AZ commands won't work if run within a docker container #362

Open
Israphel opened this issue Oct 30, 2023 · 6 comments

Israphel commented Oct 30, 2023

I have successfully logged in to Azure by using OIDC:

permissions:
  contents: read
  id-token: write

[...]

steps:
  - name: Checkout code
    uses: actions/checkout@v4

  - name: Configure Azure credentials
    uses: azure/login@v1.4.7
    with:
      client-id: #######
      tenant-id: #######
      subscription-id: #######

And AZ commands work fine after that step if I run them directly with azure/CLI@v1 or just by typing az commands.

However, if I create a basic GitHub action that uses the Docker container mcr.microsoft.com/azure-cli and I try to run commands right after the login, I get:

ERROR: Please run 'az login' to setup account.

What's the trick to run custom GitHub actions that depend on the login? Is this action exposing the required env vars? I know for a fact that my client ID has enough permissions since inline az commands work, but that forces me to only use "composite" actions and not Docker actions.

Israphel added the need-to-triage (Requires investigation) label Oct 30, 2023
YanaXu (Collaborator) commented Oct 31, 2023

Hi @Israphel, when you run az in a Docker container, it means an independent and isolated env, unless you share the host settings with it. You can refer to the implementation of Azure CLI Action.

Israphel (Author) commented

I'm not talking about running the whole job in a Docker container, I'm talking about a GitHub action that is written as a Docker container, with the following lines inside action.yaml:

runs:
  using: 'docker'
  image: 'Dockerfile'

which is a common practice.

The azure CLI action is node16 and not docker so I can't use it as a reference.

The question is: are Docker actions supported after using this azure/login action?

MoChilia (Member) commented Nov 1, 2023

Hi @Israphel, yes, Docker actions are supported after using Azure/Login. When you sign in with a user account, Azure CLI generates and stores an authentication refresh token in the ~/.azure folder. To ensure a valid login, please volume mount the ~/.azure folder between host and container. You can refer to the example at https://github.com/Azure/cli/blob/1828f1caeefdc0631b30ab61f3c624b115f58c93/src/main.ts#L61.
Actually, the Azure/CLI action leverages a Docker container to execute the az commands. For simplicity, you can consider using it directly.

MoChilia added the question label (The issue doesn't require a change to the product in order to be resolved. Most issues start as that) and removed the need-to-triage (Requires investigation) label Nov 1, 2023
Israphel (Author) commented Nov 1, 2023

Even though that action uses docker commands inside, it is still a TypeScript action and not a Docker action, so it doesn't really answer my question.

We have developed an action using the Azure SDK for Python (not the CLI) and it would be nice to run it as a Docker action.

Why doesn't the azure login action expose env vars rather than storing the credentials in .azure? Similar to how the workload identity in AKS works.

Is there an example of a real docker action running after azure login?

YanaXu (Collaborator) commented Nov 7, 2023

@Israphel Azure Login Action is based on Azure CLI and Azure PowerShell, which are 2 popular Azure client tools. If you are using Azure SDK for Python, that means you are implementing your own client tool, which is out of the scope of Azure Login Action, or Azure CLI. In that case, I suggest you log in with Azure SDK directly.
To be honest, "Why doesn't the azure login action expose env vars rather than storing the credentials in .azure? Similar to how the workload identity in AKS works." is not a question. It's a big feature request for Azure CLI and Azure Login Action, which is not in the plan as far as I know.
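
The OIDC exchange that a Docker container action could perform itself, when logging in directly as suggested above instead of relying on ~/.azure, as an added example (not code from this thread or from the azure/login project). It assumes the job has `id-token: write`, that the runner passes `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` into the container, that the workflow sets `AZURE_TENANT_ID` and `AZURE_CLIENT_ID` for the step, and that the app registration has a federated credential for the repository; function names are hypothetical and only the Python standard library is used in place of the Azure SDK.

```python
import json
import os
import urllib.parse
import urllib.request

# Added example: function names and the AZURE_* variable names are assumptions.
# Audience Microsoft Entra ID expects on a federated (workload identity) token.
AUDIENCE = "api://AzureADTokenExchange"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def github_oidc_request(env):
    """Build the request for the job's OIDC token from runner-provided variables."""
    try:
        url = env["ACTIONS_ID_TOKEN_REQUEST_URL"]
        bearer = env["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]
    except KeyError as missing:
        # These are absent when the job lacks `permissions: id-token: write`.
        raise RuntimeError(f"{missing.args[0]} not set; is id-token: write granted?") from None
    sep = "&" if "?" in url else "?"
    full = f"{url}{sep}audience={urllib.parse.quote(AUDIENCE, safe='')}"
    return urllib.request.Request(full, headers={"Authorization": f"Bearer {bearer}"})


def entra_token_request(tenant_id, client_id, oidc_jwt, scope):
    """Build the client-credentials POST that presents the GitHub JWT as the assertion."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": oidc_jwt,
        "scope": scope,
    }
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())


def get_access_token(env=os.environ, scope="https://management.azure.com/.default"):
    """Run both steps; no client secret is stored and nothing is read from ~/.azure."""
    with urllib.request.urlopen(github_oidc_request(env), timeout=10) as resp:
        oidc_jwt = json.load(resp)["value"]
    req = entra_token_request(env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"], oidc_jwt, scope)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]
```

The returned access token is short-lived and should not be written to logs or step outputs.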

Israphel (Author) commented Nov 9, 2023

Using the SDK is completely normal. Why would we develop an action writing a wrapper around Azure CLI while the official SDKs exist?

Anyway, the conclusion is clear: actions made with Docker are not compatible with this login action.

Any other action that calls docker run and mounts .azure works, but real Docker actions don't.
