After a recent password change, I've been unable to perform "terraform plan" operations (or anything else that requires authentication to our Azure subscriptions. I actually suspect that this is more-properly an Azure AD issue, but decided to ask in the Terraform area first on the off chance someone else has encountered this (Googled multiple variations, but nothing definitive for the Powershell case)
The error message is:
│ Error: building account: getting authenticated object ID: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1: ERROR: AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-09-20T19:11:35.3441875Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-10-11T21:32:17.0000000Z'.
│ Trace ID: <GUID>
│ Correlation ID: <GUID>
│ Timestamp: 2021-10-11 23:41:09Z
│ To re-authenticate, please run:
│ az login --scope https://graph.windows.net//.default
│
│ with module.policyset_definitions.provider["registry.terraform.io/hashicorp/azurerm"],
│ on modules\policyset-definitions\main.tf line 1, in provider "azurerm":
│ 1: provider "azurerm" {
The Trace, Correlation, and Timestamps vary, of course, by attempt.
I've attempted:
Clear-AzContext
Clear-AzDefault
exit Powershell
(even rebooted, since this has occurred over several days now and I shut down after work) then log in again.
I've also tried:
$c = Get-AzContext
Remove-AzContext -InputObject $c
The closest Powershell equivalent to Azure Shell "az login --scope https://graph.windows.net//.default" appears to be:
Connect-AzAccount -AuthScope https://management.azure.com/
That didn't change anything about the error- still occurs, still reports same time that the token was last issued.
Since the problem appears to be with my token and the grants associated with it, I decided to attempt to force a refresh of the grants by doing:
Connect-AzureAD
Get-AzureADUser -SearchString "<AzureADEmailAccount>"
Revoke-AzureADUserAllRefreshToken -ObjectId <GUID>
The results are one of the reasons I suspect this is an AAD problem, not Terraform; the error message didn't change, but the time reported in "grant was issued on" changed from the time I changed my password to the time I ran Revoke-AzureADUserAllRefreshToken.
Any suggestions? I'm also going to try to reach out to Microsoft, but wanted to start here for a publicly-available answer.
I was never able to get the Token refreshed from Powershell.
At the suggestion of MS Support, I installed the Azure CLI (had to beg hard to get the admin permissions to do so, that's the reason I hadn't tried that previously) so I could do the following:
az login --use-device-code
That resolved the issue.
Related
I am trying to create an aks cluster with Terraform. Here are the config files for the same. Validation went well. But plan gives the following error.
Got some experience with Terraform as well as azure and aks, but not with Azure Ad. So enlighten whats going wrong.
Looked into this so question and this one as well, but no clue.
Error: building account: getting authenticated object ID: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: AADSTS50076: Due to
a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.
│ Trace ID: 3391ac9b-4e8d-43a3-88f5-0cb1093a2d00
│ Correlation ID: fe984fa6-71ff-42d6-b487-7b988a7e1dd6
│ Timestamp: 2022-08-23 13:39:59Z
│ To re-authenticate, please run:
│ az login --scope https://graph.microsoft.com//.default
│
│ with provider["registry.terraform.io/hashicorp/azurerm"],
│ on tf1-provider.tf line 48, in provider "azurerm":
│ 48: provider "azurerm" {
az login is already done (below, ids removed).
Update
It turns out its something to do with az auth. When I ran
az ad sp list --all
I got exactly the same message.
Then I ran
az login --scope https://graph.microsoft.com//.default
as suggested. Then it asked me to run
az login --tenant <tenantId>
And this time it logged me in after two factor(mobile OTP). Then finally this error went away.
Did not understand fully, but thats how I resolved it for now.
The Azure AD error AADSTS50076 is thrown whenever MFA is required. In order to prompt MFA you need to re-authenticate interactively which is what you just did.
If you were not facing this issue before it's because MFA was not enabled or was not required but now it is. You will need to reach the a tenant admin to get more information about such setup.
For more information about Azure AD errors take a look to Azure AD Authentication and authorization error codes.
I am following the instructions on http://beta.appinventor.mit.edu/learn/reference/other/tinywebdb.html , trying to create a custom TinyWebDB for a grade 10 class I teach. After creating a new Project (the instructions say create an Application, but I only see a Create a new project button), I change the project name in the local file app.yaml file, load it in, and click on Deploy. I get the following error message:
Starting update of app: npicswebdb, version: 1
01:35 PM Getting current resource limits.
2016-03-09 13:35:26,727 ERROR appcfg.py:2396 An error occurred processing file '': HTTP Error 403: Forbidden Unexpected HTTP status 403. Aborting.
Error 403: --- begin server output ---
You do not have permission to modify this app (app_id=u's~npicswebdb').
--- end server output ---
2016-03-09 13:35:26 (Process exited with code 1)
Is there some way I need to log in to the App Engine Launcher so it connects with my App Engine in the cloud? There is nothing in the instructions about doing that, and I don't see any way to do that in the launcher.
Thanks for your help.
Try adding "--no_cookies":
appcfg.py -A projectname update app.yaml --no_cookies
Delete cookie file something like this: ~/.appcfg_oauth2_tokens_java.
Re-run your command, it will prompt to login from browser and copy-paste a token back to the terminal.
Similar to the other answers. I run into the same issue and removing those stored credentials helped me, i.e:
rm ~/.appcfg_oauth2_tokens_java
rm ~/.appcfg_cookies
Found more details here: IT Code Hub - AppEngine deployment
This has worked for years. Today is not working.
Running appcfg.py download_data --flags..., and cannot get properly authorized.
Ran gcloud auth login
and got back:
Saved Application Default Credentials.
