Unable to decrypt Az CLI cred in ADO pipeline task #27428

Description

@syedhamjath

Describe the bug

Unable to decrypt Az CLI cred in ADO pipeline task

Related command

It seems az login command is failing

Errors

PFA - Full log of task execution

Issue script & Debug output

PFA - Full log of task execution

Expected behavior

Using ADO - task: AzureCLI@2 az login needs to be successful with option addSpnToEnvironment: true

Environment Summary

azure-cli 2.52.0

core 2.52.0
telemetry 1.1.0

Extensions:
azure-devops 0.26.0

Dependencies:
msal 1.24.0b1
azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Program Files\Common Files\AzureCliExtensionDirectory'

Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb 7 2023, 17:05:00) [MSC v.1929 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

The task below is executed in a pool with more than one agent, and it is utilized by more than a few. I often get the error message: Key not valid for use in specified state.. App developer may consider this guidance:

dev.azure.com.txt

- task: AzureCLI@2
  displayName: 'Set credentials (RG SPN) for PrivilegedContext'
  inputs:
    azureSubscription: ${{parameters.arm_service_connection}}
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    # addSpnToEnvironment exposes tenantId, servicePrincipalId and servicePrincipalKey to the script
    addSpnToEnvironment: true
    useGlobalConfig: true
    inlineScript: |
      # Copy each service principal value into a secret pipeline variable
      $azure_tenant_id = $env:tenantId
      Write-host "Variable name azure_tenant_id is set with Azure AD Tenant ID"
      Write-host "##vso[task.setvariable variable=azure_tenant_id;issecret=true]$azure_tenant_id"

      $azure_client_id = $env:servicePrincipalId
      Write-host "Variable name azure_client_id is set with resource group SPN Client ID"
      Write-host "##vso[task.setvariable variable=azure_client_id;issecret=true]$azure_client_id"

      $azure_client_secret = $env:servicePrincipalKey
      Write-host "Variable name azure_client_secret is set with resource group SPN credentials"
      Write-host "##vso[task.setvariable variable=azure_client_secret;issecret=true]$azure_client_secret"
