[BUG]: AzureCli task fails to authenticate to service connection when multiple managed identities are assigned. #20335

Closed
@craigthackerx

Description

New issue checklist

Task name

AzureCLI

Task version

2

Issue Description

Based on @teeroddesigns's issue here. There is a bug when assigning multiple user-assigned managed identities to a Windows and Linux VM with the Azure CLI task.

Steps to recreate:

  1. Create a service connection to Azure Resource Manager using managed identity
  2. Provide details etc. and set up successfully
  3. Add this managed identity to your VM running the Azure DevOps agent, along with an additional, unrelated managed identity.
  4. Run the AzureCli task; you will see the errors:
ERROR: Failed to connect to MSI. Please make sure MSI is configured correctly.
##[error]Error Code: [1]
Get Token request returned http error: 400, reason: Bad Request
##[error]Error: Azure login failed using Managed Service Identity
##[error]Script failed with error: ERROR: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request

##[error]Script failed with error: ERROR: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request

To validate this, I went ahead and removed the unrelated managed identity from my VM, leaving only the managed identity for the corresponding service connection, and it works:

[
  {
    "environmentName": "AzureCloud",
    "homeTenantId": "xxx",
    "id": "xxx",
    "isDefault": true,
    "managedByTenants": [],
    "name": "xxx",
    "state": "Enabled",
    "tenantId": "xxx",
    "user": {
      "assignedIdentityInfo": "MSI",
      "name": "systemAssignedIdentity",
      "type": "servicePrincipal"
    }
  }
]

Environment type (Please select at least one environment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operating system

Ubuntu 22.04

Relevant log output

ERROR: Failed to connect to MSI. Please make sure MSI is configured correctly.
##[error]Error Code: [1]
Get Token request returned http error: 400, reason: Bad Request
##[error]Error: Azure login failed using Managed Service Identity
##[error]Script failed with error: ERROR: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request

##[error]Script failed with error: ERROR: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request

Full task logs with system.debug enabled

No response

Repro steps

  1. Create a service connection to Azure Resource Manager using managed identity
  2. Provide details etc. and set up successfully
  3. Add this managed identity to your VM running the Azure DevOps agent, along with an additional, unrelated managed identity.
  4. Run the AzureCli task; you will see the errors:

No response
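
The failure reported above can be checked against the agent VM's identity configuration. The sketch below is an added example, not code from the issue or from the AzureCLI task; it assumes the 400 comes from the Azure Instance Metadata Service (IMDS) token endpoint receiving a request that names no identity while several user-assigned identities are attached, and the function names, identity names and GUIDs are constructed placeholders.

```python
from urllib.parse import urlencode

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
ARM_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
              "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/")

# Constructed sample shaped like `az vm identity show` output; every ID is a placeholder.
SAMPLE_VM_IDENTITY = {
    "type": "UserAssigned",
    "userAssignedIdentities": {
        ARM_PREFIX + "id-devops-agent": {"clientId": "11111111-1111-1111-1111-111111111111"},
        ARM_PREFIX + "id-unrelated": {"clientId": "22222222-2222-2222-2222-222222222222"},
    },
}


def attached_identities(vm_identity):
    """Return (has_system_assigned, {identity name: client ID}) for a VM identity block."""
    has_system = "SystemAssigned" in vm_identity.get("type", "")
    user = vm_identity.get("userAssignedIdentities") or {}
    return has_system, {rid.rsplit("/", 1)[-1]: props["clientId"] for rid, props in user.items()}


def unqualified_resolves_to(vm_identity):
    """Identity a token request that names none would get, or None if IMDS cannot choose."""
    has_system, user = attached_identities(vm_identity)
    if has_system:
        return "system-assigned"
    if len(user) == 1:
        return next(iter(user))
    return None  # no single identity to default to: the request fails with HTTP 400


def token_request(resource, client_id=None):
    """Build the IMDS token request; client_id pins it to one user-assigned identity."""
    params = {"api-version": "2018-02-01", "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return IMDS_TOKEN_ENDPOINT + "?" + urlencode(params), {"Metadata": "true"}


if __name__ == "__main__":
    print("unqualified request resolves to:", unqualified_resolves_to(SAMPLE_VM_IDENTITY))
    _, by_name = attached_identities(SAMPLE_VM_IDENTITY)
    url, headers = token_request("https://management.azure.com/", by_name["id-devops-agent"])
    print("pinned request:", url, headers)
```

On an affected agent, feed the real `az vm identity show` output into `unqualified_resolves_to`; a `None` result means the login has to name the identity explicitly.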
