[ACR] Fix Azure/azure-cli#33698: az acr login: Fix ARM token exchange fallback for AzureML MSI/SSO #33699
a0x1ab left a comment
CI Review — PR #33699
Live test (Tester): No changed test files were detected in this PR (tests/**/test_*.py), so the azdev test --live step had nothing to run. This is informational only — not a blocker.
CI failure — action required:
- ❌ Test Homebrew Formula — https://github.com/Azure/azure-cli/runs/84989975666 (Azure DevOps build details)
Please investigate why the Homebrew formula test is failing for this change (e.g. formula/checksum generation, packaging metadata, or a dependency pinned incorrectly) and push a fix. Note the companion Build Homebrew Formula step succeeded, so the regression is specific to the formula test step — check the linked Azure DevOps build log for the exact assertion/error before making changes.
All other completed checks are currently passing (71/72 completed checks green); several packaging checks are still in progress and will be re-evaluated on the next pass.
Posted by agent-assist (autonomous bug-fix pipeline).
@copilot the automated CI and live-test review on this PR found failures. Please look into the requested changes here: #33699 (review) and push a fix. Posted by agent-assist (autonomous bug-fix pipeline).
Investigated the Root cause analysis:
What I found:
Fix pushed: Added the |
a0x1ab left a comment
Automated review summary — PR #33699
CI status: ✅ All 48 checks passed, no failures, nothing pending.
Live test (Tester): live-test.yml workflow run
(https://github.com/Azure/issue-sentinel/actions/runs/28658380150) failed
before any test code executed, due to an infrastructure/auth issue: the
classic PAT stored in the azclibotfinegrainedpat Key Vault
(azclibot-pat) is being rejected by the Microsoft Open Source enterprise
policy (HTTP 403: ... forbids access via a personal access tokens (classic) if the token's lifetime is greater than 8 days). This happened while the
job was simply trying to fetch the PR's head SHA via gh api, so no live
test selectors were ever resolved or run.
This is not a code issue in this PR and is outside the scope of what the
Copilot coding agent can fix (it requires rotating/shortening the lifetime
of the azclibot-pat secret in Key Vault, a maintainer/infra action).
Given all CI checks are green, this PR is not being blocked on the tester
step; a maintainer should confirm live-test coverage manually before merge,
and the azclibot-pat secret should be refreshed to restore automated live
testing for this and future PRs.
Posted by agent-assist (autonomous bug-fix pipeline).
Related command
az acr login
Description
In AzureML Compute Instance environments using az login --identity (MSI/SSO), az acr login fails because acquiring an AAD token scoped to https://containerregistry.azure.net returns an SSO error. ACR's /oauth2/exchange endpoint accepts ARM management tokens (https://management.azure.com/) equally well, and that token is available in these environments — this path worked in 2.81.0.
The regression was introduced in #31798, which removed the conditional ARM-token fallback and hardcoded the ACR audience as the only option.
Fix: In _get_aad_token_after_challenge, catch CLIError from profile.get_raw_token(resource=<acr-scope>) and retry with no resource (ARM management endpoint). The ACR-specific audience is still preferred; ARM is only used when the scoped request fails.
Testing Guide
On an AzureML Compute Instance with MSI login:
Unit test test_get_docker_credentials_arm_token_fallback added: mocks get_raw_token to raise CLIError on the ACR-scope call and verifies login succeeds via the ARM fallback.
History Notes
[ACR] az acr login: Fix ARM token exchange fallback for AzureML MSI/SSO environments
This checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description have followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.
I adhere to the Error Handling Guidelines.
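The fallback order the description gives (ACR-scoped token first, default ARM token only when that request raises CLIError), as an added example that is not the PR's code. `FakeProfile`, the local `CLIError` class, `get_token_for_exchange`, the stub's return shape and the token strings are all assumptions constructed for illustration.

```python
import logging

logger = logging.getLogger("acr_login_example")

# ACR audience named in the PR description
ACR_RESOURCE = "https://containerregistry.azure.net"


class CLIError(Exception):
    """Local stand-in for the CLI's CLIError so the example runs offline."""


class FakeProfile:
    """Constructed stub: mimics an MSI/SSO environment that may refuse the ACR audience."""

    def __init__(self, acr_scope_works):
        self.acr_scope_works = acr_scope_works
        self.calls = []  # resources requested, in order

    def get_raw_token(self, resource=None):
        self.calls.append(resource)
        if resource == ACR_RESOURCE and not self.acr_scope_works:
            raise CLIError("SSO error (constructed)")
        audience = resource or "https://management.azure.com/"
        # Assumed return shape for this stub: ((type, token, entry), subscription, tenant)
        return ("Bearer", "token-for-" + audience, {}), "sub-placeholder", "tenant-placeholder"


def get_token_for_exchange(profile, acr_resource=ACR_RESOURCE):
    """Prefer the ACR-scoped token; use the default (ARM) token only on CLIError.

    Returns (access_token, fell_back) so callers and logs can tell which audience was used.
    """
    try:
        creds, _, _ = profile.get_raw_token(resource=acr_resource)
        return creds[1], False
    except CLIError as ex:
        # Only the CLI's own auth error triggers the fallback; other exceptions propagate.
        logger.warning("ACR-scoped token request failed (%s); retrying with ARM audience", ex)
        creds, _, _ = profile.get_raw_token()
        return creds[1], True
```

Returning the `fell_back` flag and logging the retry keeps the broader-audience path visible when reviewing login behaviour, rather than silently substituting the ARM token.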