
ERROR: AADSTS700024: Client assertion is not within its valid time range #180

Open

guidoiaquinti opened this issue Nov 26, 2021 · 54 comments

Labels: bug (Something isn't working), enhancement (New feature or request), external, oidc, P1 (Some scenario broken but workaround exists)

Comments

guidoiaquinti commented Nov 26, 2021

👋 Hi! I'm using the azure/login action for CD and I'm often getting an error when the job execution takes more than a couple of minutes from the initial login.

ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2021-11-26T09:44:41.0193003Z, expiry time of assertion 2021-11-26T09:31:56.0000000Z.

Is there a way to extend the validity of the token via a parameter? The aws-actions/configure-aws-credentials action does it via a role-duration-seconds flag:

The default session duration is 6 hours when using an IAM User to assume an IAM Role [..] . If you would like to adjust this you can pass a duration to role-duration-seconds, but the duration cannot exceed the maximum that was defined when the IAM Role was created.

ref: https://github.com/aws-actions/configure-aws-credentials/blob/master/README.md#assuming-a-role

Thank you! 🙏

@guidoiaquinti guidoiaquinti added the need-to-triage Requires investigation label Nov 26, 2021
@BALAGA-GAYATRI BALAGA-GAYATRI added question Further information is requested and removed need-to-triage Requires investigation labels Nov 29, 2021
BALAGA-GAYATRI (Collaborator) commented Dec 2, 2021

@kjyam98 @N-Usha @udayxhegde Is this Doable in Azure?

udayxhegde commented Dec 3, 2021

@BALAGA-GAYATRI I am not sure I understand the question: what is Doable in Azure? The issue seems to be that the github token has expired when it is presented to Azure AD

guidoiaquinti (Author) commented Dec 3, 2021

@udayxhegde the problem I'm trying to solve is customising the expiration time of the token. This is useful if you plan to run operations on the Azure platform with timeframes longer than the standard validity.

Example:

  1. Provisioning of the AKS cluster
  2. deploy a stack
  3. execute e2e tests
  4. destruction of the AKS cluster

If the timeframe between steps 1 and 4 is longer than the maximum validity of the token, you will encounter an error similar to the one I posted above.

It would be useful to customise the token validity via azure/login. This is something that other cloud platforms already support.

Example:

    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        role-to-assume: arn:aws:iam::123456789100:role/my-github-actions-role
        role-duration-seconds: 3600

BALAGA-GAYATRI (Collaborator) commented Dec 13, 2021

Hey @guidoiaquinti, This is currently not being implemented in OIDC login mechanism. If you want to leverage the auto refresh mechanism of token, you may use the SPN login by setting your deployment credentials using - https://github.com/Azure/login#configure-a-service-principal-with-a-secret
In this way you will not face token expiration issue.

guidoiaquinti (Author) commented Dec 13, 2021

> Hey @guidoiaquinti, This is currently not being implemented in OIDC login mechanism. If you want to leverage the auto refresh mechanism of token, you may use the SPN login by setting your deployment credentials using - https://github.com/Azure/login#configure-a-service-principal-with-a-secret In this way you will not face token expiration issue.

Thank you for your reply Balaga 🙏

Any plan to add this feature to the Azure roadmap? I'm trying to avoid generating and hardcoding long-term secrets if possible.

BALAGA-GAYATRI (Collaborator) commented Dec 14, 2021

Yes @guidoiaquinti. The refresh token mechanism is yet to be implemented.

@BALAGA-GAYATRI BALAGA-GAYATRI added enhancement New feature or request and removed question Further information is requested labels Dec 14, 2021
guidoiaquinti (Author) commented Dec 14, 2021

BALAGA-GAYATRI (Collaborator) commented Dec 14, 2021

Yes. But we can't commit to a specific timeline for this right now. We will keep you informed.

github-actions bot commented Dec 28, 2021

This issue is idle because it has been open for 14 days with no activity.

@github-actions github-actions bot added the idle Inactive for 14 days label Dec 28, 2021
@kaverma kaverma added the oidc label Jan 18, 2022
@kjyam98 kjyam98 removed their assignment Jan 28, 2022
kjyam98 commented Jan 28, 2022

@BALAGA-GAYATRI please assign to udayxhegde

@github-actions github-actions bot removed the idle Inactive for 14 days label Jan 28, 2022
udayxhegde commented Jan 28, 2022

@kjyam98, that is not the right assignment

> @BALAGA-GAYATRI please assign to udayxhegde

@kjyam98 , @BALAGA-GAYATRI: what are you expecting by assigning to me? did you have a specific design in mind that you need my help?

BALAGA-GAYATRI (Collaborator) commented Jan 31, 2022

> @kjyam98, that is not the right assignment
>
> > @BALAGA-GAYATRI please assign to udayxhegde
>
> @kjyam98 , @BALAGA-GAYATRI: what are you expecting by assigning to me? did you have a specific design in mind that you need my help?

@udayxhegde
Sorry for the confusion. This was already closed over email. We will be working with the CLI team for the changes required in CLI and in Action for the auto-refresh mechanism for addressing the same. Have assigned back the issue to my team.

github-actions bot commented Feb 14, 2022

This issue is idle because it has been open for 14 days with no activity.

@github-actions github-actions bot added the idle Inactive for 14 days label Feb 14, 2022
lpalerm commented Apr 1, 2022

Can this be documented in the federated credentials setup steps? We are having the same issue.

@github-actions github-actions bot removed the idle Inactive for 14 days label Apr 1, 2022
github-actions bot commented Apr 15, 2022

This issue is idle because it has been open for 14 days with no activity.

@github-actions github-actions bot added the idle Inactive for 14 days label Apr 15, 2022
matt-FFFFFF (Member) commented Oct 10, 2022

Still necessary

@github-actions github-actions bot removed the idle Inactive for 14 days label Oct 10, 2022
github-actions bot commented Oct 24, 2022

This issue is idle because it has been open for 14 days with no activity.

@github-actions github-actions bot added the idle Inactive for 14 days label Oct 24, 2022
matt-FFFFFF (Member) commented Oct 24, 2022

Still necessary (this is fun 👍)

@github-actions github-actions bot removed the idle Inactive for 14 days label Oct 24, 2022
RenatoMartins-tomtom commented Oct 27, 2022

bump again. More than one year in the making? Plenty of docs about github actions + azure using OIDC (perfect, no need to rotate credentials). And the pipeline can run for negligible < 10 minutes?
https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Cwindows

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure

Token policies, as mentioned, have no effect. No defaults changed on the tenant, and the token is valid for 1 hour... https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes#access-id-and-saml2-token-lifetime-policy-properties

sandrochristiaan commented Oct 27, 2022

@RenatoMartins-tomtom I totally agree, it is a bit weird the difference between reality and what is being propagated in the documentation.

I would be quite happy to just have a 'draft' timeline on when to expect possible work to be done on this issue :|

Please can someone please provide a real answer on what we can expect?

udayxhegde commented Oct 28, 2022

The tokens you get for the Application registration should be valid for an hour, not less than that. If anyone has tokens expiring less than an hour, can you provide more details on your action and where it is expiring?

Also: federation on managed identities is in public preview, and these tokens should work even if the actions take 5 hours. Please see if that addresses your scenario in a better way

RenatoMartins-tomtom commented Oct 28, 2022

Hi @udayxhegde. The error I get is similar to this:

ClientAssertionCredential authentication failed: A
     | configuration issue is preventing authentication - check the
     | error message from the server for details. You can modify the
     | configuration in the application registration portal. See
     | https://aka.ms/msal-net-invalid-client for details.  Original
     | exception: AADSTS700024: Client assertion is not within its
     | valid time range. Current time: 2022-10-26T06:11:15.1049397Z,
     | assertion valid from 2022-10-26T06:01:13.0000000Z, expiry time
     | of assertion 2022-10-26T06:06:13.0000000Z. Review the
     | documentation at

The action is as simple as this

    runs-on: ubuntu-latest
    steps:

    - name: Checkout self
      uses: actions/checkout@v2

    - name: Login to Azure
      uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        enable-AzPSSession: true
        allow-no-subscriptions: true

    - name: Scan eligible groups for member count
      shell: pwsh
      env:
        TENANT_ID: xyz
        STORAGE_ACCOUNT_NAME: 'pimcompliancedata'
        STORAGE_CONTAINER_NAME: 'pim-daily-scan-results'
      run: |
        .\scripts\scan-member-count.ps1 -storageAccountName $env:STORAGE_ACCOUNT_NAME -storageAccountContainer $env:STORAGE_CONTAINER_NAME

And the PS script being run is just calling a bunch of Get-AzAdGroupMember for all AD groups starting with a given prefix (in a foreach-object -parallel). And this happens every time the action takes more than 10 mins. Tenant settings are per default (which should make the token valid for 1 hour). OIDC federation is setup as the documentation linked above asks to do ("scenario" is "github actions deploying azure resources").

arnemorten commented Oct 28, 2022

I experienced this problem when using az acr login. We build multiple images, so sometimes it takes more than 5 minutes before we can push the next image. We solved it by just running az acr login multiple times. Did not see this behavior before we switched to federated credentials with azure/login@v1.

@RenatoMartins-tomtom I think you can work around this issue by using the az cli commands instead of Get-AzAdGroupMember. I believe az cli automatically refreshes the tokens for you.

cwe1ss commented Oct 28, 2022

Here's my error with a sample workflow. As you can see, this does just log in and wait for 11 minutes between two calls to the Az PowerShell module.

name: 'TEST'

on:
  workflow_dispatch:

permissions:
  id-token: write
  contents: read

jobs:

  deploy:
    runs-on: ubuntu-latest
    environment: platform

    steps:

    - uses: actions/checkout@v3

    - uses: azure/login@v1
      with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          enable-AzPSSession: true

    - name: 'Deploy Azure resources'
      uses: azure/powershell@v1
      with:
        inlineScript: |
          "Calling Get-AzVm"
          Get-AzVm
          "Sleep start"
          Start-Sleep -Seconds 660
          "Sleep stop"
          "Calling Get-AzVm"
          Get-AzVm
          "Done"
        azPSVersion: "8.2.0"

Output from azure/login:

2022-10-28T08:12:27.5734334Z ##[group]Run azure/login@v1
2022-10-28T08:12:27.5734597Z with:
2022-10-28T08:12:27.5734991Z client-id: ***
2022-10-28T08:12:27.5735275Z tenant-id: ***
2022-10-28T08:12:27.5735565Z subscription-id: ***
2022-10-28T08:12:27.5735817Z enable-AzPSSession: true
2022-10-28T08:12:27.5736072Z environment: azurecloud
2022-10-28T08:12:27.5736320Z allow-no-subscriptions: false
2022-10-28T08:12:27.5736614Z audience: api://AzureADTokenExchange
2022-10-28T08:12:27.5736859Z ##[endgroup]
2022-10-28T08:12:28.6273343Z Using OIDC authentication...
2022-10-28T08:12:28.6974981Z Federated token details:
2022-10-28T08:12:28.6975674Z issuer - https://token.actions.githubusercontent.com
2022-10-28T08:12:28.6976257Z subject claim - repo:cwe1ss/msa-template:environment:platform
2022-10-28T08:12:28.6981058Z [command]/usr/bin/az cloud set -n azurecloud
2022-10-28T08:12:30.1968287Z Done setting cloud: "azurecloud"
2022-10-28T08:12:31.7047442Z Running Azure PS Login
2022-10-28T08:12:31.7089422Z [command]/usr/bin/pwsh -Command try {
2022-10-28T08:12:31.7090020Z $ErrorActionPreference = "Stop"
2022-10-28T08:12:31.7090580Z $WarningPreference = "SilentlyContinue"
2022-10-28T08:12:31.7092921Z $output = @{}
2022-10-28T08:12:31.7094749Z $data = Get-Module -Name Az.Accounts -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1
2022-10-28T08:12:31.7095423Z $output['AzVersion'] = $data.Version.ToString()
2022-10-28T08:12:31.7096004Z $output['Success'] = "true"
2022-10-28T08:12:31.7096670Z }
2022-10-28T08:12:31.7096935Z catch {
2022-10-28T08:12:31.7097400Z $output['Error'] = $.exception.Message
2022-10-28T08:12:31.7097661Z }
2022-10-28T08:12:31.7097962Z return ConvertTo-Json $output
2022-10-28T08:13:06.3608603Z {
2022-10-28T08:13:06.3608940Z "AzVersion": "2.9.1",
2022-10-28T08:13:06.3609586Z "Success": "true"
2022-10-28T08:13:06.3609828Z }
2022-10-28T08:13:06.4372988Z [command]/usr/bin/pwsh -Command try {
2022-10-28T08:13:06.4373309Z $ErrorActionPreference = "Stop"
2022-10-28T08:13:06.4373776Z $WarningPreference = "SilentlyContinue"
2022-10-28T08:13:06.4374132Z $output = @{}
2022-10-28T08:13:06.4374559Z Clear-AzContext -Scope Process;
2022-10-28T08:13:06.4422814Z Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue;Connect-AzAccount -ServicePrincipal -ApplicationId '' -Tenant '' -FederatedToken '' -Environment 'azurecloud' | out-null;Set-AzContext -SubscriptionId '' -TenantId '***' | out-null;
2022-10-28T08:13:06.4423597Z $output['Success'] = "true"
2022-10-28T08:13:06.4423839Z }
2022-10-28T08:13:06.4510346Z catch {
2022-10-28T08:13:06.4510924Z $output['Error'] = $.exception.Message
2022-10-28T08:13:06.4511192Z }
2022-10-28T08:13:06.4511507Z return ConvertTo-Json $output
2022-10-28T08:13:12.5383688Z {
2022-10-28T08:13:12.5384284Z "Success": "true"
2022-10-28T08:13:12.5384636Z }
2022-10-28T08:13:12.6247805Z Azure PowerShell session successfully initialized
2022-10-28T08:13:12.6248618Z Login successful.

Output from azure/powershell:

2022-10-28T08:13:12.6351560Z ##[group]Run azure/powershell@v1
2022-10-28T08:13:12.6351822Z with:
2022-10-28T08:13:12.6352208Z inlineScript: "Calling Get-AzVm" Get-AzVm "Sleep start" Start-Sleep -Seconds 660 "Sleep stop" "Calling Get-AzVm" Get-AzVm "Done"
2022-10-28T08:13:12.6352593Z azPSVersion: 8.2.0
2022-10-28T08:13:12.6352854Z errorActionPreference: Stop
2022-10-28T08:13:12.6353125Z failOnStandardError: false
2022-10-28T08:13:12.6353568Z githubToken: ***
2022-10-28T08:13:12.6353792Z env:
2022-10-28T08:13:12.6354008Z AZURE_HTTP_USER_AGENT:
2022-10-28T08:13:12.6354261Z AZUREPS_HOST_ENVIRONMENT:
2022-10-28T08:13:12.6354500Z ##[endgroup]
2022-10-28T08:13:12.8442153Z Validating inputs
2022-10-28T08:13:12.8710862Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -Command Test-Path (Join-Path /usr/share az_*)
2022-10-28T08:13:13.2067027Z True
2022-10-28T08:13:13.8151481Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -Command
2022-10-28T08:13:13.8152170Z $prevProgressPref = $ProgressPreference
2022-10-28T08:13:13.8153228Z $ProgressPreference = 'SilentlyContinue'
2022-10-28T08:13:13.8153764Z Expand-Archive -Path /usr/share/az_8.2.0.zip -DestinationPath /usr/share
2022-10-28T08:13:13.8154157Z $ProgressPreference = $prevProgressPref
2022-10-28T08:13:17.2987612Z Module Az 8.2.0 installed from hostedAgentGHRelease
2022-10-28T08:13:17.2989446Z Initializing Az Module
2022-10-28T08:13:17.3004255Z Initializing Az Module Complete
2022-10-28T08:13:17.3006143Z Running Az PowerShell Script
2022-10-28T08:13:17.3021054Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -Command /home/runner/work/_temp/ec0866d1-cdc6-473a-a3a8-a984c5e898ca.ps1
2022-10-28T08:13:17.5657741Z Calling Get-AzVm
2022-10-28T08:13:21.7046544Z Sleep start
2022-10-28T08:24:21.7076491Z Sleep stop
2022-10-28T08:24:21.7077432Z Calling Get-AzVm
2022-10-28T08:24:22.1724491Z Get-AzVM: /home/runner/work/_temp/ec0866d1-cdc6-473a-a3a8-a984c5e898ca.ps1:8
2022-10-28T08:24:22.1724938Z Line |
2022-10-28T08:24:22.1725247Z    8 |  Get-AzVm
2022-10-28T08:24:22.1725542Z      |  ~~~~~~~~
2022-10-28T08:24:22.1725993Z      | Your Azure credentials have not been set up or have expired, please run
2022-10-28T08:24:22.1726519Z      | Connect-AzAccount to set up your Azure credentials. A configuration
2022-10-28T08:24:22.1727036Z      | issue is preventing authentication - check the error message from the
2022-10-28T08:24:22.1727552Z      | server for details. You can modify the configuration in the application
2022-10-28T08:24:22.1728095Z      | registration portal. See https://aka.ms/msal-net-invalid-client for
2022-10-28T08:24:22.1728901Z      | details. Original exception: AADSTS700024: Client assertion is not
2022-10-28T08:24:22.1729401Z      | within its valid time range. Current time: 2022-10-28T08:24:21.8673176Z,
2022-10-28T08:24:22.1729874Z      | assertion valid from 2022-10-28T08:12:29.0000000Z, expiry time of
2022-10-28T08:24:22.1730344Z      | assertion 2022-10-28T08:17:29.0000000Z. Review the documentation at
2022-10-28T08:24:22.1731256Z      | https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials . Trace ID: 97fd40c6-56db-4450-81a4-5124da090800 Correlation ID: bf08574a-c5b8-414c-a061-10f576bcb360 Timestamp: 2022-10-28 08:24:21Z
2022-10-28T08:24:22.2577355Z ##[error]Error: The process '/usr/bin/pwsh' failed with exit code 1

The error in a more readable form:

Get-AzVM: /home/runner/work/_temp/ec0866d1-cdc6-473a-a3a8-a984c5e898ca.ps1:8
Line |
   8 |  Get-AzVm
     |  ~~~~~~~~
     | Your Azure credentials have not been set up or have expired, please run
     | Connect-AzAccount to set up your Azure credentials. A configuration
     | issue is preventing authentication - check the error message from the
     | server for details. You can modify the configuration in the application
     | registration portal. See https://aka.ms/msal-net-invalid-client for
     | details.  Original exception: AADSTS700024: Client assertion is not
     | within its valid time range. Current time: 2022-10-28T08:24:21.8673176Z,
     | assertion valid from 2022-10-28T08:12:29.0000000Z, expiry time of
     | assertion 2022-10-28T08:17:29.0000000Z. Review the documentation at
     | https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials . Trace ID: 97fd40c6-56db-4450-81a4-5124da090800 Correlation ID: bf08574a-c5b8-414c-a061-10f576bcb360 Timestamp: 2022-10-28 08:24:21Z

EDIT: I'm using Managed identities with federated credentials!

matt-FFFFFF (Member) commented Oct 31, 2022

Another issue with the token validity here: the token is only valid for 5 mins!

Using Azure/Login with Service Principal:

    subscription.go:24: cancelling subscription 1ad7747d-5335-4322-a565-392903a10534
    subscriptionDeploy_test.go:96: cannot cancel subscription: subscription 1ad7747d-5335-4322-a565-392903a10534 does not exist or cannot successfully check, cannot get subscription, DefaultAzureCredential: failed to acquire a token.
        Attempted credentials:
        	EnvironmentCredential: missing environment variable AZURE_CLIENT_ID
        	ManagedIdentityCredential: IMDS token request timed out
        	AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2022-10-31T12:44:19.4908573Z, assertion valid from 2022-10-31T11:49:11.0000000Z, expiry time of assertion 2022-10-31T11:54:11.0000000Z. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .

rwaal commented Nov 2, 2022

We are having the exact same issue as @cwe1ss mentioned above a few days ago.

@BALAGA-GAYATRI, are you still involved with this issue? Any ideas on timelines? Thanks in advance.

BALAGA-GAYATRI (Collaborator) commented Nov 2, 2022

There are the following 2 separate issues which we are seeing being reported here -

  1. The known limitation of access-token expiry and absence of a refresh mechanism. This is one potential cause for the failure of long-running workflows which go beyond the default validity of the access-token. For the default values please check this - https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#access-token-lifetime
  2. There are a few comments on workflows failing after 5 or 10 mins for the PowerShell case. We have noticed that Azure PowerShell fetches an access token from MSAL on each cmdlet execution. For client assertion (GitHub token), Azure PowerShell stores the assertion and fetches an access token using the GitHub token each time a cmdlet is executed. This is causing the workflows to fail soon after the GitHub token expires. This behavior only applies to the PowerShell case. In the Az CLI login, we don't observe this. We are following up with the respective teams to understand the problem better.

We are investigating this further and will post the updates here.
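The two failure modes separated in the comment above come down to two different clocks: the GitHub OIDC token that azure/login presents as the client assertion has a short window (the valid-from/expiry gap in the error messages quoted in this thread), while the access token obtained by exchanging it lasts about an hour. The following Python script is an added example, not code from this thread or from azure/login. It parses the AADSTS700024 messages quoted above to recover the assertion lifetime and how late the assertion was presented, and it decodes the nbf/exp claims of a constructed, unsigned JWT with the claim layout of the GitHub token so that a long-running step can check the window locally before another cmdlet re-presents it. The sample error text is copied from the thread; the JWT is constructed here, and the names `parse_aadsts700024`, `assertion_window`, `within_window` and `make_sample_assertion` are my own.

```python
import base64
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the AADSTS700024 text quoted by cwe1ss earlier in this thread.
SAMPLE_ERROR = (
    "AADSTS700024: Client assertion is not within its valid time range. "
    "Current time: 2022-10-28T08:24:21.8673176Z, "
    "assertion valid from 2022-10-28T08:12:29.0000000Z, "
    "expiry time of assertion 2022-10-28T08:17:29.0000000Z."
)

# AAD prints timestamps with seven fractional digits; Python's datetime keeps six.
_TS = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z"


def parse_aad_timestamp(text: str) -> datetime:
    """Parse one AAD timestamp into a tz-aware UTC datetime (fraction truncated to microseconds)."""
    m = re.fullmatch(_TS, text)
    if not m:
        raise ValueError(f"not an AAD timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    frac = (m.group(2) or "0")[:6].ljust(6, "0")
    return base.replace(microsecond=int(frac))


def _find_timestamp(label: str, message: str):
    m = re.search(re.escape(label) + _TS, message)
    return parse_aad_timestamp(m.group(0)[len(label):]) if m else None


def parse_aadsts700024(message: str) -> dict:
    """Recover the timestamps from an AADSTS700024 message and derive the assertion lifetime
    (valid-from to expiry) and how many seconds after expiry it was presented.
    Older messages (the first one in this thread) omit 'assertion valid from'."""
    if "AADSTS700024" not in message:
        raise ValueError("not an AADSTS700024 error")
    now = _find_timestamp("Current time: ", message)
    exp = _find_timestamp("expiry time of assertion ", message)
    nbf = _find_timestamp("assertion valid from ", message)
    if now is None or exp is None:
        raise ValueError("message lacks current/expiry timestamps")
    return {
        "current_time": now,
        "valid_from": nbf,
        "expiry": exp,
        "lifetime_seconds": (exp - nbf).total_seconds() if nbf else None,
        "seconds_past_expiry": (now - exp).total_seconds(),
    }


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def assertion_window(jwt: str) -> tuple:
    """Read nbf/exp from a JWT payload WITHOUT verifying the signature. This is only a
    local pre-flight check of the time window, never a trust decision about the token."""
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    to_dt = lambda t: datetime.fromtimestamp(int(t), tz=timezone.utc)
    return to_dt(payload["nbf"]), to_dt(payload["exp"])


def within_window(now: datetime, nbf: datetime, exp: datetime) -> bool:
    """True while the assertion may still be presented to AAD."""
    return nbf <= now < exp


def make_sample_assertion(issued_at: datetime, lifetime_seconds: int = 300) -> str:
    """Constructed, unsigned JWT with the claim layout of the GitHub OIDC token
    (header.payload.signature). The 300 s default mirrors the valid-from/expiry gap in
    the thread's error messages; the signature segment is a placeholder, not a real signature."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    iat = int(issued_at.timestamp())
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "iss": "https://token.actions.githubusercontent.com",
        "aud": "api://AzureADTokenExchange",
        "iat": iat, "nbf": iat, "exp": iat + lifetime_seconds,
    }
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"


if __name__ == "__main__":
    info = parse_aadsts700024(SAMPLE_ERROR)
    print(f"assertion lifetime: {info['lifetime_seconds']:.0f}s, "
          f"presented {info['seconds_past_expiry']:.0f}s after expiry")
    t0 = datetime(2022, 10, 28, 8, 12, 29, tzinfo=timezone.utc)
    nbf, exp = assertion_window(make_sample_assertion(t0))
    for offset in (60, 660):   # 660 s is the Start-Sleep used in the workflow quoted above
        ok = within_window(t0 + timedelta(seconds=offset), nbf, exp)
        print(f"+{offset}s: {'still usable' if ok else 'expired, re-login needed'}")
```

Run against the thread's messages, the script reports a 300-second assertion lifetime and shows the workflow's 660-second sleep landing well past it; the first message in the thread, which predates the "assertion valid from" wording, yields no lifetime but still a seconds-past-expiry figure. For the Az PowerShell path that means any cmdlet issued more than five minutes after azure/login ran needs a fresh login first (a second azure/login step, or the repeated az acr login described earlier), whereas the Az CLI path only needs one once the hour-long access token itself expires.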

@kaverma kaverma added bug Something isn't working P1 Some scenario broken but workaround exists labels Nov 2, 2022
BALAGA-GAYATRI (Collaborator) commented Nov 3, 2022

A tracking issue was opened in PowerShell for this. Link to the issue - Azure/azure-powershell#20013

RenatoMartins-tomtom commented Nov 11, 2022

Just today, noticed it will fail when using CLI as well. Well, the action calls a powershell script, but in there, all the commands are CLI commands (powershell commands are not AZ-Powershell ones, only foreach, write-out, or similar ones). After going for 13 mins in a loop, it would try an

az storage blob upload --file $fileName -c $storageAccountContainer --account-name $storageAccountName -n $fileName --auth-mode login

failing with the same error

ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2022-11-11T13:57:03.8472818Z, assertion valid from 2022-11-11T13:43:07.0000000Z, expiry time of assertion 2022-11-11T13:48:07.0000000Z. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .
Trace ID: c8ca033e-5187-40aa-8b7c-dc8c7762e300
Correlation ID: ed3e4dfc-4dbd-4096-9dfe-c855164bb964
Timestamp: 2022-11-11 13:57:03Z
Interactive authentication is needed. Please run:
az login

and there's certainly no way to use az login...

BALAGA-GAYATRI (Collaborator) commented Nov 15, 2022

@RenatoMartins-tomtom Please share your workflow, masking sensitive information. This can help us get a better idea of the issue you are facing.

leahy268 commented Nov 15, 2022

Hey guys,

This is a serious problem. At the moment we are able to workaround the issue by splitting longer running PowerShell scripts up into smaller parts and logging in again.

However that isn't always possible.

Please see my better software suggestion here:

https://bettersoftwaresuggestions.com/github/github-azure-login-allow-custom-expiry-time-for-oidc-token/

RenatoMartins-tomtom commented Nov 16, 2022

Sure,

here is the workflow

name: scan-assessments
on:
  schedule:
    - cron: '0 6 * * *' # every day at 6:00
  workflow_dispatch:
permissions:
  id-token: write
  contents: read
jobs:
  pull-list-of-failed-assessments:
    runs-on: ubuntu-latest
    steps:

    - name: Checkout self
      uses: actions/checkout@v2

    - name: Login to Azure
      uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        allow-no-subscriptions: true

    - name: Scan subscriptions for compliance
      shell: pwsh
      env:
        TENANT_ID: xyz
        STORAGE_ACCOUNT_NAME: 'pimcompliancedata'
        STORAGE_CONTAINER_NAME: 'defender-for-cloud-daily-scan-results'
      run: |
        .\scripts\scan-defender-assessments.ps1 -storageAccountName $env:STORAGE_ACCOUNT_NAME -storageAccountContainer $env:STORAGE_CONTAINER_NAME

The script it calls is below. Note it is purely CLI based (PowerShell is only used as a scripting language; no Az PowerShell commands are ever called). It eventually fails after 10+ mins. The ones that use any Az PowerShell commands will fail for sure:

[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$storageAccountName,

    [Parameter(Mandatory = $true)]
    [string]$storageAccountContainer
)

$date = (Get-Date).ToString("yyyy-MM-dd")
$fileName = "$date-defender-for-cloud-assessment-scan.csv"

# Placeholder for the real value: SAS token valid until Jan 1st, 2023, allowing read, create and write for blobs.
$sasToken = "token"

az config set extension.use_dynamic_install=yes_without_prompt

# Hard-coded values, as the standard has a single control, called 1.
$stdName = "std"
$controlName = "1"

# Subscriptions visible to the identity that azure/login signed in with.
$subscriptions = az account list | ConvertFrom-Json
$output = @()
$output += "stage, bu, pu, team, subscriptionName, subscriptionId, passedAssessmentCount, failedassessmentCount, failedAssessmentDescription, failedAssessmentPassedResources, failedAssessmentSkippedResources, failedAssessmentFailedResources,"
$i = 0
$total = $subscriptions.count
foreach ($subs in $subscriptions) {
    $i++
    "$i of $total"
    az account set --subscription $subs.id
    # Every az call in this loop reuses the token cached by azure/login; this is where the run time accumulates.
    $cmdOutput = az security regulatory-compliance-controls list --standard-name $stdName
    if ($cmdOutput -notlike "ERROR: *") {
        # Walk the management-group ancestry of the subscription to derive stage, bu, pu and team.
        $mgHierarchy = (az graph query -q "ResourceContainers | where type =~ 'microsoft.resources/subscriptions' | extend mgParent = properties.managementGroupAncestorsChain | mv-expand with_itemindex=MGHierarchy mgParent | project subscriptionId, name, mgParent, MGHierarchy, mgParent.name" --subscriptions $subs.id | ConvertFrom-Json).data
        $mgName = $mgHierarchy.mgParent_name
        $prodNonProd = $mgName[$mgName.count - 3]
        $bu = $mgName[$mgName.count - 4]
        $pu = $mgName[$mgName.count - 5]
        $team = $mgName[$mgName.count - 6]

        $compliance = $cmdOutput | ConvertFrom-Json
        # Subscription-level columns shared by every row written for this subscription.
        $line = """$prodNonProd"", ""$bu"", ""$pu"", ""$team"", ""$($subs.name)"", $($subs.id), $($compliance.passedassessments), $($compliance.failedassessments)"
        $assessments = az security regulatory-compliance-assessments list --control-name $controlName --standard-name $stdName | ConvertFrom-Json
        $failedAssessments = $assessments | Where-Object { $_.state -eq "Failed" }
        foreach ($failedAssessment in $failedAssessments) {
            # Build each row from the shared prefix so a row does not carry the previous assessment's columns.
            $row = $line + ", ""$($failedAssessment.Description)"", $($failedAssessment.passedResources), $($failedAssessment.skippedResources), $($failedAssessment.failedResources)"
            $output += $row
        }
    }
}
$output | Out-File -FilePath $fileName

az storage blob upload --file $fileName -c $storageAccountContainer --account-name $storageAccountName -n $fileName --sas-token $sasToken

@BALAGA-GAYATRI BALAGA-GAYATRI added external and removed P1 Some scenario broken but workaround exists labels Nov 16, 2022
@N-Usha N-Usha added the P1 Some scenario broken but workaround exists label Nov 29, 2022
@N-Usha N-Usha assigned dcaro and chasewilson and unassigned BALAGA-GAYATRI Nov 29, 2022
N-Usha (Contributor) commented Nov 29, 2022

Looping in @dcaro and @chasewilson from Azure PowerShell team, who are exploring a resolution for this issue in Az PS.
