[Issue] AZURE_CREDENTIALS not set in new Github workflow, login fails #1399

Closed
1 task done
pamelafox opened this issue Jan 15, 2023 · 4 comments

Comments

@pamelafox
Member

Output from azd version

Whatever's in mcr.microsoft.com/azure-dev-cli-apps:latest

Output from az version

N/A

Describe the bug

I updated my Github workflow to use the new login scheme, re-ran azd pipeline config locally on the very latest azd (azd version 0.5.0-beta.3), and pushed the Github secrets.
Unfortunately, the azd provision stage is ending in:

ERROR: loading environment: initializing environment: reading subscription id: no default response for prompt 'Please select an Azure Subscription to use:'

You can see the full output here, I even added --debug flag to help:
https://github.com/pamelafox/msdocs-django-postgresql-sample-app-azd/actions/runs/3925438619/jobs/6710359802

To Reproduce

Expected behavior

I expected a successful deploy. I ported a very similar repo today as well (https://github.com/pamelafox/msdocs-flask-postgresql-sample-app-azd), and its workflows are fine, which is why I'm really flummoxed by this issue.

@ghost ghost added the needs-triage For new issues label Jan 15, 2023
@pamelafox pamelafox changed the title [Issue] Error with azd provision in new Github workflow [Issue] AZURE_CREDENTIALS not set in new Github workflow, login fails Jan 16, 2023
@pamelafox
Member Author

Update: I looked through the azd code and have a better understanding of the issue. I was getting an error on azd provision in this repo because my repo had an old AZURE_CREDENTIALS secret that didn't match the other env variables. Once I delete that secret, I get an earlier error on the login stage:

Run $info = $Env:AZURE_CREDENTIALS | ConvertFrom-Json -AsHashtable;
  $info = $Env:AZURE_CREDENTIALS | ConvertFrom-Json -AsHashtable;
  Write-Host "::add-mask::$($info.clientSecret)"
  
  azd login `
    --client-id "$($info.clientId)" `
    --client-secret "$($info.clientSecret)" `
    --tenant-id "$($info.tenantId)"
  shell: pwsh -command ". '{0}'"
  env:
    AZURE_CREDENTIALS: 
Warning: Can't add secret mask for empty string in ##[add-mask] command.
Error: flag needs an argument: --tenant-id

That's because there is no AZURE_CREDENTIALS secret, and that's because Github pipeline config defaults to FCIS:

#1086

Is there guidance on how to update workflow for fcis? The latest release notes recommend an incompatible login flow:

- name: Log in with Azure
  run: |
    $info = $Env:AZURE_CREDENTIALS | ConvertFrom-Json -AsHashtable;
    Write-Host "::add-mask::$($info.clientSecret)"

    azd login `
      --client-id "$($info.clientId)" `
      --client-secret "$($info.clientSecret)" `
      --tenant-id "$($info.tenantId)"
  shell: pwsh
  env:
    AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}

@pamelafox
Member Author

pamelafox commented Jan 16, 2023

Ah, I see the official samples use a more complex workflow than what's suggested in the release notes, to account for both auth types:
https://github.com/Azure-Samples/todo-python-mongo-aca/blob/main/.github/workflows/azure-dev.yml

      - name: Log in with Azure (Federated Credentials)
        if: ${{ env.AZURE_CLIENT_ID != '' }}
        run: |
          azd login `
            --client-id "$Env:AZURE_CLIENT_ID" `
            --federated-credential-provider "github" `
            --tenant-id "$Env:AZURE_TENANT_ID"
        shell: pwsh

      - name: Log in with Azure (Client Credentials)
        if: ${{ env.AZURE_CREDENTIALS != '' }}
        run: |
          $info = $Env:AZURE_CREDENTIALS | ConvertFrom-Json -AsHashtable;
          Write-Host "::add-mask::$($info.clientSecret)"
          azd login `
            --client-id "$($info.clientId)" `
            --client-secret "$($info.clientSecret)" `
            --tenant-id "$($info.tenantId)"
        shell: pwsh
        env:
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}

Can someone update the release notes, please?

This appears to be the full diff needed:

Azure-Samples/todo-python-mongo-aca@5381c01#diff-b0a856ddf67919f52d7a1db1bc5c4edf96e59c4761717ca93aeb11239456c2d7
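
An added example, not part of the thread and not the azd project's own code: one pwsh step body that chooses between the two login modes quoted above and stops with a clear message instead of calling azd login with empty arguments, which is what produced "flag needs an argument: --tenant-id". It assumes the workflow maps AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CREDENTIALS into the step's env; Get-AzdLoginArgs is a hypothetical helper name.

```powershell
# Added example. Assumes AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CREDENTIALS
# are mapped into this step's env block by the workflow.
$ErrorActionPreference = 'Stop'

function Get-AzdLoginArgs {   # hypothetical helper, not an azd command
    param([string]$ClientId, [string]$TenantId, [string]$CredentialsJson)

    $hasFederated = -not [string]::IsNullOrWhiteSpace($ClientId)
    $hasSecret    = -not [string]::IsNullOrWhiteSpace($CredentialsJson)

    if ($hasFederated) {
        # Federated credentials: no client secret, only client and tenant ids.
        if ([string]::IsNullOrWhiteSpace($TenantId)) {
            throw 'AZURE_CLIENT_ID is set but AZURE_TENANT_ID is empty.'
        }
        if ($hasSecret) {
            # A leftover secret from an earlier setup may not match the other values.
            Write-Host '::warning::AZURE_CREDENTIALS is also set; using federated credentials and ignoring it.'
        }
        return @('--client-id', $ClientId,
                 '--federated-credential-provider', 'github',
                 '--tenant-id', $TenantId)
    }

    if (-not $hasSecret) {
        throw 'Neither AZURE_CLIENT_ID nor AZURE_CREDENTIALS is set; check the repository secrets and variables.'
    }

    # Client credentials: the JSON secret must carry all three fields.
    $info = $CredentialsJson | ConvertFrom-Json -AsHashtable
    foreach ($key in 'clientId', 'clientSecret', 'tenantId') {
        if ([string]::IsNullOrWhiteSpace($info[$key])) {
            throw "AZURE_CREDENTIALS is missing '$key'."
        }
    }
    # Mask the secret in the job log before it is passed to any command.
    Write-Host "::add-mask::$($info.clientSecret)"
    return @('--client-id', $info.clientId,
             '--client-secret', $info.clientSecret,
             '--tenant-id', $info.tenantId)
}

$loginArgs = Get-AzdLoginArgs -ClientId $Env:AZURE_CLIENT_ID `
                              -TenantId $Env:AZURE_TENANT_ID `
                              -CredentialsJson $Env:AZURE_CREDENTIALS
azd login @loginArgs
if ($LASTEXITCODE -ne 0) { throw "azd login failed with exit code $LASTEXITCODE" }
```
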

@rajeshkamal5050

@wbreza can you take a look and update release notes as needed?

@wbreza
Contributor

wbreza commented Jan 17, 2023

Updated release notes with instructions on the required updates for your GitHub workflow, depending on whether you are using Client Credentials or Federated Credentials.

@wbreza wbreza closed this as completed Jan 17, 2023