Azure
Could not retrieve acr build's upload URL
I got an error when I run draft up with ACR builder. Console logs are like following.
$ az login
Cloud Shell is automatically authenticated under the initial account signed-in with. Run 'az login' only if you need to use a different account
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code {xxxxxxx} to authenticate.
[
{
"cloudName": "AzureCloud",
"id": "2fbbc791-6b0d-4d1a-aabf-{aaaaaaaaaaaa}",
"isDefault": false,
"name": "\u7121\u6599\u8a66\u7528\u7248",
"state": "Enabled",
"tenantId": "2c606659-30f9-4cb1-aa65-{xxxxxxxxxxxx}",
"user": {
"name": "[email protected]",
"type": "user"
}
},
{
"cloudName": "AzureCloud",
"id": "e000d296-c414-4552-a6b1-{bbbbbbbbbbbb}",
"isDefault": true,
"name": "Microsoft Azure Sponsorship",
"state": "Enabled",
"tenantId": "2c606659-30f9-4cb1-aa65-{xxxxxxxxxxxx}",
"user": {
"name": "[email protected]",
"type": "user"
}
}
]
$ draft up
Draft Up Started: 'neutrino': 01CKCWE0RXXYQVS0GF4DSWK4FR
neutrino: Building Docker Image: FAIL ❌ (1.0003s)
Inspect the logs with `draft logs 01CKCWE0RXXYQVS0GF4DSWK4FR`
$ draft logs 01CKCWE0RXXYQVS0GF4DSWK4FR
2018/07/27 03:27:38 error while building: Could not retrieve acr build's upload URL: containerregistry.RegistriesClient#GetBuildSourceUploadURL: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="InvalidAuthenticationTokenTenant" Message="The access token is from the wrong issuer 'https://sts.windows.net/ac86c139-a432-4110-9521-{yyyyyyyyyyyy}/'. It must match the tenant 'https://sts.windows.net/2c606659-30f9-4cb1-aa65-{xxxxxxxxxxxx}/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/2c606659-30f9-4cb1-aa65-{xxxxxxxxxxxx}' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you justtransferred your subscription and see this error message, please try back later."
$ jq '.[] | { "_authority": ._authority }' < /tmp/accessTokens.json
{
"_authority": "https://login.microsoftonline.com/common"
}
{
"_authority": "https://login.microsoftonline.com/ac86c139-a432-4110-9521-{yyyyyyyyyyyy}"
}
{
"_authority": "https://login.microsoftonline.com/2c606659-30f9-4cb1-aa65-{xxxxxxxxxxxx}"
}
It seems Draft picks up wrong authority.
It works well after deleting the object that have "https://login.microsoftonline.com/ac86c139-a432-4110-9521-{yyyyyyyyyyyy}" as _authority.
My account shares my company's subscription. I suspect it is a one of the reason causing this issue.
Just for reference, which account is considered the "default" when running az account list -o table? Using the Azure SDK for Go we are trying to pull the default subscription from the account, but if we're pulling the wrong account info then we should take a closer look.
The result of az account list -o table is.
A few accounts are skipped as they don't have 'Enabled' state. Use '--all' to display them.
Name CloudName SubscriptionId State IsDefault
--------------------------- ----------- ------------------------------------ ------- -----------
Microsoft Azure Sponsorship AzureCloud e000d296-c414-4552-a6b1-{bbbbbbbbbbbb} Enabled True
Tips: Run echo '[' $(az account get-access-token) ']' > /tmp/accessTokens.json after running az login.
Only one access token is overridden and I can run draft up without editing accessTokens.json file.