal directory (leaking creds I really wouldn't want on my infra), and I'm not sure how to do that yet.
@petemounce, though I don't fully understand your scenario, copying …
Are you able to suggest a way to run …? As in, supply that secret some other way, one that is less prone to leak into a log and become not-secret?
This page describes a …
I don't think so; both the bash and powershell variants are interactive. My scenario is headless and non-interactive; an automated process with no human interaction. |
Then you would want this: https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli#sign-in-with-a-managed-identity |
@rayluo thanks for the steer. I'm unfamiliar with Azure so far. When I read https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#how-can-i-use-managed-identities-for-azure-resources it seems to suggest managed identities can only be used when working within Azure resources (I mean; inside Azure-hosted things). Is that accurate? I'm working with on-premise machines, and so I'm not sure this is applicable. This is my first foray into Azure (from AWS and GCP) though; I'm very much still in learning mode. |
This is true. For an on-premise headless/non-interactive environment, we recommend using service principal login as described in the link @rayluo shared: https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli#sign-in-with-a-service-principal If you care about credential leaks, please make sure Bash doesn't echo the commands themselves. That is, DON'T RUN: …
Also make sure logging is NOT turned on via …
Describe the bug
az login fails when run on a remote machine with the following output:
The same command works if I connect to the machine via RDP and run it manually. I wonder if the issue has something to do with being run non-interactively? In my case I'm running this script on a remote machine using Packer.
To Reproduce
Run the following script on a remote machine:
Expected behavior
az login should complete successfully.
Environment summary
Additional context
az login works if encryption is turned off first:
az config set core.encrypt_token_cache=false
It seems like the underlying issue is with the CryptProtectData function returning ERROR_ACCESS_DENIED.
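The two checks an operator running this workaround would want, as an added example (not code from the issue, the Azure CLI or MSAL Extensions): a direct probe of CryptProtectData to see whether DPAPI returns ERROR_ACCESS_DENIED (WinError 5) in the current session, and an audit of the Azure CLI profile directory for a plaintext token cache left behind by core.encrypt_token_cache=false. The file name msal_token_cache.json and the ~/.azure/config layout are assumptions about the CLI's on-disk format, not taken from the page.

```python
import configparser
import ctypes
import stat
import sys
from pathlib import Path

# The Win32 error code the issue reports from CryptProtectData (WinError 5).
ERROR_ACCESS_DENIED = 5


def probe_dpapi():
    """Encrypt a tiny blob with CryptProtectData to test DPAPI in this session.

    Returns (ok, win_error). Off Windows DPAPI does not exist, so (False, None).
    A result of (False, 5) is the ERROR_ACCESS_DENIED case from the issue.
    """
    if sys.platform != "win32":
        return False, None

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", ctypes.c_uint32),
                    ("pbData", ctypes.POINTER(ctypes.c_char))]

    crypt32 = ctypes.WinDLL("crypt32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    payload = b"dpapi-probe"  # constructed test data, nothing sensitive
    buf = ctypes.create_string_buffer(payload, len(payload))
    blob_in = DATA_BLOB(len(payload), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    blob_out = DATA_BLOB()
    ok = crypt32.CryptProtectData(ctypes.byref(blob_in), None, None, None, None, 0,
                                  ctypes.byref(blob_out))
    if not ok:
        return False, ctypes.get_last_error()
    kernel32.LocalFree(blob_out.pbData)  # release the buffer DPAPI allocated
    return True, 0


def audit_token_cache(azure_dir):
    """Report whether the encrypt_token_cache=false workaround left a plaintext cache."""
    azure_dir = Path(azure_dir)
    cfg = configparser.ConfigParser()
    cfg.read(azure_dir / "config")  # missing file is simply treated as defaults
    setting = cfg.get("core", "encrypt_token_cache", fallback="true").strip().lower()
    plaintext = azure_dir / "msal_token_cache.json"  # assumed name of the unencrypted cache
    result = {"encryption_disabled": setting == "false",
              "plaintext_cache_present": plaintext.is_file(),
              "cache_readable_by_others": False}
    if plaintext.is_file():  # POSIX mode bits; on Windows check the ACL instead
        mode = stat.S_IMODE(plaintext.stat().st_mode)
        result["cache_readable_by_others"] = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    return result
```

If the audit reports a plaintext cache readable by other users, the remediation is to tighten its permissions and prefer service principal or managed identity login over a copied user profile, as the maintainers recommend above.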