
OidcClient.getCall failing in self-hosted Runners. #477

Closed
Powertrain opened this issue Jul 25, 2024 · 7 comments
Assignees
Labels
needs-author-feedback More information is needed from author to address the issue. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@Powertrain

Powertrain commented Jul 25, 2024

https://github.com/Azure/login/blob/6c251865b4e6290e7b78be643ea2d005bc51f69a/lib/main/index.js#L565C40-L565C50

Environments

  • GHES 3.11.5 in an Azure VM along with,
  • a self-hosted runner in an Azure VM with the software provided by the GHES instance.

Issue:

  • when used on a self-hosted runner, the job is unable to access the id-token variable's permissions. id-token has been set to both Write and Write-All in many iterations of the job with no success. Please make sure to give write permissions to id-token in the workflow.
  • the azure/login v2.1.1 action fails at line 570; the try-catch sends back Login failed with Error: Error message: Cannot read properties of undefined (reading 'message'). Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information.
  • the OIDC token URL appears to be generated, but
  • it fails at line 565: const id_token = yield OidcClient.getCall(id_token_url);

Is this a failure on the runner side, or a federated credential issue on the other end?

Thanks for any assistance.

@YanaXu YanaXu self-assigned this Jul 25, 2024
@YanaXu
Collaborator

YanaXu commented Jul 25, 2024

Hi @Powertrain, please try the steps in #283 (comment).

@YanaXu YanaXu added needs-author-feedback More information is needed from author to address the issue. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jul 25, 2024
@Powertrain
Author

Powertrain commented Aug 2, 2024

@YanaXu Thanks for the response!

Following the advice from #283

  • Both endpoints are available from the internet.
  • They are available when using a curl -v command from the runner machine.

However this still results in a failed run with the following information:

  • The id_token_url (Line 559) variable, when visited via a browser from my machine or with curl -v from the gitRunner machine, always gives the same response: The user 'System:PublicAccess;aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not authorized to access this resource.

@YanaXu
Collaborator

YanaXu commented Aug 7, 2024

Hi @Powertrain, could you raise your question to this repo: https://github.com/actions/toolkit?
This is the GitHub Action toolkit repo which Azure Login Action depends on.

@Powertrain
Author

Powertrain commented Aug 8, 2024

@YanaXu

https://github.com/Azure/login/blob/v2.1.1/lib/main/index.js

Line: 545-546

Both ${error.statusCode} & ${error.result.message} are null. This causes the action to give a result of Error message: Cannot read properties of undefined (reading 'message').

After branching my own version and changing the output to Error Code : ${error}, I get the output:

Error: unable to verify the first certificate

Thanks for any assistance going forward.
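
The masking described above (the action's catch block at lines 545-546 interpolating error.result.message, which turns a transport-level failure into "Cannot read properties of undefined (reading 'message')") and the underlying "unable to verify the first certificate" error can both be shown in a few lines. The following is an added example and is not code from Azure/login or actions/toolkit; the error objects it builds are constructed to resemble what a Node https request and an HTTP-client error with statusCode and result fields would throw, and the classification rules (Node's UNABLE_TO_VERIFY_LEAF_SIGNATURE code, the NODE_EXTRA_CA_CERTS variable) are general Node facts rather than anything this repository documents.

```javascript
// Added example, not code from Azure/login or actions/toolkit. It reproduces
// the error-handling pattern the thread describes at lib/main/index.js
// lines 545-546 and contrasts it with a defensive version that surfaces the
// real cause. The sample error objects are constructed for this example.

// The pattern described in the thread: interpolating error.result.message
// unconditionally. A transport-level error carries no `result`, so this line
// throws "Cannot read properties of undefined (reading 'message')" and the
// original error is lost.
function legacyErrorText(error) {
  return `Error message: ${error.statusCode} ${error.result.message}`;
}

// Defensive replacement: read each field the error might carry, dereference
// optional objects only after checking them, and classify the failure so the
// workflow log points at the right fix instead of a TypeError.
function describeOidcError(error) {
  const statusCode = error && error.statusCode;
  const resultMessage = error && error.result && error.result.message;
  const message = resultMessage || (error && error.message) || String(error);
  const code = error && error.code; // Node sets this on TLS and socket errors

  let category = "unknown";
  let hint = "Inspect the full error object; do not rely on a single field.";
  if (code === "UNABLE_TO_VERIFY_LEAF_SIGNATURE" ||
      /unable to verify the first certificate/i.test(message)) {
    category = "tls-chain";
    hint = "The runner's Node trust store lacks the server's CA chain. " +
           "Install the chain (Node honours NODE_EXTRA_CA_CERTS) rather than disabling verification.";
  } else if (statusCode === 401 || statusCode === 403 || /not authorized/i.test(message)) {
    category = "authorization";
    hint = "The token endpoint rejected the request; check the workflow's id-token: write permission.";
  } else if (typeof statusCode === "number") {
    category = "http";
    hint = `Token endpoint returned HTTP ${statusCode}.`;
  }
  return { category, statusCode, message, hint };
}

// Constructed sample: a TLS chain failure as Node's https client raises it
// when the GHES certificate chain is not trusted by the runner.
const tlsError = Object.assign(new Error("unable to verify the first certificate"), {
  code: "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
});

// Constructed sample: an HTTP rejection carrying statusCode and a parsed body,
// the shape assumed here for the toolkit's HTTP client errors.
const authError = Object.assign(new Error("Failed to get ID Token"), {
  statusCode: 403,
  result: { message: "The user 'System:PublicAccess;<placeholder-id>' is not authorized to access this resource." },
});

// Runs both formatters on one error and reports what each produced, so the
// masking is visible side by side. Returns the observation for checking.
function compare(error) {
  let legacy;
  try {
    legacy = legacyErrorText(error);
  } catch (e) {
    legacy = `threw ${e.constructor.name}: ${e.message}`;
  }
  return { legacy, defensive: describeOidcError(error) };
}

for (const err of [tlsError, authError]) {
  console.log(JSON.stringify(compare(err), null, 2));
}
```

For the TLS sample the legacy formatter throws a TypeError while the defensive one reports the certificate problem with a remediation hint; for the 403 sample both report the endpoint's message, which is why the bug only shows up on a transport failure. The fix for the chain error itself belongs on the runner (trusting the GHES CA), not in the action.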

@Powertrain
Author

@YanaXu

https://github.com/Azure/login/blob/v2.1.1/lib/main/index.js

I am running into further issues with v2.1.1

Line: 4004 yield this.executeAzCliCommand(["--version"], true, execOptions); fails over and over again: The process '/usr/local/bin/az' failed with exit code 1.

When the line is commented out, the subsequent executeAzCliCommand commands will Successfully set the Azure environment.

Would you recommend swapping the version of Azure/Login I am using?

@YanaXu
Collaborator

YanaXu commented Aug 12, 2024

> @YanaXu
>
> https://github.com/Azure/login/blob/v2.1.1/lib/main/index.js
>
> I am running into further issues with v2.1.1
>
> Line: 4004 yield this.executeAzCliCommand(["--version"], true, execOptions); fails over and over again: The process '/usr/local/bin/az' failed with exit code 1.
>
> When the line is commented out, the subsequent executeAzCliCommand commands will Successfully set the Azure environment.
>
> Would you recommend swapping the version of Azure/Login I am using?

@Powertrain could you run az --version --debug directly on your VM and send us the result?

@Powertrain
Author

Powertrain commented Aug 12, 2024

@YanaXu

Thanks for the response!

Upgrading from azure-cli 2.39 to azure-cli 2.63; I will run action/[email protected] again once complete.

@YanaXu YanaXu closed this as completed Aug 22, 2024