OIDC login to US Gov Cloud fails when AzPSSession is enabled

[ty-whit-2]

I am opening this ticket to combine the requests of a couple of previously closed tickets.

The first issue #248 was raised over a year ago reporting the exact same behavior as what I am seeing currently. Specifically, I am attempting to log in a federated credential on a user-managed identity. I'm getting the same set of errors shown in the screenshot on that image. Specifically

Issue #248 was closed because this action did not support OIDC login to Government clouds at that time. However, pull request #321 has since resolved that incompatibility.

The second issue is #298, which was closed in May of this year due to pr #321 being merged. However, as was called out by @danelson after #298 was closed, pr #321 does not add support for OIDC login with enable-AzPSSession: true. I can confirm #321 does seem to log in when enable-AzPSSession: false or left at default when using the same credentials.

Workflow code:

name: Test Azure powershell login with OIDC

on:
  workflow_dispatch:

permissions:
  id-token: write
  contents: read

jobs:
  test-oidc-login-ps:
    runs-on: ubuntu-latest
    environment: beta # valid environment
    steps:
    - name: OIDC Login to Azure
      uses: azure/login@v1 
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
        environment: 'AzureUSGovernment'
        enable-AzPSSession: true # works if this is not included     

[YanaXu]

Hi @TylerWhitaker-USDA ,

Let me confirm your issue. It only happens when login with OIDC (with user-assigned managed identity) and

• environment: 'AzureUSGovernment'
• enable-AzPSSession: true

Is it correct?

[ty-whit-2]

I have not had the chance to do extensive testing on other configurations. I have only had the chance to test OIDC and 'AzureUSGovernment' as a constant while varying enable-AzPSSession. While 'true', login fails. While 'false', login succeeds.

[danelson]

I can also confirm that behavior. @TylerWhitaker-USDA I don't know if it helps you but as a workaround I am doing the following (note the Get sp secret step is untested because I do this in an internal action). Since I use user/password auth in other places this allows me to remove the need to store the credential in a github secret.

login:
    runs-on: ubuntu-latest
    environment: my_environment
    steps:
      - uses: azure/login@v1
        with:
          client-id: ${{ vars.SP_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          allow-no-subscriptions: true
          environment: ${{ vars.AZURE_ENVIRONMENT }}

      # https://github.com/Azure/get-keyvault-secrets/issues/33#issuecomment-1219146161
      - name: Get sp secret
        id: keyvault
        run: |
          value=$(az keyvault secret show --name sp-secret --vault-name ${{ vars.KEY_VAULT }} --query value --output tsv)
          echo "::add-mask::$value"
          echo "::set-output name=sp-secret::$value"
    
      - uses: azure/login@v1
        with:
          creds: |
            {
              "clientId": "${{ vars.SP_CLIENT_ID }}",
              "clientSecret": "${{ steps.keyvault.outputs.sp-secret}}",
              "subscriptionId": "${{ vars.AZURE_SUBSCRIPTION_ID }}",
              "tenantId": "${{ vars.AZURE_TENANT_ID }}"
            }
          environment: ${{ vars.AZURE_ENVIRONMENT }}
          enable-AzPSSession: true

[YanaXu]

Hi @TylerWhitaker-USDA , I don't have an account for US Gov Cloud. Could you help me run the test workflow file and copy the output debug log to me?

@danelson I saw your workflow file is without subscription id but it's similar. Could you update my test workflow file accordingly and copy your output to me too?

name: Test OIDC
on: [push, workflow_dispatch]

permissions:
  id-token: write
  contents: read

jobs: 
  test-oidc:
    runs-on: ubuntu-latest
    steps:

    - name: GetToken
      uses: actions/github-script@v3
      with:
        script: |
          const idToken = await core.getIDToken('api://AzureADTokenExchange')
          core.exportVariable('idToken', idToken)

    - name: Run Azure PowerShell
      uses: azure/powershell@v1.3.0
      env:
        AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
        AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
        AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      with:
        azPSVersion: "latest"
        inlineScript: |
            $AZURE_TENANT_ID = $env:AZURE_TENANT_ID
            $AZURE_SUBSCRIPTION_ID = $env:AZURE_SUBSCRIPTION_ID
            $AZURE_CLIENT_ID = $env:AZURE_CLIENT_ID
            $idToken = $env:idToken
            
            Clear-AzContext -Scope Process
            Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
            
            Connect-AzAccount -ServicePrincipal -ApplicationId $AZURE_CLIENT_ID -Tenant $AZURE_TENANT_ID -FederatedToken $idToken -Environment 'AzureUSGovernment'
            Set-AzContext -SubscriptionId $AZURE_SUBSCRIPTION_ID -TenantId $AZURE_TENANT_ID
            
            Get-AzContext

[samanthawalter]

@YanaXu I was able to run your test script with some modifications (like installing the Az.Account module). It ran into the same error when executing Connect-AzAccount:

AADSTS900382: Confidential Client is not supported in Cross Cloud request. Trace ID: xxx Correlation ID: xxx Timestamp: 2023-11-29 21:16:03Z Could not find tenant id for provided tenant domain 'my-us-gov-azure-tenant-id'.

[YanaXu]

Hi @samanthawalter, could you share your workflow file and the debug log with me? Which step throws the error? GetToken or Run Azure PowerShell?

[tajatassi]

@YanaXu I ran the following script and ran into the same error as @samanthawalter

    - name: GetToken
      uses: actions/github-script@v3
      with:
        script: |
          const idToken = await core.getIDToken('api://AzureADTokenExchange')
          core.exportVariable('idToken', idToken)

    - name: Run Azure PowerShell
      uses: azure/powershell@v1.3.0
      env:
        AZURE_TENANT_ID: ${{ inputs.azure-tenant-id }}
        AZURE_SUBSCRIPTION_ID: ${{ inputs.azure-subscription-id }}
        AZURE_CLIENT_ID: ${{ inputs.azure-client-id }}
      with:
        azPSVersion: "latest"
        inlineScript: |
            $AZURE_TENANT_ID = $env:AZURE_TENANT_ID
            $AZURE_SUBSCRIPTION_ID = $env:AZURE_SUBSCRIPTION_ID
            $AZURE_CLIENT_ID = $env:AZURE_CLIENT_ID
            $idToken = $env:idToken
            
            Clear-AzContext -Scope Process
            Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
            
            Connect-AzAccount -ServicePrincipal -ApplicationId $AZURE_CLIENT_ID -Tenant $AZURE_TENANT_ID -FederatedToken $idToken -Environment 'AzureUSGovernment'
            Set-AzContext -SubscriptionId $AZURE_SUBSCRIPTION_ID -TenantId $AZURE_TENANT_ID
            
            Get-AzContext

It looks like it failed on the line
Connect-AzAccount -ServicePrincipal -ApplicationId $AZURE_CLIENT_ID -Tenant $AZURE_TENANT_ID -FederatedToken $idToken -Environment 'AzureUSGovernment'

Error Message:

Line |
  10 |  Connect-AzAccount -ServicePrincipal -ApplicationId $AZURE_CLIENT_ID - …
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | AADSTS900382: Confidential Client is not supported in Cross Cloud
     | request. Trace ID: {GUID} Correlation ID:
     | {GUID} Timestamp: {TS}
     | Could not find tenant id for provided tenant domain
     | '***'.

Here is the uploaded debug output:
DebugOutput.txt

[YanaXu]

Hi @tajatassi , thanks for your help. I've reported an issue in Azure PowerShell repo: [Az.Accounts] Connect-AzAccount -- Failed login to AzureUSGovernment with OIDC