Azure CLI task fails with AADSTS700024 after 5 minutes #28737
Workarounds
Adopt either workaround:
|
We plan to fix this issue in the next Azure CLI release: https://github.com/Azure/azure-cli/milestone/141
For now, to get unblocked, please follow the instructions at #28737 (comment). |
@jiasli Thank you for the update. Just for clarity, what, specifically, will get fixed? Will we still need the code to continue requesting the OID token in the background or will we just need to use Azure CLI 2.60.0? |
Is it possible to release this as a patch fix sooner? This potentially impacts every use of the Also, the workaround only works if you're using the |
@jiasli would it be possible to release this in a patch fix? |
@jiasli is there any way to promote this as a hotfix so releases that rely on az cli can work again? The current time limit is breaking a lot of builds :( |
@jiasli is working on the new build right now. |
Awesome! Any ETA for this release? |
Is there any workaround for Azure/login@v2.1.0 while the hot fix makes it to production, since there doesn't seem to be a way to change the cli version this action uses? |
Service principal with a secret is not feasible for our case, due to issues transmitting and storing the value. Changing azure/cli version is not feasible due to using azure/login and azure/powershell only |
This 5-minute-expiration issue only affects |
Build to Cloud Shell: 04/25/2024 |
This is quite a problematic issue for us and makes service connections based on Workload Identity federation unusable. Please add a test suite for regression so that it doesn't happen again. |
The issue also happens with Azure PowerShell on the latest MS Hosted Azure DevOps agents, example:
Also |
Can I fetch the Cloud build to ingest it in a pipeline decorator? |
Azure CLI 2.60.0 has been released just now with this issue fixed: https://github.com/Azure/azure-cli/blob/dev/src/azure-cli-core/HISTORY.rst#2600
The rollout status for Azure CLI on GitHub Actions and Azure DevOps images can be found at https://github.com/actions/runner-images |
@jiasli, even after upgrading to Azure CLI 2.60.0, I am facing the same issue. I am running the Azure CLI task from Azure DevOps and it expires after 10 mins and I get Since the images still use 2.59.0, I do |
+1 |
@bcarthic, are you requesting a data-plane access token? If so, please see #28708 (comment). |
@jiasli |
Azure CLI 2.60.0 has been deployed to GitHub Actions and Azure DevOps images: https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md#cli-tools |
MSAL introduced a regression in 1.27.0 (AzureAD/microsoft-authentication-extensions-for-python#127, AzureAD/microsoft-authentication-library-for-python#644) which is adopted by Azure CLI 2.59.0 (#28556).
This regression makes MSAL's ConfidentialClientApplication bypass msal_extensions.token_cache.PersistedTokenCache, so access tokens are no longer retrieved from the token cache. Instead, every command now retrieves a new access token from the AAD Security Token Service (STS). Any command fails with AADSTS700024 after the ID token expires (5 minutes on GitHub Actions, 10 minutes on Azure DevOps).
Originally posted by @jiasli in #28708 (comment)
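The failure mode described in this issue, as a small Python model added here for illustration; it is not Azure CLI or MSAL code. ModelSTS, run_commands, the 3600-second access-token lifetime, the command schedule and the unsigned sample token are assumptions constructed for the example.

```python
import base64
import json

def make_unsigned_jwt(claims):
    """Build a constructed, unsigned JWT-shaped string (sample input only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def jwt_exp(token):
    """Read the exp claim from a JWT payload without verifying the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]

class ModelSTS:
    """Hypothetical stand-in for the STS: rejects an expired client assertion."""
    def __init__(self, access_token_lifetime):
        self.lifetime = access_token_lifetime  # assumed value, not from the page
        self.requests = 0

    def redeem(self, assertion, now):
        self.requests += 1
        if now >= jwt_exp(assertion):
            raise PermissionError("AADSTS700024")
        return {"expires_at": now + self.lifetime}

def run_commands(sts, assertion, times, use_cache):
    """Return 'ok' or the error code for each command time (seconds since login)."""
    cached, results = None, []
    for now in times:
        try:
            # With the cache bypassed, every command redeems the ID token again.
            if not (use_cache and cached and now < cached["expires_at"]):
                cached = sts.redeem(assertion, now)
            results.append("ok")
        except PermissionError as err:
            results.append(str(err))
    return results

# Constructed sample: exp is relative seconds here (real tokens use Unix time);
# 300 s matches the GitHub Actions ID token lifetime stated in the issue.
ID_TOKEN = make_unsigned_jwt({"sub": "constructed-subject", "exp": 300})
COMMAND_TIMES = [0, 120, 290, 310, 900]  # constructed command schedule

if __name__ == "__main__":
    for use_cache in (True, False):
        sts = ModelSTS(access_token_lifetime=3600)
        print(use_cache, run_commands(sts, ID_TOKEN, COMMAND_TIMES, use_cache), sts.requests)
```

In pipeline logs the same pattern shows up as one token request per command instead of one per login, with the first failure landing just past the ID token's exp.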