
Self Hosted Azure DevOps Pipeline Agent fails with error Token Audience is not valid

I have created a new token with Agent Pool read and manage permissions. I have created a new agent pool lnx_agent in which I have the administrator role to manage it. When I download the tar file of the Linux x64 agent from this link https://vstsagentpackage-azureedge-net.o365.example-domain.defendernet.com/agent/2.171.1/vsts-agent-linux-x64-2.171.1.tar.gz, copy it to the bastion host, unpack it and execute ./config.sh with the URL, PAT token, agent pool lnx_agent and default agent name bastion_agent, I get the error message below.

[2020-06-28 20:24:35Z ERR  VisualStudioServices] POST request to https://vssps-dev-azure-com.o365.example-domain.defendernet.com/Example-Client/_apis/oauth2/token failed. HTTP Status: BadRequest, AFD Ref: Ref A: C7A934103EDF47B2B3E6F148516B35B5 Ref B: DB3EDGE1015 Ref C: 2020-06-28T20:24:35Z
[2020-06-28 20:24:35Z INFO VisualStudioServices] AAD Correlation ID for this token request: Unknown
[2020-06-28 20:24:35Z INFO VisualStudioServices] Finished operation Location.GetConnectionData
[2020-06-28 20:24:35Z INFO VisualStudioServices] Finished operation Location.GetConnectionData
[2020-06-28 20:24:35Z INFO VisualStudioServices] Finished operation Location.GetConnectionData
[2020-06-28 20:24:35Z ERR  Agent] Microsoft.VisualStudio.Services.OAuth.VssOAuthTokenRequestException: The token audience is not valid https://vssps-dev-azure-com.o365.example-domain.defendernet.com/Example-Client/_apis/oauth2/token. Comparing to https://vssps-dev-azure-com.o365.example-domain.defendernet.com/Example-Client/_apis/oauth2/token; https://app-vssps-visualstudio-com.o365.example-domain.defendernet.com/Example-Client/_apis/oauth2/token.

Example-Client is my project and example-domain is my company name. What does "AAD Correlation ID for this token request: Unknown" mean?

Since my AKS cluster is private, all three options to connect to it from an Azure release pipeline (kubeconfig, service account and subscription) fail. So, if I could configure a self-hosted agent on the bastion host, whose virtual network is peered with the virtual network of the private AKS cluster, then I can successfully automate the CD pipeline by running the agent on this bastion host.

 az devops login --organization https://dev-azure-com.o365.example-domain.defendernet.com/Example-Client
Token:
Failed to store PAT using keyring; falling back to file storage.
You can clear the stored credential by running az devops logout.
Refer https://aka.ms/azure-devops-cli-auth to know more on sign in with PAT.

Firstly, please make sure you can access the Azure DevOps organization ( https://dev.azure.com/{organization} ) from the bastion host. Otherwise we cannot connect to the Azure DevOps services.

Secondly, please check if you are running a firewall or a proxy on the bastion host. If you're running an agent in a secure network behind a firewall, make sure the agent can initiate communication with the URLs and IP addresses mentioned in the documents below.
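
A check for the firewall/proxy point in the answer above, as an added example that is not part of the original post: it lists the hosts that appear in agent log text but fall outside an allowlist of Azure DevOps endpoints. The suffix list, the function names and the sample log are assumptions constructed for illustration; take the real list from Microsoft's agent networking documentation.

```shell
#!/bin/sh
# Added example: flag hosts in agent log text that are not Azure DevOps endpoints.

# Assumed allowlist, matched as exact host or parent domain.
# Replace with the endpoints documented for your organization.
ALLOWED_SUFFIXES="dev.azure.com visualstudio.com vstsagentpackage.azureedge.net"

# Return 0 if $1 equals an allowed suffix or is a subdomain of one.
# The leading dot in the pattern stops "notdev.azure.com" from matching.
host_allowed() {
  ha_host="$1"
  for ha_suffix in $ALLOWED_SUFFIXES; do
    case "$ha_host" in
      "$ha_suffix"|*".$ha_suffix") return 0 ;;
    esac
  done
  return 1
}

# Read log text on stdin; print each distinct unexpected host once, sorted.
unexpected_hosts() {
  grep -oE 'https?://[^/ ;,]+' \
    | sed -E 's#^https?://##; s#:[0-9]+$##' \
    | tr '[:upper:]' '[:lower:]' \
    | sort -u \
    | while read -r uh_host; do
        host_allowed "$uh_host" || printf '%s\n' "$uh_host"
      done
}

# Constructed sample: the first line is shaped like the log in the question,
# the second uses the canonical host for comparison.
SAMPLE_LOG='[2020-06-28 20:24:35Z ERR  VisualStudioServices] POST request to https://vssps-dev-azure-com.o365.example-domain.defendernet.com/Example-Client/_apis/oauth2/token failed. HTTP Status: BadRequest
[2020-06-28 20:24:35Z INFO VisualStudioServices] GET request to https://vssps.dev.azure.com/Example-Client/_apis/connectionData'

# Demo run on the constructed sample; on a real host, pipe the agent's
# diagnostic log into unexpected_hosts instead.
printf '%s\n' "$SAMPLE_LOG" | unexpected_hosts
```

Any host this prints is one the agent reached through something other than the expected endpoints, which is where to start looking at proxy or firewall rewriting.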
