Have you encountered the error mentioned in the subject line before?, I'm intrigued by it and unable to a solution. Here are the steps I executed to create a service principal
az login
-- Gives me a device code to enter in browser
Login to az non-interactively
az account set --subscription="xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Check correct account by
az account show
Create a SP
az ad sp create-for-rbac -n "tf-authenticator" --role contributor
Run terraform plan as like below:
[jim#rhel75 msdn]$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
azurerm_resource_group.tf-rg-cluster-sql: Refreshing state... os_profile_windows_config.1060902566.enable_automatic_upgrades: "true"
Plan: 28 to add, 0 to change, 0 to destroy.
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
Now, I run terraform again and I get error that No authorization token found!
[jim#rhel75 msdn]$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
Error: Error refreshing state: 1 error(s) occurred:
* provider.azurerm: Error building AzureRM Client: Error populating Client ID from the Azure CLI: No Authorization Tokens were found - please re-authenticate using `az login`.
Note, I tested and same behavior exhibits on
1. CentOS 7.6
2. Ubuntu 16.04
3. Azure Pipelines Release Pipeline (Which utilizes Ubuntu 16.04 agent)
Update: I encounter a weird error when I try to create a SP. I have already my default subscription but still run the below command and receive error:
az ad sp create-for-rbac -n "tf-authenticator" --role="Contributor" --scopes="/subscriptions/xxxxxxxxxxxxxxxxxxx"
Error message:
Changing "tf-authenticator" to a valid URI of "http://tf-authenticator", which is the required format used for service principal names
Get Token request returned http error: 400 and server response: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'bd58677d-d0a4-46a5-9b5a-02c6662ae149' was not found in the directory '055b56f0-423b-4b1a-b6bc-6ae09ab61485'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: cc58c97b-2247-4bf7-ab6c-7d1b993f0b00\r\nCorrelation ID: 42540a48-7d44-494b-9dc2-a8dd9d6c10b7\r\nTimestamp: 2019-03-14 00:46:49Z","error_codes":[700016],"timestamp":"2019-03-14 00:46:49Z","trace_id":"cc58c97b-2247-4bf7-ab6c-7d1b993f0b00","correlation_id":"42540a48-7d44-494b-9dc2-a8dd9d6c10b7","error_uri":"https://login.microsoftonline.com/error?code=700016"}
I have further drilled down that this has to do something with azure tokens, as I can create a VM instances with Azure CLI itself, please see evidence below:
az vm create --resource-group "myResourceGroup" --name "myVM" --image "Win2016Datacenter" --admin-username "Demouser" --admin-password "Demouser#123" --use-unmanaged-disk --location "Australia Southeast"
Azure Error: InvalidTemplateDeployment
Message: The template deployment failed with error: 'The resource with id: '/subscriptions/11855b5b-484f-4104-b77b-a73eb8cd74dc/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM' failed validation with message: 'The requested size for resource '/subscriptions/11855b5b-484f-4104-b77b-a73eb8cd74dc/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM' is currently not available in location 'australiasoutheast' zones '' for subscription '11855b5b-484f-4104-b77b-a73eb8cd74dc'. Please try another size or deploy to a different location or zones. See https://aka.ms/azureskunotavailable for details.'.'.
It did not launched a VM but at least its clear that it was able to proceed should size would have been right.
Can you please try to follow this documentation - https://learn.microsoft.com/en-us/azure/developer/terraform/get-started-cloud-shell-bash?tabs=bash
You need to create environment variables in order to deploy azure portal
One more thing - you need to have environment variables in .tf file
I would suggest you to not store the secrets in plain text
If you are using azure devops pipeline to deploy you can store it in the keyvault or in variables
If you are using terraform cloud with workspaces you can store it in variables
Related
We are using the Sonarcloud plugin in Azure DevOps. Suddenly, we get the following error in our build pipeline:
##[error]ERROR: Error during SonarScanner execution ERROR: Project not found. Please check the 'sonar.projectKey' and 'sonar.organization'
properties, the 'SONAR_TOKEN' environment variable, or contact the
project administrator ERROR: ERROR: Error during SonarScanner
execution ERROR: Project not found. Please check the
'sonar.projectKey' and 'sonar.organization' properties, the
'SONAR_TOKEN' environment variable, or contact the project
administrator ERROR:
##[error]The SonarScanner did not complete successfully The SonarScanner did not complete successfully
##[error]09:51:19.094 Post-processing failed. Exit code: 1 09:51:19.094 Post-processing failed. Exit code: 1
##[error]The process '/usr/bin/dotnet' failed with exit code 1
Authentication is done with ServiceConnections and the token verification is still valid. I also tried to use a new SonarCloud Authentication token for the ServiceConnection. We haven't changed anything in the infrastructure or on the SonarCloud platform, and it was working fine 5 days ago.
