az account get-access-token fails in Azure Cloud Shell

[urosj]

Description

Outline the issue here:
Install the newer version of the az CLI client in the Azure cloud shell (the usual curl | bash install) and put it in the path. Try running:

$ az account get-access-token.

This produces "isMRRT" error: 
uros@Azure:~$ az account get-access-token 
'isMRRT'
Traceback (most recent call last):
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/main.py", line 36, in main
    cmd_result = APPLICATION.execute(args)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/application.py", line 210, in execute
    result = expanded_arg.func(params)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/commands/__init__.py", line 289, in __call__
    return self.handler(*args, **kwargs)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/commands/__init__.py", line 488, in _execute_command
    reraise(*sys.exc_info())
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/six.py", line 686, in reraise
    raise value
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/commands/__init__.py", line 465, in _execute_command
    result = op(client, **kwargs) if client else op(**kwargs)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/command_modules/profile/custom.py", line 54, in get_access_token
    resource=resource)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/_profile.py", line 334, in get_raw_token
    account[_TENANT_ID], resource)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/_profile.py", line 522, in retrieve_token_for_user
    token_entry = context.acquire_token(resource, username, _CLIENT_ID)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/authentication_context.py", line 126, in acquire_token
    return self._acquire_token(token_func)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/authentication_context.py", line 109, in _acquire_token
    return token_func(self)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/authentication_context.py", line 124, in token_func
    return token_request.get_token_from_cache_with_refresh(user_id)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/token_request.py", line 350, in get_token_from_cache_with_refresh
    return self._find_token_from_cache()
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/token_request.py", line 128, in _find_token_from_cache
    return self._cache_driver.find(cache_query)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/cache_driver.py", line 179, in find
    entry, is_resource_tenant_specific = self._load_single_entry_from_cache(query)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/cache_driver.py", line 112, in _load_single_entry_from_cache
    token = next(mrrt_tokens, None)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/cache_driver.py", line 111, in <genexpr>
    mrrt_tokens = (x for x in potential_entries if x[TokenResponseFields.IS_MRRT])
KeyError: 'isMRRT'

Environment summary

Install Method: How did you install the CLI? (e.g. pip, interactive script, apt-get, Docker, MSI, nightly)
Answer here: curl | bash

CLI Version: What version of the CLI and modules are installed? (Use az --version)
Answer here:
az --version
azure-cli (2.0.7)

acr (2.0.5)
acs (2.0.7)
appservice (0.1.7)
batch (3.0.0)
billing (0.1.0)
cdn (0.0.3)
cloud (2.0.3)
cognitiveservices (0.1.3)
command-modules-nspkg (2.0.0)
component (2.0.5)
configure (2.0.7)
consumption (0.1.0)
core (2.0.7)
cosmosdb (0.1.7)
dla (0.0.7)
dls (0.0.7)
feedback (2.0.3)
find (0.2.3)
interactive (0.3.3)
iot (0.1.6)
keyvault (2.0.5)
lab (0.0.5)
monitor (0.0.5)
network (2.0.7)
nspkg (3.0.0)
profile (2.0.5)
rdbms (0.0.2)
redis (0.2.4)
resource (2.0.7)
role (2.0.5)
sf (1.0.2)
sql (2.0.4)
storage (2.0.7)
vm (2.0.7)

Python (Linux) 3.5.2 (default, Nov 17 2016, 17:05:23)
[GCC 5.4.0 20160609]

Python location '/home/uros/lib/azure-cli/bin/python'

OS Version: What OS and version are you using?
Answer here:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial

Shell Type: What shell are you using? (e.g. bash, cmd.exe, Bash on Windows)
Answer here:
bash

[yugangw-msft]

The get-access-token is not supported to be used in cloud-shell, but i will fix that still. EDIT The fix will be in adal-python though. The fix was made in CLI 1.0 integrated by cloud console

[yugangw-msft]

Removing the milestone flag... The fix was merged into xplat and will be included in its upcoming release. At that time, cloud console will just integrate it
//cc:@balajikris @mayurid

[SergeyKanzhelev]

@yugangw-msft can you please clarify your answer. Why it is not supported in azure portal shell? if you'll fix it in adal-python (not sure what it is) - how can I use it in Azure Cloud Shell?

My use case - I'd like to get access token to run REST API calls to Application Insights data.

[yugangw-msft]

@SergeyKanzhelev, the fix was made in CLI 1.0(aka xplat), not in the adal-python which CLI depends on. I have corrected my old comment.
Cloud console doesn't manage the token used by CLI, rather just initializes the CLI with existing credentials used in the portal. get-access-token is a CLI command which retrieves it from the tokens cached by CLI itself

[SergeyKanzhelev]

So can you make cloud console generate the token, so one can use it to curl REST call from the console?

[yugangw-msft]

I don't think cloud console ever exposes the token endpoint. CLI team doesn't own the console. Maybe you can open a separate issue with the details for why you need this. In the context of CLI, get-access-token is the way to go.
I am closing this issue, as through #4035, the login flow will be taken over by CLI 2.0 and I have verified the command works

[andrewb-ms]

Can someone please explain why this doesn't work????

[SergeyKanzhelev]

@andrewb-ms it is working for me now. You can use it like this: http://apmtips.com/blog/2017/09/19/query-multiple-applications/

[andrewb-ms]

This doesn't work for me:

PS Azure:> az account get-access-token
Could not retrieve token from local cache.
Azure:\

It works in Bash but not PowerShell. Seems pretty broken...

[yugangw-msft]

@andrewb-ms, from the output you provided, the CLI integrated in the PowerShell is couple of versions older than the counter part in the Bash, hence you have missed out a few recent improvements, particularly the piece handling when the credential provided by console might not have id-tokens.
@jluk, where we can log an issue to track PowerShell should integrate newer CLI?

[jluk]

@HemantMahawar as FYI, I believe they prefer tracking here: https://github.com/PowerShell/PSCloudConsole/issues

[thangduong]

And 7 months later, the problem still happens:
thang@Azure:~$ az ml env show -g MLModelHosting-rd-rg -n deploy1
A Cloud Shell credential problem occurred. When you report the issue with the error below, please mention the hostname 'cc-efbb97af-236349040-krskc'
{
"Azure-cli-ml Version": "0.1.0a27.post3",
"Error": "Could not retrieve token from local cache."
}

Great work guys.