azure-devops-cli-extension
azure-devops-cli-extension copied to clipboard
Azure
Logging in to the Azure CLI does not provide access to `az devops` commands as expected
Logging in to the Azure CLI does not provide access to az devops commands as expected
Command Name
az devops project list
(Extension Name: azure-devops. Version: 0.23.0.)
Errors:
Before you can run Azure DevOps commands, you need to run the login command(az login if using AAD/MSA identity else az devops login if using PAT token) to setup credentials. Please see https://aka.ms/azure-devops-cli-auth for more information.
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
- Log into the Azure cli using
az login az devops project list
Expected Behavior
A list of projects in my devops organizations should be presented.
Environment Summary
Windows-10-10.0.22000-SP0
Python 3.8.9
Installer: MSI
azure-cli 2.34.1
Extensions:
azure-devops 0.23.0
Dependencies:
msal 1.16.0
azure-mgmt-resource 20.0.0
Additional Context
The link in the error message does not provide further information on using az login for using AAD/MSA identity.
I've had similar issues.
One cause for this is https://github.com/Azure/azure-devops-cli-extension/blob/master/azure-devops/azext_devops/dev/common/services.py#L165 hiding issues with token fetch. Exceptions are logged only with debug level.
Other minor issue with the selection of default subscription. The code does not work ATM at all. PR coming soon.
If i remember correctly using az login --tenant <guid> should fix most of the issues:
- makes sure you are have tokens for tenant you want to use
- goes through MFA if needed
Extension tries tenant of the selected subscription first. That should decrease the amount of login issues. Sadly that feature does not work and looks like nobody works with PRs. Might be better using other tools for scripting.
other work: ticket about the state of the tooling: https://developercommunity.visualstudio.com/t/The-current-state-and-the-future-of-Az-C/10145300
Alternative tools:
- https://github.com/MethodsAndPractices/vsteam
- https://github.com/igoravl/TfsCmdlets
Hi @mdekrey, Please find the below analysis for az login and az devops project list
- az login : it will check for active subscriptions on portal.azure.com for your tenant. if you don't have the subscriptions / subscriptions expired, you need to provide PAT token to run the az devops commands. (az devops login)
- az devops project list : Please provide PAT token then you can see the project list.
If i remember correctly using
az login --tenant <guid>should fix most of the issues:
- makes sure you are have tokens for tenant you want to use
- goes through MFA if needed
Extension tries tenant of the selected subscription first. That should decrease the amount of login issues. Sadly that feature does not work and looks like nobody works with PRs. Might be better using other tools for scripting.
other work: ticket about the state of the tooling: https://developercommunity.visualstudio.com/t/The-current-state-and-the-future-of-Az-C/10145300
Alternative tools:
- https://github.com/MethodsAndPractices/vsteam
- https://github.com/igoravl/TfsCmdlets
does not work for me
Hi @mdekrey, Please find the below analysis for az login and az devops project list
- az login : it will check for active subscriptions on portal.azure.com for your tenant. if you don't have the subscriptions / subscriptions expired, you need to provide PAT token to run the az devops commands. (az devops login)
- az devops project list : Please provide PAT token then you can see the project list.
Not really true
- AZ CLI does not use Azure portal
- AZ ADO extension (does/)should not use subscription information by default a. Subscription information is only used if e.g. adding service connection to subscription
- Azure Devops can be used without subscriptions
a. That kind of limitation would not make any sense. It would block all workload that are not specific for Azure workloads
b.
az login --allow-no-subscriptions- this will create dummy subscription on AZ CLI internal data structures
Current AAD token authentication in this extension is really buggy by hiding information and error from user and should be rewritten. (Issue describing the problems coming soon)
@mdekrey, we recently started working on the CLI service and we have checked the code if you have Azure active Directory/Microsoft account (AAD/MSA) you can see the "az devops project list" output by using "az login" otherwise you need to use "az devops login" (provide PAT) to see the "az devops project list".
Updating Azure CLI fixes the problem. Run: "az upgrade"
Which version you updated from?
0.22.0 has some fixes but it was released over years ago.
Extension authentication is buggy(1)(2) and badly documented:
- does not mention you need to use
az login --tenant <guid>with B2B guest accounts - does not mention that running
az account set -n <subscription>would make auth process faster and increases possibility that authentication will actually work: requires release with b3d0392d597a2
(1) https://github.com/Azure/azure-devops-cli-extension/commit/b3d0392d597a2eae5229e96059359d00fbb2e222 no new release after the commit (2) https://github.com/Azure/azure-devops-cli-extension/issues/1298
Updating Azure CLI fixes the problem. Run: "az upgrade"
Which version you updated from?
0.22.0 has some fixes but it was released over years ago.
Extension authentication is buggy(1)(2) and badly documented:
- does not mention you need to use
az login --tenant <guid>with B2B guest accounts- does not mention that running
az account set -n <subscription>would make auth process faster and increases possibility that authentication will actually work: requires release with b3d0392(1) b3d0392 no new release after the commit (2) #1298
I'm sorry but that information is gone... But I'm guessing that I have been running on the same version for some years now. But did now setup the option of auto-upgrade that the upgrade hinted about so now I will stay up-to-date :-)