
Az PowerShell Connect-AzAccount fails in Docker container, but works on host

Problem

I have a Windows 10 machine with PowerShell 7. I wrote the following logic to sign into Azure using a service principal:

# Without -AsPlainText or -Key, ConvertTo-SecureString expects an "encrypted standard string"
# produced earlier by ConvertFrom-SecureString (DPAPI-protected on Windows)
$Secure2 = ConvertTo-SecureString -String $AZ_DEPLOYMENT_CLIENT_ENCRYPTED_SECRET
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AZ_DEPLOYMENT_CLIENT_ID, $Secure2
# Connect as the service principal, then select the subscription
Connect-AzAccount -ServicePrincipal -TenantId $AZ_TENANT_ID -Credential $Credential
Set-AzContext -Subscription $AZ_SUBSCRIPTION_ID -Tenant $AZ_TENANT_ID

It works fine on the host machine. However, when I try to run the same logic inside a Docker image (.NET SDK 6.0), the command fails with the error:

PS /builds> Connect-AzAccount -ServicePrincipal -TenantId $AZ_TENANT_ID -Credential $Credential
WARNING: The provided service principal secret will be included in the 'AzureRmContext.json' file found in the user profile ( /root/.Azure ). Please ensure that this directory has appropriate protections.
Connect-AzAccount: ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '{guid}'.
Trace ID: asdfasdf
Correlation ID: asdfasdf
Timestamp: 2022-04-19 15:07:22Z

Az PowerShell Versions

On the host, I'm running:

PS C:\Users\me> Get-InstalledModule -Name Az


Version              Name                                Repository           Description
-------              ----                                ----------           -----------
7.1.0                Az                                  PSGallery            Microsoft Azure PowerShell - Cmdlets to manage resources in Azure. This module is compatible with PowerShell and Window… 

Inside the container:

PS /builds>  Get-InstalledModule -Name Az

Version              Name                                Repository           Description
-------              ----                                ----------           -----------
7.4.0                Az                                  PSGallery            Microsoft Azure PowerShell - Cmdlets to manage resources in Azure. This module is compatible with PowerShell and Windows PowerShell.…

Dockerfile

FROM mcr.microsoft.com/dotnet/sdk:6.0
RUN apt update
RUN apt-get install vim -y
COPY . /builds
# Azure CLI via Microsoft's install script
RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
# Node.js 12 from NodeSource, then Azure Functions Core Tools v4
# (-y keeps apt-get from waiting for a prompt during a non-interactive build)
RUN apt-get install -y curl && curl -sL https://deb.nodesource.com/setup_12.x | bash -
RUN apt-get install -y nodejs
RUN npm install -g azure-functions-core-tools@4 --unsafe-perm true

Then I manually ran this command to install the az module:

 pwsh -c "Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force"
 pwsh -c "Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease -Repository PSGallery -Force"

EDIT 1

In my Dockerfile, I'm now using multiple stages so I don't have to install the Azure PowerShell toolset inside the .NET SDK image. Now my Dockerfile looks like this:

# Stage 1: build/test the function app in the .NET SDK image and deploy it
FROM --platform=amd64 mcr.microsoft.com/dotnet/sdk:6.0.202-bullseye-slim-amd64 AS deployFunctionApp
RUN apt update && apt-get install vim -y
COPY . /builds
RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
RUN apt-get install -y curl && curl -sL https://deb.nodesource.com/setup_12.x | bash -
RUN apt-get install -y nodejs
RUN npm install -g azure-functions-core-tools@4 --unsafe-perm true
WORKDIR ./builds/tests
# Linux path separators for the JUnit logger output (the image is Debian-based)
RUN dotnet test --test-adapter-path:. --logger:"junit;LogFilePath=../TestResults/test-results.xml;MethodFormat=Class;FailureBodyFormat=Verbose"
WORKDIR ../
RUN cat ./externalVariables.json
RUN pwsh -c "./deploy-function-app.ps1"

# Stage 2: app registration in the Azure PowerShell image, which already ships the Az module
FROM --platform=amd64 mcr.microsoft.com/azure-powershell:7.4.0-ubuntu-18.04 AS deployAppRegistration
COPY . /builds
WORKDIR ./builds
RUN pwsh -c "Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease -Repository PSGallery -Force"
RUN pwsh -c "./ad-app-reg.ps1"

So now I can build in stages like this:

PS /Users/me> docker build --target deployAppRegistration -t mytest .

[+] Building 17.5s (7/9)
 => [internal] load build definition from Dockerfile                                                    0.0s
 => => transferring dockerfile: 1.35kB                                                                  0.0s
 => [internal] load .dockerignore                                                                       0.0s
 => => transferring context: 2B                                                                         0.0s
 => [internal] load metadata for mcr.microsoft.com/azure-powershell:7.4.0-ubuntu-18.04                  0.2s
 => [internal] load build context                                                                       0.0s
 => => transferring context: 23.03kB                                                                    0.0s
 => CACHED [deployappregistration 1/5] FROM mcr.microsoft.com/azure-powershell:7.4.0-ubuntu-18.04@sha256:4d2a4c73e91c27be3ac3de40a1dd8cf36dde17d43da8837a1967fab6ac376950  0.0s
 => [deployappregistration 2/5] COPY . /builds                                                          0.2s
 => [deployappregistration 3/5] WORKDIR ./builds                                                        0.0s
 => [deployappregistration 4/5] RUN pwsh -c "Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease -Repository PSGallery -Force"
 => [deployappregistration 5/5] RUN pwsh -c "./ad-app-reg.ps1"                                         16.1s


But it still fails to connect to Azure. I start a fresh container based on this image, and can recreate the error I see in the docker build command:

root@7a0f9c69306d:/builds# ls
ad-app-reg.ps1  arm_templates  deploy-function-app.ps1  Dockerfile  docs  externalVariables.json  postman_tests  README.md  src  tests

root@7a0f9c69306d:/builds# pwsh
PowerShell 7.2.2
Copyright (c) Microsoft Corporation.

https://aka.ms/powershell
Type 'help' to get help.

PS /builds> ./ad-app-reg.ps1
WARNING: The provided service principal secret will be included in the 'AzureRmContext.json' file found in the user profile ( /root/.Azure ). Please ensure that this directory has appropriate protections.
Connect-AzAccount: /builds/ad-app-reg.ps1:30
Line |
  30 |  Connect-AzAccount -ServicePrincipal -TenantId $AZ_TENANT_I …
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application
     | registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret
     | value, not the client secret ID, for a secret added to app '[ad app reg guid]'. Trace ID: asdfasdf Correlation ID: asdf Timestamp:
     | 2022-04-25 12:42:08Z

Set-AzContext: /builds/ad-app-reg.ps1:32
Line |
  32 |  Set-Azcontext -Subscription $AZ_SUBSCRIPTION_ID -Tenant $c …
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Run Connect-AzAccount to login.

I had to recreate the encrypted secret in the container and then it started to work. It's still not clear why it didn't like the encrypted secret that I created on the host and saved to a file. It was created using the same secret and service principal. But I guess the error message was legit - it really didn't like the credential!
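An added example (editor's code, not part of the original post and not Azure PowerShell's own) covering the cross-platform detail behind the error the post describes. ConvertFrom-SecureString without -Key protects the string with Windows DPAPI, which binds the blob to the user profile and machine that created it, so an "encrypted standard string" generated on the Windows host does not decrypt to the original value inside the Linux container; Azure AD then sees a wrong secret and answers AADSTS7000215 "Invalid client secret", which matches the post's observation that regenerating the blob inside the container fixed it. Encrypting with an explicit AES key via -Key makes the blob portable, and a pre-flight check catches a key/blob mismatch locally before anything is sent to Azure AD. The AZ_* names follow the post but are read as environment variables here; AZ_SECRET_KEY, the helper function names and the sample secret are assumptions of this example.

```powershell
# Added example (editor's code, not from the original post or from Microsoft).
# Goal: make the service-principal secret decrypt to the same value on the
# Windows host and inside the Linux container, and check it before the
# Connect-AzAccount call that produced AADSTS7000215 in the post.
# Assumptions: AZ_* values arrive as environment variables, AZ_SECRET_KEY
# carries the AES key, helper names are mine, the sample secret is constructed.

$ErrorActionPreference = 'Stop'

function New-PortableSecretKey {
    # 32 random bytes = AES-256 key for ConvertFrom-SecureString -Key.
    # Without -Key, Windows protects the string with DPAPI, which ties the
    # blob to the creating user and machine, so it is unusable in a Linux
    # container. With -Key the blob decrypts anywhere the key is present.
    $key = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Fill($key)
    return [Convert]::ToBase64String($key)
}

function Protect-PortableSecret {
    param(
        [Parameter(Mandatory)][securestring]$Secret,
        [Parameter(Mandatory)][string]$KeyBase64
    )
    $key = [Convert]::FromBase64String($KeyBase64)
    if ($key.Length -notin 16, 24, 32) {
        throw "AES key must be 16, 24 or 32 bytes; got $($key.Length)."
    }
    return ConvertFrom-SecureString -SecureString $Secret -Key $key
}

function Unprotect-PortableSecret {
    param(
        [Parameter(Mandatory)][string]$Encrypted,
        [Parameter(Mandatory)][string]$KeyBase64
    )
    $key = [Convert]::FromBase64String($KeyBase64)
    return ConvertTo-SecureString -String $Encrypted -Key $key
}

function Test-LooksLikeClientSecret {
    # Pre-flight check that never prints the value: a client secret VALUE is
    # printable ASCII of a few dozen characters. Text recovered with the wrong
    # key, or from a Windows DPAPI blob read on Linux, fails this test, so the
    # script stops locally instead of sending garbage to Azure AD.
    param([Parameter(Mandatory)][securestring]$Secret)
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr)
        return ($plain.Length -ge 16) -and ($plain -cmatch '^[\x21-\x7e]+$')
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr)
    }
}

# ---- Host side (Windows, run once): encrypt with a key you control ----
$keyB64 = New-PortableSecretKey
# Constructed sample; in practice use Read-Host -AsSecureString and never
# commit the plaintext. It must be the secret VALUE, not the secret ID.
$sample = ConvertTo-SecureString -String 'Qx8~constructed.sample_secret-VALUE.2022' -AsPlainText -Force
$encrypted = Protect-PortableSecret -Secret $sample -KeyBase64 $keyB64
# Put $encrypted in externalVariables.json; hand $keyB64 to the container
# separately (CI secret or mounted file), never baked into an image layer.

# ---- Container side (Linux): rebuild the credential and verify it first ----
$env:AZ_DEPLOYMENT_CLIENT_ENCRYPTED_SECRET = $encrypted   # normally set by CI
$env:AZ_SECRET_KEY = $keyB64                              # normally a mounted secret

$Secure2 = Unprotect-PortableSecret -Encrypted $env:AZ_DEPLOYMENT_CLIENT_ENCRYPTED_SECRET `
                                    -KeyBase64 $env:AZ_SECRET_KEY
if (-not (Test-LooksLikeClientSecret -Secret $Secure2)) {
    throw 'Decrypted client secret is not printable text: key and blob do not match.'
}

if (Get-Module -ListAvailable -Name Az.Accounts) {
    $Credential = [pscredential]::new($env:AZ_DEPLOYMENT_CLIENT_ID, $Secure2)
    # Keep the secret out of /root/.Azure/AzureRmContext.json (the WARNING
    # in the post); the context then lives only in this process.
    Disable-AzContextAutosave -Scope Process | Out-Null
    Connect-AzAccount -ServicePrincipal -TenantId $env:AZ_TENANT_ID -Credential $Credential
    Set-AzContext -Subscription $env:AZ_SUBSCRIPTION_ID -Tenant $env:AZ_TENANT_ID
}
```

If the CI system can already inject the plaintext secret as a protected variable, the simpler route is to skip the encrypted file entirely and build the SecureString with `ConvertTo-SecureString -String $env:AZ_DEPLOYMENT_CLIENT_SECRET -AsPlainText -Force` inside the container. Either way, keep the key or the plaintext out of `COPY . /builds` and out of `ENV` lines; with BuildKit, `docker build --secret id=azkey,src=./key.txt` plus `RUN --mount=type=secret,id=azkey ...` exposes it to one `RUN` step without leaving it in the image.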

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.