Unable to test user interactive login due to: Your device is required to be managed to access this resource #1029

Closed
zzhxiaofeng opened this issue Oct 28, 2022 · 10 comments
@zzhxiaofeng
Member

Describe the issue:
Azure Dev deploys failed for todo-python-mongo-terraform and todo-nodejs-mongo-terraform

Repro Steps:
Run command: bash ./test-templates.sh -t <template_name> -b staging -c false.

Error Message:
GetImage (32)

Environment:
OS: linux, codespaces, DevContainer in VS Code
Template:
https://github.com/Azure-Samples/todo-python-mongo-terraform
https://github.com/Azure-Samples/todo-nodejs-mongo-terraform
Branch: staging
Azd version: 0.3.0-beta.6-daily.1947218 (commit e20ee4e)

Expected behavior:
Azure Dev deploys successfully for todo-python-mongo-terraform and todo-nodejs-mongo-terraform.

@rajeshkamal5050 for notification.

@rajeshkamal5050

@HadwaAbdelhalem can you try these terraform templates from codespaces?

@rajeshkamal5050

@HadwaAbdelhalem to try these terraform templates from Codespaces and will provide an update.

@HadwaAbdelhalem
Contributor

@hattan and I looked into this issue; it turned out to be related to a managed device policy on the target subscription. In order to use AZ CLI authentication for Terraform, azurerm calls the az ad signed-in-user show cmd, which was failing due to the codespace not being a managed device.

The workaround is to use a service principal for Terraform Auth by setting the below arm env vars inside the code space before running azd up or provision commands:

export ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
export ARM_TENANT_ID="<azure_subscription_tenant_id>"
export ARM_CLIENT_ID="<service_principal_appid>"
export ARM_CLIENT_SECRET="<service_principal_password>"

more details available here

please test it and let me know.

@rajeshkamal5050 rajeshkamal5050 added this to the Backlog milestone Oct 31, 2022
@ghost ghost added the needs-triage For new issues label Nov 1, 2022
@zedy-wj
Member

zedy-wj commented Nov 2, 2022

@HadwaAbdelhalem - We have tested using a service principal for Terraform Auth and it works fine in codespace, devcontainer and linux desktop environments when executing the command: bash ./test-templates.sh -t <template_name> -b staging -c false -s <subscriptionId>. Besides, we have tried to use az login without device code flow in codespace and devcontainer environments and it also works fine.

@weikanglim weikanglim changed the title from "Azure Dev deploys failed for todo-python-mongo-terraform and todo-nodejs-mongo-terraform" to "Unable to test user interactive login due to: Your device is required to be managed to access this resource" Nov 2, 2022
@weikanglim
Contributor

@danieljurek @rajeshkamal5050 We likely want to create a separate AAD tenant to be able to test user login scenarios in codespace, devcontainer environments. I think this will be more important as #1022 lands.

@pamelafox
Member

I also run into this on todo-python-mongo (non-terraform) when trying to login with my @microsoft.com account inside Codespaces:

@pamelafox ➜ /workspaces/todo-python-mongo (main ✗) $ azd pipeline config
Using pipeline provider: GitHub
Creating or updating service principal az-dev-11-08-2022-18-24-51.

Error: failed to create or update service principal: failed retrieving application list, failed executing request: AzureCLICredential: ERROR: AADSTS530003: Your device is required to be managed to access this resource.
Trace ID: 884883b4-21c4-4259-ad97-d794c18d9f00
Correlation ID: b0449ee7-6df3-4797-8f97-26b9ea134453
Timestamp: 2022-11-08 18:24:51Z
To re-authenticate, please run:
az login --scope https://graph.microsoft.com/.default

It was fine with my non-microsoft.com account.

@vhvb1989
Member

vhvb1989 commented Nov 8, 2022

> I also run into this on todo-python-mongo (non-terraform) when trying to login with my @microsoft.com account inside Codespaces:
>
> @pamelafox ➜ /workspaces/todo-python-mongo (main ✗) $ azd pipeline config
> Using pipeline provider: GitHub
> Creating or updating service principal az-dev-11-08-2022-18-24-51.
>
> Error: failed to create or update service principal: failed retrieving application list, failed executing request: AzureCLICredential: ERROR: AADSTS530003: Your device is required to be managed to access this resource.
> Trace ID: 884883b4-21c4-4259-ad97-d794c18d9f00
> Correlation ID: b0449ee7-6df3-4797-8f97-26b9ea134453
> Timestamp: 2022-11-08 18:24:51Z
> To re-authenticate, please run:
> az login --scope https://graph.microsoft.com/.default
>
> It was fine with my non-microsoft.com account.

@pamelafox, you can use this workaround: #1006 (comment)
for interactive login in Codespaces
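
For triage of the AADSTS530003 output quoted in the two comments above, the sketch below (an added example, not code from azd or from any commenter) pulls out the error code together with the Correlation ID, Trace ID and Timestamp, which are the values a tenant administrator needs to find the blocked sign-in in the directory's sign-in logs. The function names are hypothetical; the sample text is the error quoted in this thread.

```shell
#!/bin/sh
# Added example: triage an AADSTS failure printed by az/azd.
# Function names are hypothetical and not part of azd or the Azure CLI.

# Error text copied from the azd output quoted in this thread.
sample_error() {
cat <<'EOF'
Error: failed to create or update service principal: failed retrieving application list, failed executing request: AzureCLICredential: ERROR: AADSTS530003: Your device is required to be managed to access this resource.
Trace ID: 884883b4-21c4-4259-ad97-d794c18d9f00
Correlation ID: b0449ee7-6df3-4797-8f97-26b9ea134453
Timestamp: 2022-11-08 18:24:51Z
EOF
}

# Print the first AADSTS error code found in the text ($1), if any.
aadsts_code() {
    printf '%s\n' "$1" | sed -n 's/.*\(AADSTS[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print the value of a "Label: value" line, e.g. label "Correlation ID" ($2).
aadsts_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Summarise the failure as key=value lines; returns 1 if no AADSTS code is present.
triage_aadsts() {
    code=$(aadsts_code "$1")
    [ -n "$code" ] || { echo "no AADSTS code found"; return 1; }
    echo "code=$code"
    echo "correlation_id=$(aadsts_field "$1" 'Correlation ID')"
    echo "trace_id=$(aadsts_field "$1" 'Trace ID')"
    echo "timestamp=$(aadsts_field "$1" 'Timestamp')"
    case "$code" in
        # The only code discussed in this thread; others are left unclassified.
        AADSTS530003) echo "cause=managed-device policy blocked this user sign-in" ;;
        *)            echo "cause=unclassified" ;;
    esac
}
```

Feed it captured output, for example `triage_aadsts "$(azd pipeline config 2>&1)"`, and pass the resulting correlation ID and timestamp to whoever administers the tenant.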

@v-xuto
Member

v-xuto commented Dec 7, 2022

@danieljurek This issue also occurs in the following cases, and this issue can be solved by logging in with the service principal and setting the following arm env vars. For more details, check here.

  • Arm Env Vars:
export ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
export ARM_TENANT_ID="<azure_subscription_tenant_id>"
export ARM_CLIENT_ID="<service_principal_appid>"
export ARM_CLIENT_SECRET="<service_principal_password>"
  • Cases:

    • OS: Devcontainer in VS Code, Codespaces.
    • Template: todo-nodejs-mongo-terraform.
    • Branch: staging.
    • Azd version: 0.4.0-beta.1 (commit 2bf7a52)
    • Repro steps:
      1. Run azd init -t todo-nodejs-mongo-terraform -b staging.
      2. Run azd up
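
A pre-flight check for the ARM_* service principal variables given in the two workaround comments above, as an added example that is not part of the thread or of azd. The function names are hypothetical, and it assumes the subscription, tenant and client IDs are GUIDs; the value of ARM_CLIENT_SECRET is never printed.

```shell
#!/bin/sh
# Added example: verify the service principal variables before provisioning.
# Function names are hypothetical and not part of azd or Terraform.

# Succeeds when $1 looks like a GUID (assumed format of the three ID values).
is_guid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Prints one line per problem and returns the number of problems (0 = ready).
check_arm_env() {
    problems=0
    for name in ARM_SUBSCRIPTION_ID ARM_TENANT_ID ARM_CLIENT_ID; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "$name is not set"
            problems=$((problems + 1))
        elif ! is_guid "$value"; then
            echo "$name is not a GUID (placeholder left in?)"
            problems=$((problems + 1))
        fi
    done
    # Only presence and the "<...>" placeholder are checked; the secret is not echoed.
    case "${ARM_CLIENT_SECRET:-}" in
        "")
            echo "ARM_CLIENT_SECRET is not set"
            problems=$((problems + 1)) ;;
        "<"*)
            echo "ARM_CLIENT_SECRET still holds the placeholder text"
            problems=$((problems + 1)) ;;
    esac
    return "$problems"
}
```

Call it as `check_arm_env && azd up` so provisioning only starts when all four values are present.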

@myurasov

Is it fixed in latest CLI yet?

@v-xuto
Member

v-xuto commented Jan 29, 2023

@myurasov Terraform templates need az cli to be installed additionally. After installation, log in with both azd login and az login commands, and this issue will not be reproduced with latest CLI. Besides, we will close this issue.

@v-xuto v-xuto closed this as completed Jan 29, 2023