Getting token from Cloud Shell intermittently fails with 400 Client Error: Bad Request #11749

Open
Kalyan-Alamuru opened this issue Jan 2, 2020 · 25 comments
Labels
Cloud Shell common issue customer-reported Issues that are reported by GitHub users external to the Azure organization. Graph az ad Service Attention This issue is responsible by Azure service team.

@Kalyan-Alamuru

I'm getting the following when I'm running the following command:

ARM_CLIENT_SECRET=$(az ad sp create-for-rbac \
  --name http://tf-sp-$UNIQUE_ID \
  --role Contributor \
  --scopes "/subscriptions/$ARM_SUBSCRIPTION_ID" \
  --query password \
  --output tsv)

Please note that I've stored the ARM Subscription ID successfully and ran the above command as part of creating the Service Principal.

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name
az ad sp create-for-rbac

Errors:

400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
Traceback (most recent call last):
python3.6/site-packages/knack/cli.py, ln 206, in invoke
    cmd_result = self.invocation.execute(args)
cli/core/commands/__init__.py, ln 608, in execute
    raise ex
cli/core/commands/__init__.py, ln 666, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
...
python3.6/site-packages/msrestazure/azure_active_directory.py, ln 486, in get_msi_token
    result.raise_for_status()
python3.6/site-packages/requests/models.py, ln 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Put any pre-requisite steps here...
  • az ad sp create-for-rbac --name {} --role {} --scopes {} --query {} --output {}

Expected Behavior

Environment Summary

Linux-4.15.0-1064-azure-x86_64-with-debian-stretch-sid
Python 3.6.5
Shell: bash

azure-cli 2.0.78

Additional Context

@bim-msft
Contributor

bim-msft commented Jan 3, 2020

@jiasli Please take a look.

@yonzhan yonzhan added this to the S165 milestone Jan 3, 2020
@jiasli
Member

jiasli commented Jan 3, 2020

This is a Cloud Shell issue. Could you run with --debug and share the output?

To get unblocked, please run az login and retry the command.

@Kalyan-Alamuru
Author

I reran the module again and it worked fine. The only difference this time is that I ran the Terraform Destroy command to delete the plan and then ran the az ad sp create command, and it worked fine. It doesn't really explain what happened!!!

@jiasli
Member

jiasli commented Jan 6, 2020

400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token is a known issue of Cloud Shell: it intermittently fails with this error.

Workarounds

There are 2 workarounds:

  1. Use Azure CLI on a local machine
  2. In Cloud Shell, run az login and retry the command
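
A guarded form of workaround 2, as an added example that is not part of the comment above or of the Azure CLI: a plain VAR=$(az ...) leaves the variable empty when the token request fails, so this wrapper checks stderr for the two error strings quoted in this issue before any value is used. The function names az_checked and is_msi_token_failure are hypothetical.

```shell
# Added example; not code from the Azure CLI project or from this thread.
# The two error strings below are the ones quoted in this issue.

# Return 0 if the given stderr text is the Cloud Shell token failure.
is_msi_token_failure() {
    printf '%s\n' "$1" | grep -Fq \
        -e 'Bad Request for url: http://localhost:50342/oauth2/token' \
        -e 'Failed to connect to MSI'
}

# az_checked ARGS...: run `az ARGS` and print its stdout only on success.
# Exit status: 0 = value printed, 2 = token failure from this issue
# (run `az login`, then retry), 1 = any other failure or empty output.
az_checked() {
    _errf=$(mktemp) || return 1
    if _out=$(az "$@" 2>"$_errf"); then _rc=0; else _rc=$?; fi
    _err=$(cat "$_errf"); rm -f "$_errf"
    if [ "$_rc" -ne 0 ]; then
        if is_msi_token_failure "$_err"; then
            echo "Token request to Cloud Shell failed (400)." >&2
            echo "Run 'az login', then retry the command." >&2
            return 2
        fi
        printf '%s\n' "$_err" >&2
        return 1
    fi
    # A zero exit with no output must not become an empty secret.
    [ -n "$_out" ] || { echo "az returned no value" >&2; return 1; }
    printf '%s\n' "$_out"
}

# Usage, with the arguments from the original report:
#   if ARM_CLIENT_SECRET=$(az_checked ad sp create-for-rbac \
#         --name "http://tf-sp-$UNIQUE_ID" --role Contributor \
#         --scopes "/subscriptions/$ARM_SUBSCRIPTION_ID" \
#         --query password --output tsv); then
#       export ARM_CLIENT_SECRET
#   fi
```

An exit status of 2 means the failure is the one tracked here rather than a problem with the command's arguments, and nothing is exported in that case.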

@jiasli jiasli closed this as completed Jan 6, 2020
@jiasli jiasli added the Service Attention This issue is responsible by Azure service team. label Apr 1, 2020
@jiasli jiasli reopened this Apr 1, 2020
@jiasli jiasli changed the title When Running ARM_CLIENT_SECRET command as part of Module Run Terraform by using remote state and principal Getting token from Cloud Shell intermittently fails with 400 Client Error: Bad Request Apr 1, 2020
@hubert-associates

> This is Cloud Shell issue. Could you run with --debug and share the output?
>
> To get unblocked, please run az login and retry the command.

This worked for me. Thanks.

@haitch
Member

haitch commented Jun 17, 2021

@jiasli this is still happening and hurts the AKS user experience, please prioritize and fix this issue.

@TannerSet

I am seeing this issue using CentOS with Azure CLI installed. Is there any progress here? Any direction I should be pointed in?

@jiasli
Member

jiasli commented Aug 27, 2021

@TannerSet,

  1. Are you using an Azure VM?
  2. Which command resulted in the error?
  3. Could you share the full error message?

Please create a new issue for us to track.

@giggio

giggio commented Dec 2, 2021

I'm also getting this error. For me, it was when I ran az storage blob generate-sas.
Running az login fixed it.
I'm on Windows Terminal connecting directly to the cloud shell.

@oguzhanf

oguzhanf commented Dec 8, 2021

I get the same error using Windows 11 - Windows Terminal, click on the drop-down to get to an Azure Cli instance. Following the device login page I'm able to work other commands but not the below:

az ad user create --display-name "..." --password "..." --user-principal-name "..."

Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned: <Response [400]>

@sherdana

sherdana commented Feb 7, 2022

Workaround doesn't work for me. Getting error while doing az login.
az login --debug
cli.knack.log: File logging enabled - writing logs to 'C:\Users\danasherman.azure\logs'.
cli.knack.cli: Command arguments: ['login', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x03D35148>, <function OutputProducer.on_global_arguments at 0x03FD0FA0>, <function CLIQuery.on_global_arguments at 0x03FF8B68>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: profile 0.007 2 9
cli.azure.cli.core: Total (1) 0.007 2 9
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 2 groups, 9 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : login
cli.azure.cli.core: Command table: login
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x042898E0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\danasherman.azure\commands\2022-02-07.06-24-26.login.35532.log'.
az_command_data_logger: command args: login --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x042F0340>, <function register_global_query_examples_argument..register_query_examples at 0x04352610>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x04352658>, <function register_cache_arguments..add_cache_arguments at 0x043526E8>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x03FE1028>, <function CLIQuery.handle_query_parameter at 0x03FF8BB0>, <function register_global_query_examples_argument..handle_example_parameter at 0x04352580>, <function register_ids_argument..parse_ids_arguments at 0x043526A0>]
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\danasherman\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.identity: _load_msal_http_cache: C:\Users\danasherman.azure\msal_http_cache.bin
cli.azure.cli.core.auth.identity: __load_msal_http_cache: C:\Users\danasherman.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/organizations/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantid}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/organizations/kerberos', 'tenant_region_scope': None, 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
cli.azure.cli.core.auth.identity: The default web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with az login --use-device-code.
msal.telemetry: Generate or reuse correlation_id: ecaf258a-fa40-4b39-92f9-c1a035e39be6
msal.oauth2cli.oauth2: Using http://localhost:59989 as redirect_uri
msal.oauth2cli.authcode: Abort by visit http://localhost:59989?error=abort
msal.oauth2cli.authcode: Open a browser on this device to visit: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=04b07795-8ddb-461a-bbee-02f9e1bf7b46&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A59989&scope=https%3A%2F%2Fmanagement.core.windows.net%2F%2F.default+offline_access+openid+profile&state=ipZGCVcmOjlvUzaL&code_challenge=KOEVToIH4MLf--YNJ4FMkWnn6pb8egGD1-Ceih3Ml9g&code_challenge_method=S256&nonce=0216694b50dfea1e46503f9febe19ad57c89d4b97c9dd066b37abfb853358a0b&client_info=1&prompt=select_account
msal.oauth2cli.authcode: code 400, message Bad request version ('localhost\x00\x17\x00\x00ÿ\x01\x00\x01\x00\x00')
msal.oauth2cli.authcode: code 400, message Bad request syntax ('\x16\x03\x01\x02\x00\x01\x00\x01ü\x03\x03Qé\x0f^')

@jiasli
Member

jiasli commented Feb 8, 2022

@sherdana, your message is corrupted. Also, you are not on Cloud Shell, but on a Windows machine. Please create a new issue with detailed information and the error message.

@sabbour

sabbour commented Oct 14, 2022

Running az login isn't an acceptable workaround. MSI login allows for elevated commands like "az ad app" which will be blocked otherwise.

malscent added a commit to malscent/marketplace that referenced this issue Oct 25, 2022
Per Azure/azure-cli#11749 it appears this is a known
issue and the only workaround is to attempt to login again.
@xfz11
Member

xfz11 commented Mar 17, 2023

This issue doesn't happen on Cloud Shell created by Azure Portal, but still exists on Cloud Shell created by the Doc site. Is there anyone who can connect the Cloud Shell team to investigate the issue?

@luiznazari

A similar error is occurring in the Microsoft Training lab Exercise - Configure a system-assigned managed identity for an Azure VM, first command.

@CornerstoneII

CornerstoneII commented Jan 3, 2024

> 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token is a known issue of Cloud Shell that it intermittently fails with this error.
>
> Workarounds
>
> There are 2 workarounds:
>
>   1. Use Azure CLI on a local machine
>   2. In Cloud Shell, run az login and retry the command

This workaround for cloud shell no longer works!!!
The only alternative would be from your local machine

Invoking az ad app permission grant --id 54e27600-df4f-4e97-96b1-6aab7c1e0189 --api 00000003-0000-0000-c000-000000000000 is needed to make the change effective
Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned: <Response [400]>

@MantisTree

MantisTree commented Aug 29, 2024

This is still an issue that crashed my deployment. Running the following command without az login:

az aks create --resource-group ClusterRG01 --name AKSCluster02 --node-count 2 --enable-addons monitoring --generate-ssh-keys

resulted in error:

Failed to connect to MSI. Please make sure MSI is configured correctly. Get Token request returned: <Response [400]>

But after running az login in Cloud Shell, retrying the same command (with cluster number increment) succeeded without any error.

EDIT: copy/pasted complete literal error
