Weird error on login - 'dict' object cannot be interpreted as an integer

[colemickens]

Environment summary

Install Method: How did you install the CLI? (e.g. pip, interactive script, apt-get, Docker, MSI, nightly)

        rm -rf $HOME/.local/lib/python3.6
        mkdir $HOME/.local/lib/python3.6/site-packages
        pip install --no-cache-dir --user --upgrade --pre azure-cli --extra-index-url https://azureclinightly.blob.core.windows.net/packages
        pip install --user --upgrade --pre azure-cli-acr azure-cli-keyvault --extra-index-url https://azureclinightly.blob.core.windows.net/packages

CLI Version: What version of the CLI and modules are installed? (Use az --version)

azure-cli (2.0.2+1.dev20170406)

acr (2.0.0+1.dev20170406)
acs (2.0.2+1.dev20170406)
appservice (0.1.2+1.dev20170406)
batch (2.0.0+1.dev20170406)
cloud (2.0.0+1.dev20170406)
component (2.0.0+1.dev20170406)
configure (2.0.2+1.dev20170406)
container (0.1.2+1.dev20170406)
core (2.0.2+1.dev20170406)
documentdb (0.1.2+1.dev20170406)
feedback (2.0.0+1.dev20170406)
find (0.1.2rc1+1.dev20170312)
iot (0.1.2+1.dev20170406)
keyvault (2.0.0+1.dev20170406)
lab (0.0.1+1.dev20170406)
monitor (0.0.1+1.dev20170406)
network (2.0.2+1.dev20170406)
nspkg (2.0.0+1.dev20170406)
profile (2.0.2+1.dev20170406)
redis (0.1.1b3+1.dev20170406)
resource (2.0.2+1.dev20170406)
role (2.0.1+1.dev20170406)
sql (2.0.0+1.dev20170406)
storage (2.0.2+1.dev20170406)
vm (2.0.2+1.dev20170406)

Python (Linux) 3.6.1 (default, Mar 27 2017, 00:27:06)
[GCC 6.3.1 20170306]

OS Version: What OS and version are you using?
Arch Linux, up to date

Shell Type: What shell are you using? (e.g. bash, cmd.exe, Bash on Windows)
zsh

---

Description

$ az login --service-principal --username xxx --password xxx --tenant xxx
'dict' object cannot be interpreted as an integer
Traceback (most recent call last):
  File "/home/cole/.local/lib/python3.6/site-packages/azure/cli/main.py", line 37, in main
    cmd_result = APPLICATION.execute(args)
  File "/home/cole/.local/lib/python3.6/site-packages/azure/cli/core/application.py", line 157, in execute
    result = expanded_arg.func(params)
  File "/home/cole/.local/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 367, in _execute_command
    raise ex
  File "/home/cole/.local/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 362, in _execute_command
    result = op(client, **kwargs) if client else op(**kwargs)
  File "/home/cole/.local/lib/python3.6/site-packages/azure/cli/command_modules/profile/custom.py", line 79, in login
    tenant)
  File "/home/cole/.local/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 135, in find_subscriptions_on_login
    tenant))
  File "/home/cole/.local/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 500, in save_service_principal_cred
    self._service_principal_creds.pop(matched[0])
TypeError: 'dict' object cannot be interpreted as an integer

If I rm -rf ~/.azure first, it goes away. Maybe a bug in merging stuff together?

Also, weird though, since my script sets AZURE_CONFIG_DIR to a temp dir, so it should be like new every time... I wasn't properly exporting it, when I do, I avoid this issue since each script run gets its own config directory.

[colemickens]

Updated the post, when I set AZURE_CONFIG_DIR properly, I avoid this issue, so again, I think it's a result of the code that merges the new accounts into the existing json files when logging in after the first time.

[derekbekoe]

Related to #2760 (comment).
It appeared in tests but this is the first bug report that shows it affects the product as well.

[msleal]

Hi, I could reproduce this...
Everytime I need to use the Azure CLI (e.g.: az login) using the serviceprincipal, I need to delete the .azure directory to the login work (Login interactive works without removing the .azure directory).
I have not identified which file causes the error (maybe az.sess??)...

A last note: the file .azure/accessTokens.json holds the credentials in clear, that is how it is supposed to be? I mean, it has just read permissions for my user, but seems to be a security risk. The Azure CLI uses this to re-validate the session or something?

Thank you!

[yugangw-msft]

@msleal, @colemickens, I am fixing this bug. Do apologize for the inconvenience.

the file .azure/accessTokens.json holds the credentials in clear

We cache the SP secret, because the token issued for SP carries no refresh token. It is not reasonable for CLI to prompt you for creds every one hour, and actually it is not even possible as the token can expire in the middle of the command session.
CLI sets the file permission at 600, meaning other users will not be able to read it. I can't say the plain file has no security risk but it is still reasonably secure . Also we don't persist user's creds at all.