az account get-access-token fails in Azure Cloud Shell #3641

urosj opened this issue Jun 9, 2017 · 12 comments

urosj commented Jun 9, 2017


Outline the issue here:
Install the newer version of the az CLI client in the Azure cloud shell (the usual curl | bash install) and put it in the path. Try running:

$ az account get-access-token

This produces an "isMRRT" error:
uros@Azure:~$ az account get-access-token 
Traceback (most recent call last):
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/", line 36, in main
    cmd_result = APPLICATION.execute(args)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/", line 210, in execute
    result = expanded_arg.func(params)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/commands/", line 289, in __call__
    return self.handler(*args, **kwargs)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/commands/", line 488, in _execute_command
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/", line 686, in reraise
    raise value
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/commands/", line 465, in _execute_command
    result = op(client, **kwargs) if client else op(**kwargs)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/command_modules/profile/", line 54, in get_access_token
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/", line 334, in get_raw_token
    account[_TENANT_ID], resource)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/", line 522, in retrieve_token_for_user
    token_entry = context.acquire_token(resource, username, _CLIENT_ID)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/", line 126, in acquire_token
    return self._acquire_token(token_func)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/", line 109, in _acquire_token
    return token_func(self)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/", line 124, in token_func
    return token_request.get_token_from_cache_with_refresh(user_id)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/", line 350, in get_token_from_cache_with_refresh
    return self._find_token_from_cache()
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/", line 128, in _find_token_from_cache
    return self._cache_driver.find(cache_query)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/", line 179, in find
    entry, is_resource_tenant_specific = self._load_single_entry_from_cache(query)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/", line 112, in _load_single_entry_from_cache
    token = next(mrrt_tokens, None)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/", line 111, in <genexpr>
    mrrt_tokens = (x for x in potential_entries if x[TokenResponseFields.IS_MRRT])
KeyError: 'isMRRT'

Environment summary

Install Method: How did you install the CLI? (e.g. pip, interactive script, apt-get, Docker, MSI, nightly)
Answer here: curl | bash

CLI Version: What version of the CLI and modules are installed? (Use az --version)
Answer here:
az --version
azure-cli (2.0.7)

acr (2.0.5)
acs (2.0.7)
appservice (0.1.7)
batch (3.0.0)
billing (0.1.0)
cdn (0.0.3)
cloud (2.0.3)
cognitiveservices (0.1.3)
command-modules-nspkg (2.0.0)
component (2.0.5)
configure (2.0.7)
consumption (0.1.0)
core (2.0.7)
cosmosdb (0.1.7)
dla (0.0.7)
dls (0.0.7)
feedback (2.0.3)
find (0.2.3)
interactive (0.3.3)
iot (0.1.6)
keyvault (2.0.5)
lab (0.0.5)
monitor (0.0.5)
network (2.0.7)
nspkg (3.0.0)
profile (2.0.5)
rdbms (0.0.2)
redis (0.2.4)
resource (2.0.7)
role (2.0.5)
sf (1.0.2)
sql (2.0.4)
storage (2.0.7)
vm (2.0.7)

Python (Linux) 3.5.2 (default, Nov 17 2016, 17:05:23)
[GCC 5.4.0 20160609]

Python location '/home/uros/lib/azure-cli/bin/python'

OS Version: What OS and version are you using?
Answer here:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial

Shell Type: What shell are you using? (e.g. bash, cmd.exe, Bash on Windows)
Answer here:

@tjprescott tjprescott added Account az login/account Cloud Shell labels Jun 9, 2017
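
The failure mode in the traceback above, as an added example that is not part of the original issue and is not adal's or the CLI's own code: a token-cache lookup that indexes `isMRRT` directly, beside a tolerant lookup and a check that reports incomplete entries. The cache entries are constructed, and the assumption that the cache held an entry without that key is inferred from the `KeyError`.

```python
IS_MRRT = "isMRRT"  # key name from the KeyError above (multi-resource refresh token flag)

# Constructed cache entries with placeholder values, not real tokens. The first
# has no "isMRRT" key, which is assumed here to be what the cache contained.
SAMPLE_CACHE = [
    {"userId": "user@example.com", "resource": "https://example.invalid/api",
     "accessToken": "<placeholder>"},
    {"userId": "user@example.com", "resource": "https://example.invalid/other",
     "refreshToken": "<placeholder>", IS_MRRT: True},
]


def find_mrrt_strict(entries):
    """Same expression as the last frame of the traceback: indexes the key directly."""
    mrrt_tokens = (x for x in entries if x[IS_MRRT])
    return next(mrrt_tokens, None)


def find_mrrt_tolerant(entries):
    """An entry without the flag is treated as not being an MRRT."""
    mrrt_tokens = (x for x in entries if x.get(IS_MRRT, False))
    return next(mrrt_tokens, None)


def entries_missing(entries, required=(IS_MRRT, "refreshToken")):
    """Return (index, missing keys) per incomplete entry, for a clear error report."""
    report = []
    for i, entry in enumerate(entries):
        missing = [k for k in required if k not in entry]
        if missing:
            report.append((i, missing))
    return report


if __name__ == "__main__":
    try:
        find_mrrt_strict(SAMPLE_CACHE)
    except KeyError as exc:
        print("strict lookup failed:", repr(exc))
    print("tolerant lookup:", find_mrrt_tolerant(SAMPLE_CACHE)["resource"])
    print("incomplete entries:", entries_missing(SAMPLE_CACHE))
```
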

yugangw-msft commented Jun 9, 2017

The get-access-token is not supported to be used in cloud-shell, but I will fix that still. EDIT: The fix will be in adal-python though. The fix was made in CLI 1.0 integrated by cloud console.

Removing the milestone flag... The fix was merged into xplat and will be included in its upcoming release. At that time, cloud console will just integrate it
//cc:@balajikris @mayurid

@yugangw-msft yugangw-msft removed this from the Sprint 18 milestone Jul 5, 2017
@yugangw-msft can you please clarify your answer? Why is it not supported in the Azure portal shell? If you'll fix it in adal-python (not sure what it is), how can I use it in Azure Cloud Shell?

My use case - I'd like to get access token to run REST API calls to Application Insights data.

yugangw-msft commented Jul 13, 2017

@SergeyKanzhelev, the fix was made in CLI 1.0 (aka xplat), not in the adal-python which CLI depends on. I have corrected my old comment.
Cloud console doesn't manage the token used by CLI, rather just initializes the CLI with existing credentials used in the portal. get-access-token is a CLI command which retrieves it from the tokens cached by CLI itself.

SergeyKanzhelev commented Jul 13, 2017

So can you make cloud console generate the token, so one can use it to curl REST call from the console?

I don't think cloud console ever exposes the token endpoint. CLI team doesn't own the console. Maybe you can open a separate issue with the details for why you need this. In the context of CLI, get-access-token is the way to go.
I am closing this issue, as through #4035, the login flow will be taken over by CLI 2.0 and I have verified the command works

Can someone please explain why this doesn't work????

@andrewb-ms it is working for me now. You can use it like this:

This doesn't work for me:

PS Azure:> az account get-access-token
Could not retrieve token from local cache.

It works in Bash but not PowerShell. Seems pretty broken...

@andrewb-ms, from the output you provided, the CLI integrated in PowerShell is a couple of versions older than its counterpart in Bash, hence you have missed out on a few recent improvements, particularly the piece handling when the credential provided by console might not have id-tokens.
@jluk, where can we log an issue to track that PowerShell should integrate a newer CLI?

jluk commented Nov 27, 2017

@HemantMahawar as FYI, I believe they prefer tracking here:

And 7 months later, the problem still happens:
thang@Azure:~$ az ml env show -g MLModelHosting-rd-rg -n deploy1
A Cloud Shell credential problem occurred. When you report the issue with the error below, please mention the hostname 'cc-efbb97af-236349040-krskc'
"Azure-cli-ml Version": "0.1.0a27.post3",
"Error": "Could not retrieve token from local cache."

Great work guys.
