OidcClient.getCall failing in self-hosted Runners.
Powertrain opened this issue · 7 comments
Environments
- GHES 3.11.5 in an Azure VM along with,
- a self-hosted runner in an Azure VM with the software provided by the GHES instance.
Issue:
- when used on a self-hosted runner, the job is unable to access the id-token variable's permissions. id-token has been set to both Write and Write-All in many iterations of the job to no success.
Please make sure to give write permissions to id-token in the workflow.
- the azure/login v2.1.1 action fails at line 570, the try-catch sends back
Login failed with Error: Error message: Cannot read properties of undefined (reading 'message'). Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information.
- the OIDC token URL appears to be generated, but
- it fails at line 565:
const id_token = yield OidcClient.getCall(id_token_url);
Is this a failure on the runner side, or a federated credential issue on the other end?
Thanks for any assistance.
Hi @Powertrain , please try the steps in #283 (comment).
@YanaXu Thanks for the response!
Following the advice from #283
- Both endpoints are available from the internet.
- They are available when using a curl -v command from the runner machine.
However this still results in a failed run with the following information:
- The id_token_url (Line 559) variable, when visited via a browser from my machine or with curl -v from the gitRunner machine, always returns the same response: The user 'System:PublicAccess;aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not authorized to access this resource.
Hi @Powertrain, could you raise your question to this repo: https://github.com/actions/toolkit ?
This is the GitHub Action toolkit repo which Azure Login Action depends on.
https://github.com/Azure/login/blob/v2.1.1/lib/main/index.js
Line 545-546: both ${error.statusCode} and ${error.result.message} are null. This causes the action to give a result of Error message: Cannot read properties of undefined (reading 'message').
After branching my own version and changing the output to Error Code : ${error}, I get the output:
Error: unable to verify the first certificate
Thanks for any assistance going forward.
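The comment above shows why the real cause was hidden: the catch block reads error.result.message, which does not exist on a plain Node TLS error. As an added example (not Azure/login's own code), here is a defensive formatter that reports the HTTP body when the error object has one and otherwise falls back to the Node error code and message, flagging certificate-chain failures so a runner operator can see the trust problem directly. The error shapes and the diagnostic hints are assumptions; the constructed sample mirrors the "unable to verify the first certificate" error from this thread.

```javascript
// Added example, not Azure/login's code: describe a failed OIDC token request
// without crashing on a missing `result` property.
// Assumed shapes: HTTP client errors carry statusCode and result.message;
// plain Node errors carry code and message (e.g. a TLS chain failure).

// Node TLS error codes that mean the runner does not trust the server's chain.
const TLS_CHAIN_CODES = new Set([
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE', // reported as "unable to verify the first certificate"
  'SELF_SIGNED_CERT_IN_CHAIN',
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  'CERT_HAS_EXPIRED',
]);

function describeTokenError(error) {
  if (error === null || typeof error !== 'object') {
    return { category: 'unknown', detail: String(error), hint: null };
  }
  const status = error.statusCode;
  // Optional chaining avoids "Cannot read properties of undefined (reading 'message')".
  const bodyMessage = error.result?.message;
  if (status !== undefined && bodyMessage !== undefined) {
    return {
      category: 'http',
      detail: `HTTP ${status}: ${bodyMessage}`,
      hint: status === 401 || status === 403
        ? 'check that the job grants id-token: write and the request token is current'
        : null,
    };
  }
  const code = error.code ?? '';
  const message = error.message ?? '';
  if (TLS_CHAIN_CODES.has(code) || /verify the first certificate/i.test(message)) {
    return {
      category: 'tls',
      detail: `${code || 'TLS'}: ${message}`,
      hint: 'the runner does not trust the GHES certificate chain; install the issuing CA on the runner (e.g. via NODE_EXTRA_CA_CERTS) or serve the full chain',
    };
  }
  return { category: 'other', detail: `${code || error.name || 'Error'}: ${message}`, hint: null };
}

// Constructed sample: the error the runner actually raised in this thread.
const sampleTlsError = Object.assign(new Error('unable to verify the first certificate'), {
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
});
console.log(describeTokenError(sampleTlsError));
```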
https://github.com/Azure/login/blob/v2.1.1/lib/main/index.js
I am running into further issues with v2.1.1
Line 4004: yield this.executeAzCliCommand(["--version"], true, execOptions); fails over and over again: The process '/usr/local/bin/az' failed with exit code 1.
When the line is commented out, the subsequent executeAzCliCommand commands will successfully set the Azure environment.
Would you recommend swapping the version of Azure/Login I am using?
@Powertrain could you run az --version --debug directly on your VM and send us the result?
Thanks for the response!
Upgrading from azure-cli 2.39 to azure-cli 2.63; will run action/login@v2.1.1 again once complete.