New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

az account get-access-token fails in Azure Cloud Shell #3641

Closed
urosj opened this Issue Jun 9, 2017 · 12 comments

Comments

Projects
None yet
7 participants
@urosj

urosj commented Jun 9, 2017

Description

Outline the issue here:
Install the newer version of the az CLI client in the Azure cloud shell (the usual curl | bash install) and put it in the path. Try running:

$ az account get-access-token.

This produces "isMRRT" error: 
uros@Azure:~$ az account get-access-token 
'isMRRT'
Traceback (most recent call last):
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/main.py", line 36, in main
    cmd_result = APPLICATION.execute(args)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/application.py", line 210, in execute
    result = expanded_arg.func(params)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/commands/__init__.py", line 289, in __call__
    return self.handler(*args, **kwargs)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/commands/__init__.py", line 488, in _execute_command
    reraise(*sys.exc_info())
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/six.py", line 686, in reraise
    raise value
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/commands/__init__.py", line 465, in _execute_command
    result = op(client, **kwargs) if client else op(**kwargs)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/command_modules/profile/custom.py", line 54, in get_access_token
    resource=resource)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/_profile.py", line 334, in get_raw_token
    account[_TENANT_ID], resource)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/azure/cli/core/_profile.py", line 522, in retrieve_token_for_user
    token_entry = context.acquire_token(resource, username, _CLIENT_ID)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/authentication_context.py", line 126, in acquire_token
    return self._acquire_token(token_func)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/authentication_context.py", line 109, in _acquire_token
    return token_func(self)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/authentication_context.py", line 124, in token_func
    return token_request.get_token_from_cache_with_refresh(user_id)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/token_request.py", line 350, in get_token_from_cache_with_refresh
    return self._find_token_from_cache()
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/token_request.py", line 128, in _find_token_from_cache
    return self._cache_driver.find(cache_query)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/cache_driver.py", line 179, in find
    entry, is_resource_tenant_specific = self._load_single_entry_from_cache(query)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/cache_driver.py", line 112, in _load_single_entry_from_cache
    token = next(mrrt_tokens, None)
  File "/home/uros/lib/azure-cli/lib/python3.5/site-packages/adal/cache_driver.py", line 111, in <genexpr>
    mrrt_tokens = (x for x in potential_entries if x[TokenResponseFields.IS_MRRT])
KeyError: 'isMRRT'

Environment summary

Install Method: How did you install the CLI? (e.g. pip, interactive script, apt-get, Docker, MSI, nightly)
Answer here: curl | bash

CLI Version: What version of the CLI and modules are installed? (Use az --version)
Answer here:
az --version
azure-cli (2.0.7)

acr (2.0.5)
acs (2.0.7)
appservice (0.1.7)
batch (3.0.0)
billing (0.1.0)
cdn (0.0.3)
cloud (2.0.3)
cognitiveservices (0.1.3)
command-modules-nspkg (2.0.0)
component (2.0.5)
configure (2.0.7)
consumption (0.1.0)
core (2.0.7)
cosmosdb (0.1.7)
dla (0.0.7)
dls (0.0.7)
feedback (2.0.3)
find (0.2.3)
interactive (0.3.3)
iot (0.1.6)
keyvault (2.0.5)
lab (0.0.5)
monitor (0.0.5)
network (2.0.7)
nspkg (3.0.0)
profile (2.0.5)
rdbms (0.0.2)
redis (0.2.4)
resource (2.0.7)
role (2.0.5)
sf (1.0.2)
sql (2.0.4)
storage (2.0.7)
vm (2.0.7)

Python (Linux) 3.5.2 (default, Nov 17 2016, 17:05:23)
[GCC 5.4.0 20160609]

Python location '/home/uros/lib/azure-cli/bin/python'

OS Version: What OS and version are you using?
Answer here:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial

Shell Type: What shell are you using? (e.g. bash, cmd.exe, Bash on Windows)
Answer here:
bash

@yugangw-msft

This comment has been minimized.

Show comment
Hide comment
@yugangw-msft

yugangw-msft Jun 9, 2017

Contributor

The get-access-token is not supported to be used in cloud-shell, but i will fix that still. EDIT The fix will be in adal-python though. The fix was made in CLI 1.0 integrated by cloud console

Contributor

yugangw-msft commented Jun 9, 2017

The get-access-token is not supported to be used in cloud-shell, but i will fix that still. EDIT The fix will be in adal-python though. The fix was made in CLI 1.0 integrated by cloud console

@yugangw-msft

This comment has been minimized.

Show comment
Hide comment
@yugangw-msft

yugangw-msft Jul 5, 2017

Contributor

Removing the milestone flag... The fix was merged into xplat and will be included in its upcoming release. At that time, cloud console will just integrate it
//cc:@balajikris @mayurid

Contributor

yugangw-msft commented Jul 5, 2017

Removing the milestone flag... The fix was merged into xplat and will be included in its upcoming release. At that time, cloud console will just integrate it
//cc:@balajikris @mayurid

@yugangw-msft yugangw-msft removed this from the Sprint 18 milestone Jul 5, 2017

@SergeyKanzhelev

This comment has been minimized.

Show comment
Hide comment
@SergeyKanzhelev

SergeyKanzhelev Jul 13, 2017

Member

@yugangw-msft can you please clarify your answer. Why it is not supported in azure portal shell? if you'll fix it in adal-python (not sure what it is) - how can I use it in Azure Cloud Shell?

My use case - I'd like to get access token to run REST API calls to Application Insights data.

Member

SergeyKanzhelev commented Jul 13, 2017

@yugangw-msft can you please clarify your answer. Why it is not supported in azure portal shell? if you'll fix it in adal-python (not sure what it is) - how can I use it in Azure Cloud Shell?

My use case - I'd like to get access token to run REST API calls to Application Insights data.

@yugangw-msft

This comment has been minimized.

Show comment
Hide comment
@yugangw-msft

yugangw-msft Jul 13, 2017

Contributor

@SergeyKanzhelev, the fix was made in CLI 1.0(aka xplat), not in the adal-python which CLI depends on. I have corrected my old comment.
Cloud console doesn't manage the token used by CLI, rather just initializes the CLI with existing credentials used in the portal. get-access-token is a CLI command which retrieves it from the tokens cached by CLI itself

Contributor

yugangw-msft commented Jul 13, 2017

@SergeyKanzhelev, the fix was made in CLI 1.0(aka xplat), not in the adal-python which CLI depends on. I have corrected my old comment.
Cloud console doesn't manage the token used by CLI, rather just initializes the CLI with existing credentials used in the portal. get-access-token is a CLI command which retrieves it from the tokens cached by CLI itself

@SergeyKanzhelev

This comment has been minimized.

Show comment
Hide comment
@SergeyKanzhelev

SergeyKanzhelev Jul 13, 2017

Member

So can you make cloud console generate the token, so one can use it to curl REST call from the console?

Member

SergeyKanzhelev commented Jul 13, 2017

So can you make cloud console generate the token, so one can use it to curl REST call from the console?

@yugangw-msft

This comment has been minimized.

Show comment
Hide comment
@yugangw-msft

yugangw-msft Jul 18, 2017

Contributor

I don't think cloud console ever exposes the token endpoint. CLI team doesn't own the console. Maybe you can open a separate issue with the details for why you need this. In the context of CLI, get-access-token is the way to go.
I am closing this issue, as through #4035, the login flow will be taken over by CLI 2.0 and I have verified the command works

Contributor

yugangw-msft commented Jul 18, 2017

I don't think cloud console ever exposes the token endpoint. CLI team doesn't own the console. Maybe you can open a separate issue with the details for why you need this. In the context of CLI, get-access-token is the way to go.
I am closing this issue, as through #4035, the login flow will be taken over by CLI 2.0 and I have verified the command works

@andrewb-ms

This comment has been minimized.

Show comment
Hide comment
@andrewb-ms

andrewb-ms Nov 27, 2017

Can someone please explain why this doesn't work????

andrewb-ms commented Nov 27, 2017

Can someone please explain why this doesn't work????

@SergeyKanzhelev

This comment has been minimized.

Show comment
Hide comment
@SergeyKanzhelev
Member

SergeyKanzhelev commented Nov 27, 2017

@andrewb-ms it is working for me now. You can use it like this: http://apmtips.com/blog/2017/09/19/query-multiple-applications/

@andrewb-ms

This comment has been minimized.

Show comment
Hide comment
@andrewb-ms

andrewb-ms Nov 27, 2017

This doesn't work for me:

PS Azure:> az account get-access-token
Could not retrieve token from local cache.
Azure:\

It works in Bash but not PowerShell. Seems pretty broken...

andrewb-ms commented Nov 27, 2017

This doesn't work for me:

PS Azure:> az account get-access-token
Could not retrieve token from local cache.
Azure:\

It works in Bash but not PowerShell. Seems pretty broken...

@yugangw-msft

This comment has been minimized.

Show comment
Hide comment
@yugangw-msft

yugangw-msft Nov 27, 2017

Contributor

@andrewb-ms, from the output you provided, the CLI integrated in the PowerShell is couple of versions older than the counter part in the Bash, hence you have missed out a few recent improvements, particularly the piece handling when the credential provided by console might not have id-tokens.
@jluk, where we can log an issue to track PowerShell should integrate newer CLI?

Contributor

yugangw-msft commented Nov 27, 2017

@andrewb-ms, from the output you provided, the CLI integrated in the PowerShell is couple of versions older than the counter part in the Bash, hence you have missed out a few recent improvements, particularly the piece handling when the credential provided by console might not have id-tokens.
@jluk, where we can log an issue to track PowerShell should integrate newer CLI?

@jluk

This comment has been minimized.

Show comment
Hide comment
@jluk

jluk Nov 27, 2017

Contributor

@HemantMahawar as FYI, I believe they prefer tracking here: https://github.com/PowerShell/PSCloudConsole/issues

Contributor

jluk commented Nov 27, 2017

@HemantMahawar as FYI, I believe they prefer tracking here: https://github.com/PowerShell/PSCloudConsole/issues

@thangduong

This comment has been minimized.

Show comment
Hide comment
@thangduong

thangduong Jun 20, 2018

And 7 months later, the problem still happens:
thang@Azure:~$ az ml env show -g MLModelHosting-rd-rg -n deploy1
A Cloud Shell credential problem occurred. When you report the issue with the error below, please mention the hostname 'cc-efbb97af-236349040-krskc'
{
"Azure-cli-ml Version": "0.1.0a27.post3",
"Error": "Could not retrieve token from local cache."
}

Great work guys.

thangduong commented Jun 20, 2018

And 7 months later, the problem still happens:
thang@Azure:~$ az ml env show -g MLModelHosting-rd-rg -n deploy1
A Cloud Shell credential problem occurred. When you report the issue with the error below, please mention the hostname 'cc-efbb97af-236349040-krskc'
{
"Azure-cli-ml Version": "0.1.0a27.post3",
"Error": "Could not retrieve token from local cache."
}

Great work guys.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment