Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AZ commands won't work if run within a docker container #362

Open
Israphel opened this issue Oct 30, 2023 · 6 comments
Open

AZ commands won't work if run within a docker container #362

Israphel opened this issue Oct 30, 2023 · 6 comments
Assignees
Labels
question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@Israphel
Copy link

Israphel commented Oct 30, 2023

I have successfully logged in to Azure by using OIDC:

permissions:
  contents: read
  id-token: write

[...]

steps:
  - name: Checkout code
    uses: actions/checkout@v4

  - name: Configure Azure credentials
    uses: azure/[email protected]
    with:
      client-id: #######
      tenant-id: #######
      subscription-id: #######

and AZ works fine after that step if I run them directly with azure/CLI@v1 or just by typing az commands.

however, if I create a basic github action that uses the docker container mcr.microsoft.com/azure-cli and I try to run commands right after the login, I get:

ERROR: Please run 'az login' to setup account.

what's the trick to run custom github actions that depend on the login? is this action exposing the required ENV VARS which are needed? I know for a fact that my client id has enough permissions since inline az commands works, but that forces me to only use "composite" actions and not Docker actions.

@Israphel Israphel added the need-to-triage Requires investigation label Oct 30, 2023
@YanaXu
Copy link
Collaborator

YanaXu commented Oct 31, 2023

Hi @Israphel , when you run az in a docker container, it means an independent and isolated env, unless you share the host settings with it. You can refer to the implementation of Azure CLI Action.

@Israphel
Copy link
Author

I'm not talking about running the whole job in a docker container, I'm talking about a github action that is written as a docker container, with the following lines inside action.yaml:

runs:
  using: 'docker'
  image: 'Dockerfile'

which is a common practice.

The azure CLI action is node16 and not docker so I can't use it as a reference.

The question is: are docker actions supported after using this azure/login action ?

@MoChilia
Copy link
Member

MoChilia commented Nov 1, 2023

Hi @Israphel, yes, docker actions are supported after using Azure/Login. When you sign in with a user account, Azure CLI generates and stores an authentication refresh token in the ~/.azure folder. To ensure a valid login, please volume mount ~/.azure folder between host and container. You can refer to the example at
https://github.com/Azure/cli/blob/1828f1caeefdc0631b30ab61f3c624b115f58c93/src/main.ts#L61.
Actually, Azure/CLI action leverages a Docker container to execute the az commands. For simplicity, you can consider using it directly.

@MoChilia MoChilia added question The issue doesn't require a change to the product in order to be resolved. Most issues start as that and removed need-to-triage Requires investigation labels Nov 1, 2023
@Israphel
Copy link
Author

Israphel commented Nov 1, 2023

Even tho that action uses docker commands inside, it is still a typescript action and not a docker action, so it doesn't really answer my question.

We have develop an action using the azure sdk for python (not the cli) and it will be nice to run it as a docker action.

Why don't the azure login action expose env vars rather than storing the credentials to .azure? similar to how the workload identity in AKS works.

Is there an example of a real docker action running after azure login?

@YanaXu
Copy link
Collaborator

YanaXu commented Nov 7, 2023

@Israphel Azure Login Action is based on Azure CLI and Azure PowerShell, which are 2 popular Azure Client tools. If you are using Azure SDK for python, that means you are implementing your own client tool, which is out of the scope of Azure Login Action, or Azure CLI. In that case, I suggest you to login with Azure SDK directly.
To be honest, "Why don't the azure login action expose env vars rather than storing the credentials to .azure? similar to how the workload identity in AKS works." is not a question. It's a big feature request for Azure CLI and Azure Login Action, which is not in the plan as far as I know.

@Israphel
Copy link
Author

Israphel commented Nov 9, 2023

Using the SDK is completely normal, why would we develop an action writing a wrapper around azure cli while the official sdks exist?

anyway, the conclusion is clear: Actions made with docker are not compatible with this login action.

Any other action that calls docker run and mount .azure works, but real docker actions don't.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Projects
None yet
Development

No branches or pull requests

3 participants