MSAL Token Cache Multiple Token Problem - Enterprise Azure Account

[siddallhotmail]

SUMMARY

Whilst using an enterprise azure login (multiple subscriptions under a single tenant). The auth_sources property when set to use CLI fails with User 'xx' does not exist in MSAL token cache.

Using a standard azure subscription / 1-2-1 logon the azure modules work fine.

I suspect that this is because of the multiple tokens I obtain when logging in using the (now depreciated) function in azure_rm_common.py

self.log('Retrieving credentials from Azure CLI profile')
cli_credentials = self._get_azure_cli_credentials(subscription_id=params.get('subscription_id'))
return cli_credentials

Which in turn calls get_cli_profile() which is part of the azure-sdk-for-python

These functions are depreciated now ... and the documentation suggests moving to the Azure Identity client library for Python.

https://docs.microsoft.com/en-us/python/api/azure-common/azure.common.credentials?view=azure-python

I think the crux of the issue is that due to the multiple tokens received when using the AZ LOGIN command, we would need to be able to specify the subscription ID and tenant ID to correctly obtain the token from the cache.

ISSUE TYPE

• Bug Report

COMPONENT NAME

azure_rm_common.py

ANSIBLE VERSION

ansible [core 2.13.1]
  config file = /home/g3.martin.siddall@hosting.civica.com/ccsautomation/05_provision_developer/ansible.cfg
  configured module search path = ['/home/g3.martin.siddall@hosting.civica.com/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/g3.martin.siddall@hosting.civica.com/ansible_stable/lib/python3.8/site-packages/ansible
  ansible collection location = /home/g3.martin.siddall@hosting.civica.com/ccsautomation/00_common/shared/resources/collections
  executable location = /home/g3.martin.siddall@hosting.civica.com/ansible_stable/bin/ansible
  python version = 3.8.10 (default, Mar 15 2022, 12:22:08) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION

azure.azcollection            1.12.0 

CONFIGURATION

COLLECTIONS_PATHS(/home/g3.martin.siddall@hosting.civica.com/ccsautomation/05_provision_developer/ansible.cfg) = ['/home/g3.martin.siddall@hosting.civica.com/ccsautomation/>
DEFAULT_FORKS(/home/g3.martin.siddall@hosting.civica.com/ccsautomation/05_provision_developer/ansible.cfg) = 30
DEFAULT_HOST_LIST(/home/g3.martin.siddall@hosting.civica.com/ccsautomation/05_provision_developer/ansible.cfg) = ['/home/g3.martin.siddall@hosting.civica.com/ccsautomation/>
DISPLAY_SKIPPED_HOSTS(/home/g3.martin.siddall@hosting.civica.com/ccsautomation/05_provision_developer/ansible.cfg) = False
HOST_KEY_CHECKING(/home/g3.martin.siddall@hosting.civica.com/ccsautomation/05_provision_developer/ansible.cfg) = False
LOCALHOST_WARNING(/home/g3.martin.siddall@hosting.civica.com/ccsautomation/05_provision_developer/ansible.cfg) = False

OS / ENVIRONMENT

Ubuntu 20.04

STEPS TO REPRODUCE

You will require a AZ Login which has multiple tenants under the same subscription id.

Example of tokens obtained when logging in., you will note tenant id is the same ... but has multiple subscriptions.

  {
    "cloudName": "AzureCloud",
    "id": "xxxxxxx-8ec9-4bf7-8f4f-fba9ed4069ed",
    "isDefault": true,
    "name": "Visual Studio Professional",
    "state": "Enabled",
    "tenantId": "xxxxxxx-727e-413f-b5b8-cd0f27c02b6b",
    "user": {
      "name": "example.user@test.domain",
      "type": "user"
    }
  },
  {
    "cloudName": "AzureCloud",
    "id": "xxxxxxx-9d7d-4450-901a-e16f09f9fd1a",
    "isDefault": false,
    "name": "Visual Studio Professional",
    "state": "Enabled",
    "tenantId": "xxxxxxx-727e-413f-b5b8-cd0f27c02b6b",
    "user": {
      "name": "example.user@test.domain",
      "type": "user"
    }
  },
  {
    "cloudName": "AzureCloud",
    "id": "xxxxxxx-5cad-4521-99f6-3d7ad1d8a384",
    "isDefault": false,
    "name": "Visual Studio Professional",
    "state": "Enabled",
    "tenantId": "xxxxxxx-727e-413f-b5b8-cd0f27c02b6b",
    "user": {
      "name": "example.user@test.domain",
      "type": "user"
    }
  },
  {
    "cloudName": "AzureCloud",
    "id": "xxxxxxx-016a-43ee-8bd4-ce97f73afc27",
    "isDefault": false,
    "name": "Visual Studio Professional",
    "state": "Enabled",
    "tenantId": "xxxxxxx-727e-413f-b5b8-cd0f27c02b6b",
    "user": {
      "name": "example.user@test.domain",
      "type": "user"
    }
  }
]

Running the following module against the localhost.

azure_rm_resourcegroup_info:
      auth_source: cli
      subscription_id: xxxxx-5cad-4521-99f6-3d7ad1d8a384
      tenant: xxxxx-727e-413f-b5b8-cd0f27c02b6b

EXPECTED RESULTS

Azure CLI profile cannot be loaded - User 'xxxx' does not exist in MSAL token cache.

[Fred-sun]

@martinpsiddall If you use 'az login', can you specify the subscription_id you want to use and retry? Thank you very much!

az login
az account set -s *************

[Fred-sun]

kindly ping!

[siddallgoogle]

Apologies Fred, been away on holiday.

Unfortunately the suggested work-around presents the same MSAL error.

[siddallgoogle]

Any further suggestions / debugging I can do ?

[Fred-sun]

@MartinSiddall After you log in, you need to specify which account subscription you use, such as "az account set-s sub_use_id". Thank you!

[siddallgoogle]

Hi Fred this was the same suggested az login commands you made on the 14th July.

As per my previous reply this has the same MSAL login error

Azure CLI profile cannot be loaded - User 'xxxx' does not exist in MSAL token cache. Run az login."

[Fred-sun]

"****" means the subscription ID you want to use. Thank you very much!

[siddallgoogle]

I have no idea what you're referring to the User 'xxxx' bit is me removing my email address.

I have tried the command you've suggested but they result in the same error.

14th July

az login
az account set -s *************

Does not work.

Today, the same command in your comment is basically the same suggestion as the 14th of July.

"az account set-s sub_use_id"

Again results in the MSAL error.

Thanks.

[Fred-sun]

I would like to know the ID after "az account set -s" that you specified to execute, and did you execute this command successfully?

[siddallgoogle]

The command worked fine, with the relevant subscription ID.

Again I've obfuscated the beginning of the ID from the first post as this is a public site.

az login
az account set -s xxxxxxx-9d7d-4450-901a-e16f09f9fd1a

As an example.

Thanks

[Fred-sun]

I will try again, Multiple accounts for one tenant.

[siddallgoogle]

Yep thats what we / the team will have.

Just as a FYI using an incorrect subscription id results in

The subscription of 'xxxx' doesn't exist in cloud 'AzureCloud'.

So the set -s works fine.

Additionally the az account show ... also shows the correct subscription ID ... active subscription.