The access token is from the wrong issuer
re4s0n4 opened this issue · 4 comments
I encounter an issue while using Powershell 5.1 and 7.2 authenticated using my Subscription administrator account (Connect-AzAccount -UseDeviceAuthentication):
Get-AzResource : The access token is from the wrong issuer
'https://sts.windows.net/xxxxxxxx-xxxxxx-xxxxxxx-xxxxxxx/'. It must match the tenant
'https://sts.windows.net/xxxxxxxx-xxxxxx-xxxxxxx-xxxxxxx/' associated with this subscription. Please use the
authority (URL) 'https://login.windows.net/xxxxxxxx-xxxxxx-xxxxxxx-xxxxxxx' to get the token. Note, if the
subscription is transferred to another tenant there is no impact to the services, but information about new tenant
could take time to propagate (up to an hour). If you just transferred your subscription and see this error message,
please try back later.
At C:\Users\rfabiano_wa\AzViz\AzViz\src\private\ConvertFrom-Network.ps1:90 char:48
- ... toCateg = (Get-AzResource -ResourceId $to.ResourceId).Resour ...
-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~- CategoryInfo : CloseError: (:) [Get-AzResource], CloudException
- FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet
I think this may be because I am a Subscription Administrator but not a tenant administrator.
@re4s0n4 yes, this piece of code basically looks for network associations and in this case it seems like a network components is associated with another network resource in a different subscription. If that is the case this is the ideal behavior if you don't have permissions on other subscription.
That being said, I'll try to add better error handling around it and meanwhile trying to replicate the issue at my end.
Thanks for creating an issue!
Same user has access to all associated resources. I'm guessing it may have to do with peering networks to a subscription for which I am also a full admin. Maybe some error handling would clarify which resource it's being blocked on and maybe make it not breaking error.
