azure-cli
Az VM Run-Command Create run-as details do not work as expected
Related command
az vm run-command create
Describe the bug
This is a reopen of https://github.com/Azure/azure-cli/issues/21602 that didn't seem to get resolved. Copying in other people's feedback into this body, as it is the same as mine!
I'm seeing the exact same issue, and I've noted that it is reported for the Azure Powershell library as well (see bottom of linked comment): https://github.com/Azure/azure-powershell/issues/17534#issuecomment-1075509019
Executing the following simple test fails when providing a 'run-as' username and password:
```
az vm run-command create --name "myRunCommand" --vm-name "testvm" --resource-group "TestGroup" --script "Write-Host Hello World!" --run-as-password "" --run-as-user ""
```
The following is the result (truncated) after running az vm run-command show:
```json
{
  "executionMessage": "Script cannot be executed with specified runAsUser/runAsPassword parameters",
  "executionState": "Failed"
}
```
To Reproduce
As above. I have tried with AADDS domain user/pwd combo, as well as local username/pwd combo. Neither worked (both on Windows Server 2016 VM, both in local admin user group, with and without log on as batch job rights).
Expected behavior
I would expect to provide run-as username/password and for the command to run OK, as long as those users have the appropriate access rights.
Environment summary
Windows 10 21H2
Invoked Az CLI through Powershell 7.2.5
Installed via choco
Az version =
```json
{
  "azure-cli": "2.39.0",
  "azure-cli-core": "2.39.0",
  "azure-cli-telemetry": "1.0.6",
  "extensions": {
    "aks-preview": "0.5.87",
    "automation": "0.1.1",
    "azure-devops": "0.25.0",
    "connectedk8s": "1.2.9",
    "containerapp": "0.3.7",
    "resource-graph": "2.1.0"
  }
}
```
Windows-10-10.0.19044-SP0
Python 3.10.5
Installer: MSI
azure-cli 2.39.0
Extensions:
aks-preview 0.5.87
automation 0.1.1
azure-devops 0.25.0
connectedk8s 1.2.9
containerapp 0.3.7
resource-graph 2.1.0
Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1
@malchowc and @v-fearam FYI in case it is still affecting you guys as well
@zhoxing-ms for awareness
As I mentioned earlier, this should be a service-related issue https://github.com/Azure/azure-cli/issues/21602#issuecomment-1067476038. Therefore, service team needs to help investigate it first
Thank you for your feedback. This has been routed to the support team for assistance.
@zhoxing-ms - Thanks, hopefully the service team can investigate this issue
@yonzhan @zhoxing-ms - Do we have any ETA from the service team as to when they may be able to assist with resolving this?
@D1v38om83r Could you please help take a look at this issue?
I'd like to add that this is affecting the Bicep use of the runCommand template as well. I'd also like to point out that the error is in the Status folder ("C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandHandlerWindows\2.0.3\Status\runCommand-dev99-ras.0.status") ... not in the error blob as would be expected.
@zhoxing-ms @BCOps, Run As is not working as expected in Production (it is a bug) as of now for Managed Run Command (Preview). We have plans to fix it before we take Run Command to GA. Tentative ETA is 10/31.
@vivlingaiah - I see that this didn't get released in the 2.42.0 release on 1st November. Do you have an updated ETA/target release version for this fix to unblock the issue?
For me this is still not working, when providing a different --run-as-user with a --run-as-password the script doesn't get executed, no errors or anything. Please fix this!
@vivlingaiah Could you please help confirm the progress of resolving this service issue?
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Drewm3, @TravisCragg-MSFT, @nikhilpatel909, @sandeepraichura, @hilaryw29, @GabstaMSFT, @ramankumarlive, @ushnaarshadkhan.
Issue Details
| Author: | BCOps |
|---|---|
| Assignees: | zhoxing-ms |
| Labels: | |
| Milestone: | Backlog |
Hi, the message "Script cannot be executed with specified runAsUser/runAsPassword parameters" is thrown when the run-as user name and run-as password are not valid to kick off the process to run the script using powershell.exe. Does the user have access to run powershell.exe or any other executables involved and resources accessed?
```csharp
catch (System.ComponentModel.Win32Exception)
{
    // This exception happens when the user/password for process startup is not valid
    handlerStatus.RunCommandInstanceView.executionMessage = "Script cannot be executed with specified runAsUser/runAsPassword parameters";
    exitCode = Constants.ExitCode_BadConfig;
}
```
The below is the minimum requirement for Run As: For RunAs to work properly, contact admin of VM and make sure user is added on the VM, user has access to resources accessed by the Run Command (Directories, Files, Network etc.), and 'Secondary Logon' service is running on the VM. Refer: https://aka.ms/RunCommandManagedWindows
Also note, currently Output from Run As execution is not available yet for Windows machines. It should be fixed by end of June as part of new release.
Please refer to the incident below: Incident 405371961: Set-AzVMRunCommand with RunAsUser and RunAsPassword is not working (specific case)
Does your script have attributes at the top like [CmdletBinding()], validation and Mandatory attributes? They seem to cause issues while using Run As. Could you simplify the script like the example below and give it a try?
```powershell
param(
    [string] $p1,
    [string] $p2
)

Write-Host $p1
Write-Host $p2
```
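Added example (not part of the thread and not the Run Command handler's code): a pre-flight check to run in an elevated PowerShell session on the VM that tests the prerequisites listed in the comment above, then tries to start powershell.exe under the run-as credentials and reports the native Win32 error if that fails. The function name `Test-RunAsPrerequisite`, its parameters, and the use of .NET `Process.Start` to reproduce the launch are assumptions; it checks local accounts only, not AADDS domain users.

```powershell
# Added example; function name and parameters are hypothetical.
function Test-RunAsPrerequisite {
    param(
        [Parameter(Mandatory)] [string] $UserName,       # local account name, no domain prefix
        [Parameter(Mandatory)] [securestring] $Password
    )
    $result = [ordered]@{
        SecondaryLogonRunning = $false
        LocalUserEnabled      = $false
        ProcessStart          = 'NotTried'
    }

    # 1. The 'Secondary Logon' service (service name: seclogon) must be running.
    $svc = Get-Service -Name seclogon -ErrorAction SilentlyContinue
    $result.SecondaryLogonRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # 2. The account must exist on the VM and be enabled.
    $user = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
    $result.LocalUserEnabled = ($null -ne $user -and $user.Enabled)

    # 3. Start powershell.exe under the supplied credentials.
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName         = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    $psi.Arguments        = '-NoProfile -NonInteractive -Command "exit 0"'
    $psi.UserName         = $UserName
    $psi.Password         = $Password
    $psi.UseShellExecute  = $false    # required when UserName/Password are set
    $psi.CreateNoWindow   = $true
    # Use a directory every user can read; an inaccessible working directory also fails the start.
    $psi.WorkingDirectory = "$env:SystemRoot\System32"
    try {
        $proc = [System.Diagnostics.Process]::Start($psi)
        $proc.WaitForExit()
        $result.ProcessStart = "Started, exit code $($proc.ExitCode)"
    }
    catch [System.ComponentModel.Win32Exception] {
        # Same exception type as in the catch block quoted in the comment above.
        $ex = $_.Exception.GetBaseException()
        $result.ProcessStart = "Win32Exception $($ex.NativeErrorCode): $($ex.Message)"
    }
    [pscustomobject]$result
}

# Usage (constructed account name); Read-Host keeps the password out of command history:
# Test-RunAsPrerequisite -UserName 'svc-runcmd' -Password (Read-Host -AsSecureString 'Password')
```

The native error code in `ProcessStart` separates a bad user name or password from other startup failures, which the single executionMessage string does not.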
@vivlingaiah how are we supposed to view this incident when it's a Microsoft internal link?
Hi @wi5nia, You don't need to open the incident. The other part of the response still holds good.
@wi5nia please confirm it's working for you so we can close the issue
Yes, you can close the issue