-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG]: AzureCLI@2 az login fails when using certificate for authentication starting from version 2.67.0 of Azure CLI #20672
Comments
I am experiencing the same issue. Is there any way to downgrade azure cli to prior version? |
@NakagawaMakoto : Azure CLI has no downgrade functionality but you can uninstall it and install the desired version (2.66.0) instead. |
Yes, of course, it is me who is responsible for the version of azcli on the pipeline agent's host. I should have known better. Thank you for reminding me of the fact. |
To work around this issue we added this step to our builds. Would love to see the issue fixed though!
|
This is breaking user pipelines on our side, this should be fixed asap. |
As a workaround, adding this task should help on windows host - powershell: |
wmic product where "name='Microsoft Azure CLI (64-bit)'" call uninstall /nointeractive
Invoke-WebRequest -Uri https://azcliprod.blob.core.windows.net/msi/azure-cli-2.66.0-x64.msi -OutFile .\AzureCLI.msi;
Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet';
displayName: Downgrade azure CLI |
Thanks for this--I wasn't having much luck with the In the interim, I've added Federated Credentials to the App Registration in Entra ID, then associated that with a new Service Connection in AzDO, and that works with no issues--pipelines are back to being speedy. The great part about this method (thus far) is that because it's the same AppID it uses the same Service Principal (Enterprise Apps in EID), so you don't have to go update the RBAC for every resource. For those who haven't done this before, here's a quick rundown of how to do it:
|
@robkendrick - What you said is partially a workaround. It doesn't work out for MSPs since one app registration can only have 20/30 federated credential. Whenever you create a service connection it will take up one federated credential. Let's say if someone wants to manage multiple tenants then it wouldn't work because of restriction on the number of federated credential an app registration can have. |
Hi @KKing299 |
Hi @jan-msc @RichieBzzzt @NakagawaMakoto @robkendrick |
Hi @v-schhabra , it's working for us now. |
@v-schhabra can you please review this other item? |
@v-schhabra Can someone please look at #20722 ? |
Starting from version 2.67.0, for
az login
,--password
no longer accepts service principal certificate. Use--certificate
to pass a service principal certificate.AzureCLI@2 does not use the
--certificate
parameter to pass the service principal certificate resulting in:ERROR: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '***'. The error may be caused by passing a service principal certificate with --password. Please note that --password no longer accepts a service principal certificate. To pass a service principal certificate, use --certificate instead.
The text was updated successfully, but these errors were encountered: