serverless-azure-functions

"The access token is from the wrong issuer" error

Open medikoo opened this issue 5 years ago • 10 comments

I was trying to deploy service, I was successfully deploying a week ago, but now after re-login to Azure (and applying workaround for #250) it crashes for me with:

Error --------------------------------------------------
 
  Error: The access token is from the wrong issuer 'https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/'. It must match the tenant 'https://sts.windows.net/300fcec5-c972-4d1d-ba67-72e81a4ff23e/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/300fcec5-c972-4d1d-ba67-72e81a4ff23e' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.
      at new RestError (/Users/medikoo/npm-packages/serverless-azure-functions/node_modules/@azure/ms-rest-js/lib/restError.ts:18:5)
      at /Users/medikoo/npm-packages/serverless-azure-functions/node_modules/@azure/ms-rest-js/lib/policies/deserializationPolicy.ts:117:27
      at processTicksAndRejections (internal/process/task_queues.js:85:5)
      at ResourceService.deployResourceGroup (/Users/medikoo/npm-packages/serverless-azure-functions/lib/services/resourceService.js:111:12)
      at AzureDeployPlugin.deploy (/Users/medikoo/npm-packages/serverless-azure-functions/lib/plugins/deploy/azureDeployPlugin.js:102:5)

medikoo (Aug 29 '19 08:08)

This seems like an Azure issue... Did your subscription change somehow? Maybe flipped from Free Trial to Pay-as-you-go?

tbarlow12 (Aug 29 '19 14:08)

Did your subscription change somehow? Maybe flipped from Free Trial to Pay-as-you-go?

It's Pay-as-you-go, same as it was when it worked for me.

I've also run az login and az ad sp create-for-rbac --name medikoo to refresh things (and updated the env var with the new password), but it didn't help.

medikoo (Aug 29 '19 14:08)

I experienced something similar (first time trying the serverless framework with my Azure subscription). Note: I have an active PAYG subscription (previously I had a Free subscription that expired). If I have no subscriptionId in my serverless.yml then "sls deploy" seems to pick up the Free subscription: Error: Authentication returned an empty list of subscriptions

If I explicitly set the subscriptionId (to the active PAYG sub) I get the error posted by @medikoo above.

Note: the service principal approach setting environment variables as described under 'Advanced Authentication' in the readme works.

nkelly75 (Nov 21 '19 12:11)

Any solution for this?

amit12cool (Nov 03 '21 14:11)

Hey, I know this is an old issue but I'm stuck on it as well. How can I get serverless to reset the Azure credentials? It doesn't appear to be using the credentials that I set via az login. Also, how can I force SLS to use the --tenantId=<id> flag when logging in?

LukePammant (Feb 02 '22 06:02)

I'll answer my own question above after I did some digging:

The problem:

When you first run sls deploy it will perform an interactive authentication against Azure even if you have already performed an az login. The problem is that you cannot select the tenant that you want to issue an access token for. serverless will then cache your Azure credentials in ~/.azure/slsTokenCache.json and not ask you to log in again.

The quick (hacky) fix:

If you are able to successfully login via az login you can copy your correct access token from the file ~/.azure/accessTokens.json and overwrite the entry in the ~/.azure/slsTokenCache.json.

You can verify that you have the correct access token for the tenant in one of two ways:

  1. The tenantId will be at the end of the _authority property in the accessTokens.json file.
    • i.e. "_authority": "https://login.microsoftonline.com/b0142f8e-51df-4058-9d63-4919e1b1d46d"
  2. If the tenantId isn't in the _authority you can copy the accessToken property into a JWT parser like https://jwt.io and see the "tid" value of the access token. This is the tenantId.

Once I overwrote the entry in the slsTokenCache.json with the one from the accessTokens.json I was able to deploy successfully.

LukePammant (Feb 02 '22 19:02)

I have the same issue and am unable to fix it. I am able to log in with az login but unable to see a file like ~/.azure/accessTokens.json. I do have ~/.azure/msal_token_cache.json. Any other hacks?

jinman (Feb 05 '22 08:02)

I also didn't have ~/.azure/accessTokens.json but had ~/.azure/msal_token_cache.json. Replacing the entry in slsTokenCache.json with the token from msal_token_cache.json worked for me.

2usatish (Mar 30 '22 04:03)