I tried to set Administration / Permission / Execute Analysis to "Anyone" (also checked all users) without success.
Any ideas?
The PAT (Personal Access Token) has expired.
Create one in Azure DevOps and add it Administration / Organization settings / Azure DevOps connectivity management / New Personal Access Token
Note: I had to abandon my Pull-Request and create a new one after using the new PAT.
I would like to see this more clearly indicated on the platform (e.g. by an info bar at the top of the platform)
Was working on az ml cli v2 to deploy real-time endpoint with command az ml online-deployment through Azure pipeline. had double confirmed that the service connection used in this pipeline task had added the permissions below in Azure Portal but still showing the same error.
ERROR: Error with code: You don't have permission to alter this storage account. Ensure that you have been assigned both Storage Blob Data Reader and Storage Blob Data Contributor roles.
Using the same service connection, we are able to perform the creation of online endpoint with az ml online-endpoint create in the same and other workspaces.
Issue was resolved. I did not change anything in the service principal and running it on second day using same yml got through the issue. I guess there might be some propagation issue, but longer than usual.
I'm getting this weird error in azure pipelines. We use a ACR to supply our base images and we connect to this using a service connection which works well most of the time. However occasionally we get an error:
/usr/bin/docker pull /base-images/python:3.7-buster-vanilla
Error response from daemon: Get https:///v2/base-images/python/manifests/3.7-buster-vanilla: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
There does not seem to be any clear explanation for this because when we perform a retry of the specific task this works fine.
We have no separate login to the acr and we only define the connection that needs to be used in the job itself:
container:
image: servers.azurecr.io/base-images/python:3.7-buster-vanilla
endpoint: server-Service-Connection
I have been looking at the build logs but was not able to get any usefull information from there. If any additional information is needed i would of course be happy to supply it.
I fixed this error using the Azure CLI az acr login --name *registry-name* Solution explained here at Azure Registry troubleshooting docs
I think you may be running into a Docker Hub issue. We're experiencing this intermittently in our CI (not Azure) during regular pulls for python images.
From https://status.docker.com/pages/history/533c6539221ae15e3f000031
February 3, 2021 5:21PM
UTC[Investigating] A number of users may experience problems logging into Docker Hub.
I have a Windows 10 Enterprise VM running an Azure Devops Agent in Interactive mode. The agent runs using the only user the machine has, and it is an Administrator with UAC disabled. However, when executing tasks that require an elevated command prompt, as registering dlls, the command fails with the following error message:
##[error]Cmd.exe exited with code '5'.
And this message is when I'm trying to COPY files into Windows\SysWow64
##[error]Error: Failed cp: cp: copyFileSync: could not write to dest file (code=EPERM):C:\windows\SysWow64\test.txt
My testes also fail with the following error message:
Test method TestesRegressaoPGB.Autenticacao.AutenticarNoPGBL02 threw exception:
System.AggregateException: One or more errors occurred. (The requested operation requires elevation.) ---> System.ComponentModel.Win32Exception: The requested operation requires elevation.
TestCleanup method TestesRegressaoPGB.Autenticacao.Cleanup threw exception. System.NullReferenceException: System.NullReferenceException: Object reference not set to an instance of an object..
How do I run all commands while elevated?
In the Azure DevOps, If you want to access local file in the azure devops pipeline via self-hosted agent, It accesses the file via service account instead of Personal account.
Workaround
We could open check the file permission and configure the service account permission. service account format User/Administrator/Administrators({Agent.ComputerName}\User/Administrator/Administrators)
Also, we could change the agent service account to your owner account.
Steps: Open service on the agent machine and search the agent service account, check the pic below, just change the account name and password to yours, then It will use this account to perform the operation.
I just added permissions on each and every folder the pipeline agent needed to open. As I said to Vito, the agent was not running using a service account.
I am just new to Azure Cloud and Devops, so forgive me if I may forget some critical info here.
So during creation of tasks for the release and selecting subscriptions, I get an error when trying to authorize the subscription (which I suspect is because of insufficient permissions associated to my account), so I go to advanced options to select the managed identity authentication.
After which no error shows now. So I set all remaining items and assign Deploy Azure App Service task. However during the running of the agent I get an error during Deploy Azure App Service step.
Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'sample-vue'. Error: Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request
I have already set my azure app service to have a system assigned managed identity, but still this error occurs. I can't find any answer, online, with regards to the error above so hoping that someone could help explain to me the problem and how to possibly fix it. My hunch now is that I may have some insufficient permissions, but I don't know what it may be.
Please try the following items:
Remove and re-add the service connection in DevOps.
Check the rights of the account on Azure subscription. Please verify if the account has at least contributor access on Azure subscriptions. Check https://learn.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator