OidcClient.getCall failing in self-hosted Runners. #1787

Open
Powertrain opened this issue Aug 7, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@Powertrain

Coming from this post: Azure/login#477

Environments

  • GHES 3.11.5 in an Azure VM along with,
  • a self-hosted runner in an Azure VM with the software provided by the GHES instance.

Issue:

  • When Azure/login is used on a self-hosted runner, the job is unable to access the id-token variable's permissions. id-token has been set to both Write and Write-All in many iterations of the job with no success. Please make sure to give write permissions to id-token in the workflow.
  • The azure/login v2.1.1 action fails at line 570; the try-catch sends back: Login failed with Error: Error message: Cannot read properties of undefined (reading 'message'). Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information.
  • The OIDC token URL appears to be generated, but
  • it fails at line 565: const id_token = yield OidcClient.getCall(id_token_url);

Following advice from this post: Azure/login#283

  • Both endpoints are available from the internet.
  • They are available when using a curl -v command from the runner machine.

However this still results in a failed run with the following information:

The id_token_url (Line 559) variable, when visited via a browser from my machine, or curl -v from the gitRunner machine, always gives the same response: The user 'System:PublicAccess;aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not authorized to access this resource.
The person assigned to my issue suggested I bring this up here.
Thanks for any assistance.
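
The token request discussed in this issue, as an added diagnostic example (not code from the issue, Azure/login, or the toolkit): it builds the authenticated request from the two variables GitHub documents for jobs granted `id-token: write`, `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN`, and classifies the response without printing any secret. The helper names and the `api://AzureADTokenExchange` audience are assumptions.

```javascript
// Added example. Helper names and the audience value are assumptions; the two
// ACTIONS_ID_TOKEN_* variables and the `value` field follow GitHub's OIDC docs.

// Build the authenticated request for the runner's OIDC token endpoint.
function buildOidcRequest(env, audience) {
  const url = env.ACTIONS_ID_TOKEN_REQUEST_URL;
  const bearer = env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
  if (!url || !bearer) {
    // The runner injects both only when the job is granted id-token: write.
    throw new Error('ACTIONS_ID_TOKEN_REQUEST_URL/TOKEN are not set in this job');
  }
  const target = new URL(url);
  if (audience) target.searchParams.set('audience', audience);
  return {
    url: target.toString(),
    headers: { Authorization: `Bearer ${bearer}`, Accept: 'application/json' },
  };
}

// Map an HTTP status and raw body to a short verdict; never returns the token.
function classifyResponse(status, bodyText) {
  // Bearer missing, expired, or rejected by the token service.
  if (status === 401 || status === 403) return 'unauthorized';
  if (status < 200 || status > 299) return `http-${status}`;
  let body;
  try { body = JSON.parse(bodyText); } catch { return 'non-json-body'; }
  const token = body && body.value;
  // A JWT has three dot-separated segments: header.payload.signature.
  if (typeof token !== 'string' || token.split('.').length !== 3) return 'no-token-in-body';
  return 'ok';
}

// Send the request (Node 18+ global fetch) and log host, status, verdict only.
async function probe(env, audience) {
  const { url, headers } = buildOidcRequest(env, audience);
  const res = await fetch(url, { headers });
  const verdict = classifyResponse(res.status, await res.text());
  console.log(`${new URL(url).host}: HTTP ${res.status} -> ${verdict}`);
  return verdict;
}

// Runs only inside a job step where the runner has set the variables.
if (process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
  probe(process.env, 'api://AzureADTokenExchange').catch((err) => {
    console.error(err.message);
    process.exitCode = 1;
  });
}
```

Run it with `node` as a step in the affected job so the runner's variables are present.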