You are now logged in as [correct#gmail.com].
Your current project is [correct].
but when I run appcfg.py download_data ... I get this error:
raise ApplicationDefaultCredentialsError(ADC_HELP_MSG)
oauth2client.client.ApplicationDefaultCredentialsError: The
Application Default Credentials are not available. They are available if
running in Google Compute Engine. Otherwise, the environment variable
GOOGLE_APPLICATION_CREDENTIALS must be defined pointing to a file
defining the credentials. See
https://developers.google.com/accounts/docs/application-default
credentials for more information.
I updated the Google Cloud SDK, and now get a different error:
client.py:539 Attempting refresh to obtain initial access_token
client.py:797 Refreshing access_token
Error 302: --- begin server output ---
--- end server output ---
I have also set the credentials in Terminal:
set GOOGLE_APPLICATION_CREDENTIALS "https://www.myurl/credentials.json"
set CLOUDSDK_PYTHON_SITEPACKAGES 1
gcloud config set project "correct_project_name"
I have also tried setting the env_variable flag in the appcfg command:
--env_variable=GOOGLE_APPLICATION_CREDENTIALS:"https://www.myurl/credentials.json"
Seems to be a GAE bug. Removing the login:admin from the remote_api handler in app.yaml fixes it in production, but not local dev server. The 302 was telling me that the app was trying to redirect, perhaps to a Google login page. Was never seeing the prompt asking for email and password.
handlers:
- url: /remote_api
script: google.appengine.ext.remote_api.handler.application
#login: admin <-- removing admin fixes it in production
secure: always
On the dev server, removing the admin login yields this:
client.py:797 Refreshing access_token
Error 401: --- begin server output ---
You must be logged in as an administrator to access this.
--- end server output ---
Did Google change something in the --oauth2 workflow? I appear to be authorized, but the download crashes at the auth step.
Thanks.
Seems to be a bug in GoogleAppEngineLauncher-1.9.27, where it does not allow a login prompt. When reverting back to 1.9.26, it works. Interestingly, my gcloud components still have the 1.9.27 version:
>$ gcloud version
Google Cloud SDK 0.9.83
alpha 2015.10.08
app 2015.10.16
app-engine-python 1.9.27
beta 2015.10.08
core 2015.10.16
core-nix 2015.09.03
gcloud 2015.10.16
temporary solution: go to https://console.developers.google.com/storage/browser/appengine-sdks/featured/ to get version 1.9.26
Submitted bug report: https://code.google.com/p/google-cloud-sdk/issues/detail?id=340
I've download google app engine (python) for windows and install it. Then I went to console.developers.google.com/project and create new project. After that, I launched google app engine launcher, create new application and named it as project I have recently create. I click on deploy and constantly getting this error:
03:35 PM Application: udacity-hello-pozdrav; version: 1
03:35 PM Host: appengine.google.com
03:35 PM
Starting update of app: udacity-hello-pozdrav, version: 1
03:35 PM Getting current resource limits.
Password for t******.****#gmail.com: Invalid username or password.
2014-09-06 15:35:56,690 ERROR appcfg.py:2411 An error occurred processing file '': HTTP Error 401: Unauthorized. Aborting.
Error 401: --- begin server output ---
Must authenticate first.
--- end server output ---
2014-09-06 15:35:56 (Process exited with code 1)
You can close this window now.
I've read about appcfg.py but when I enter it in cmd, It says that it's not recognized.
Would be much better if you will use appcfg.py with --oauth2 flag.
Like appcfg.py --oauth2 update /path/to/your/app.
For the first time you will see the browser window where you'll need to allow access to your account. Then you can deploy without entering any credentials and without confirmations. This will work even with 2-step authentication turned on.
The "Invalid username or password" error is due to Google security protection. To overcome this error message and be able to deploy from the Launcher, go to your Google Account Settings, then enable "Access for Less Secure Apps" under Security Check Up.
I am attempting to get up and running with Google Compute Engine and am following the getting started/hello world tutorial. After installing gcutil (running OSx) and Authenticating to Google Compute Engine the instruction is to pass the following command
$ gcutil getproject --project=<project-id> --cache_flag_values
However the following error message is returned
Error: The resource 'projects/<project-id>' was not found
Where project-id is the id of the project authenticated earlier. If I then try to execute any of the following commands in the tutorial (but including the project-id because cashing the value failed) e.g.
$ gcutil addfirewall http2 --project=<project-id> --description="Incoming http allowed." --allowed="tcp:http"
The same error gets returned.
I am working in the $HOME directory (the same directory that contains the gcutil-1.8.0 folder).
Could someone please tell me why I'm getting the projects not found error, and if possible how to overcome it?
Visit your project's "Compute Engine" page once, then run the command again:
$ gcutil getproject --project=<project-id> --cache_flag_values
for me. it works.
You must first enable billing in order to use Compute Engine.
https://console.developers.google.com/billing
Often you'll see this error when there is an authentication/authorization failure.
Make sure you ensure that the user account gcutil is authorized as matches a user account listed in the teams section of the (Cloud Console)[https://cloud.google.com/console]. You can find that under the gear icon in the upper right corner.
To confirm which account is being used by gcutil, run the following command:
$ gcutil auth --confirm_email --just_check_auth
INFO: Authorization succeeded for user xxx#xxx.com
If you find that you are authorized under the wrong account (multiple personas in chrome, for example) you can reauthorize gcutil with:
$ gcutil auth
Make sure that you follow this link in the right browser tab/context.
You can Used Two Steps:
Step 1: You will enable billing in order to use Compute Engine.
Step 2: And visit your project's Compute Engine page once, then run the command again.
it works Fine for me.