chef/knife-azure

Multiple Azure AADs cause incorrect token to be chosen for authorization

Closed this issue · 4 comments

Azure accounts can have more than one AAD associated with them. The "azure login" command adds tokens from each AAD into the Windows Credential store. This can cause problems when trying to run knife-azure commands if the wrong token is chosen from the token store to use for authorization. There doesn't seem to be any logic when the cmdkey.exe command is run to choose between the tokens (besides the last login time, which isn't correct in this case). The result is that the token for the wrong tenant is chosen and you get the following error:

ERROR: The access token is from the wrong issuer 'https://sts.windows.net/{BAD-GUID}/'. It must match the tenant 'https://sts.windows.net/{GOOD-GUID}/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/{GOOD-GUID}' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.

Also, if anyone else runs into this, as a workaround you can go into the Windows Credential Management GUI and manually remove the entries for the BAD-GUID. Once that is done you can use the knife-azure commands and the correct token will be chosen.

@hubertjfarnsworth , in case of multiple AADs, we are picking up the latest credential from Windows Credential Store.
For fixing the above error, please make sure that you update the azure_publish_settings_file or azure_subscription_id for the required AAD account in knife.rb file.

@hubertjfarnsworth any updates here?

@hubertjfarnsworth, can you please share the steps to reproduce this issue? I can see only one scenario where the error that you encountered can occur:

1. Run `azure login` for <Azure Account 1>.
2. Update the `azure_publish_settings_file` or `azure_subscription_id` in the `knife.rb` file for <Azure Account 1>.
3. Run `azure login` for <Azure Account 2>, but don't update the `azure_publish_settings_file` or `azure_subscription_id` in the `knife.rb` file.

So updating the subscription in knife.rb should fix this.

cmdkey.exe is run to fetch the list of credentials. We filter out the credentials belonging to AzureXplatCli from them. In case of multiple azure logins, there will be multiple tokens, but we pick the latest one based on the expiry time: https://github.com/chef/knife-azure/blob/master/lib/azure/resource_management/windows_credentials.rb#L144. Expiry times are unlikely to coincide.
Please explain in which case you found that this didn't pick up the token for the last azure login done.
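An added Ruby example (not knife-azure's own code) that models the selection rule described in the comment above, picking the AzureXplatCli entry with the latest expiry, beside a tenant-aware alternative that only considers tokens whose issuer matches the tenant of the configured subscription; the credential entries, field names and GUIDs are constructed for this example.

```ruby
require "time"

# Constructed tenant ids standing in for GOOD-GUID / BAD-GUID from the error message.
TENANT_GOOD = "11111111-1111-1111-1111-111111111111"
TENANT_BAD  = "22222222-2222-2222-2222-222222222222"

# Constructed credential-store entries, as two `azure login` runs against
# different AADs might leave behind. Field names are assumptions for this
# example, not the structure knife-azure parses from cmdkey.exe.
CREDENTIALS = [
  { target: "AzureXplatCli:account-one", token: "tok-good",
    issuer: "https://sts.windows.net/#{TENANT_GOOD}/", expires_on: "2016-01-01T10:00:00Z" },
  { target: "AzureXplatCli:account-two", token: "tok-bad",
    issuer: "https://sts.windows.net/#{TENANT_BAD}/",  expires_on: "2016-01-01T11:00:00Z" },
  # An unrelated application's entry; must be filtered out before any selection.
  { target: "SomeOtherApp",              token: "unrelated",
    issuer: "https://sts.windows.net/#{TENANT_BAD}/",  expires_on: "2016-01-01T12:00:00Z" },
].freeze

# Keep only entries belonging to AzureXplatCli, as the maintainer describes.
def xplat_credentials(entries)
  entries.select { |e| e[:target].start_with?("AzureXplatCli") }
end

# Extract the tenant GUID from the issuer URL carried in the token.
def tenant_of(cred)
  cred[:issuer][%r{\Ahttps://sts\.windows\.net/([^/]+)/\z}, 1]
end

# The behaviour described in the thread: the AzureXplatCli token with the
# latest expiry wins, regardless of which tenant issued it.
def pick_latest(entries)
  xplat_credentials(entries).max_by { |e| Time.iso8601(e[:expires_on]) }
end

# Tenant-aware selection: restrict candidates to tokens issued by the tenant
# that the subscription configured in knife.rb belongs to, then take the
# latest expiry. Returns nil when no token for that tenant is stored, which
# is the case to surface to the user rather than silently using another tenant.
def pick_for_tenant(entries, tenant_id)
  xplat_credentials(entries)
    .select { |e| tenant_of(e) == tenant_id }
    .max_by { |e| Time.iso8601(e[:expires_on]) }
end

# Mirror of the server-side check quoted in the issue: issuer must match the tenant.
def issuer_matches?(cred, tenant_id)
  cred[:issuer] == "https://sts.windows.net/#{tenant_id}/"
end
```

With the sample entries, `pick_latest` returns the token for TENANT_BAD (the later expiry), which is exactly the token the ARM endpoint rejects in the quoted error, while `pick_for_tenant(CREDENTIALS, TENANT_GOOD)` returns the one that passes `issuer_matches?`.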

Closing this issue as we aren't able to reproduce it. @hubertjfarnsworth , please re-open if you are still facing it.