AzureCLICredential Error on kubelogin v0.0.19 #123

Closed
cezapata opened this issue Aug 9, 2022 · 3 comments

cezapata commented Aug 9, 2022

I have an Azure DevOps pipeline that uses an AAD managed identity to work alongside kubelogin's AzureCLI non-interactive token login option.

An excerpt of how it is configured is:

        steps:
        - task: CmdLine@2
          displayName: 'Installs aks cli alongside kubelogin'
          inputs:
            script: 'az login --identity -u $(identity)'

        - task: CmdLine@2
          displayName: 'Installs aks cli alongside kubelogin'
          inputs:
            script: 'az aks install-cli'

        - task: CmdLine@2
          displayName: 'Gets AKS credentials and sets the k8s context'
          inputs:
            script: 'az aks get-credentials --name $(aksClusterName) --resource-group $(resourceGroupName) --overwrite-existing'

        - task: CmdLine@2
          displayName: 'Sets kubeconfig configuration'
          inputs:
            script: |
              export KUBECONFIG=~/.kube/config
              kubelogin convert-kubeconfig -l azurecli
              kubectl get no

Since version 0.0.19 came out, we have been getting an error: `AzureCLICredential: ERROR: Tenant shouldn't be specified for managed identity account`

```
2022-08-09T05:08:01.5080612Z ##[section]Starting: Sets kubeconfig configuration
2022-08-09T05:08:01.5090446Z ==============================================================================
2022-08-09T05:08:01.5090832Z Task         : Command line
2022-08-09T05:08:01.5091185Z Description  : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
2022-08-09T05:08:01.5091528Z Version      : 2.201.1
2022-08-09T05:08:01.5091767Z Author       : Microsoft Corporation
2022-08-09T05:08:01.5092149Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/command-line
2022-08-09T05:08:01.5092575Z ==============================================================================
2022-08-09T05:08:01.6777152Z Generating script.
2022-08-09T05:08:01.6816023Z ========================== Starting Command Output ===========================
2022-08-09T05:08:01.6833737Z [command]/usr/bin/bash --noprofile --norc /opt/azure-agent/_work/_temp/da2d9e71-87c6-4505-826a-43fc7118c2c1.sh
2022-08-09T05:08:02.3995748Z Error: failed to get token: expected an empty error but received: AzureCLICredential: ERROR: Tenant shouldn't be specified for managed identity account
2022-08-09T05:08:02.3996606Z 
2022-08-09T05:08:03.0337879Z Error: failed to get token: expected an empty error but received: AzureCLICredential: ERROR: Tenant shouldn't be specified for managed identity account
2022-08-09T05:08:03.0341832Z 
2022-08-09T05:08:03.5797207Z Error: failed to get token: expected an empty error but received: AzureCLICredential: ERROR: Tenant shouldn't be specified for managed identity account
2022-08-09T05:08:03.5798207Z 
2022-08-09T05:08:04.1139856Z Error: failed to get token: expected an empty error but received: AzureCLICredential: ERROR: Tenant shouldn't be specified for managed identity account
2022-08-09T05:08:04.1140417Z 
2022-08-09T05:08:04.7296711Z Error: failed to get token: expected an empty error but received: AzureCLICredential: ERROR: Tenant shouldn't be specified for managed identity account
2022-08-09T05:08:04.7324192Z 
2022-08-09T05:08:04.7325102Z Unable to connect to the server: getting credentials: exec: executable kubelogin failed with exit code 1
2022-08-09T05:08:04.7466262Z ##[error]Bash exited with code '1'.
2022-08-09T05:08:04.7594393Z ##[section]Finishing: Sets kubeconfig configuration
```

Because of the timing and the nature of the change, I suspect that this changed based on this PR: #122

To temporarily fix this, I have mended the `az aks install-cli` command, and I am fixing the version to the last working one for us: `--kubelogin-version v0.0.18`.

I would like to ask for help, a sample that could help me figure out how to get the login mechanism to work on latest. Thank you so much for your help!

weinong commented Aug 9, 2022

Since kubelogin has no knowledge of how Azure CLI is logged in, I think the solution is simply to disregard the tenant ID from the input kubeconfig during the conversion. If overriding the tenant ID for a different tenant is desired, add `--tenant-id` in conversion. For example:

```sh
az aks get-credentials -g ${RG} -n ${AKS} && kubelogin convert-kubeconfig -l azurecli --tenant-id ${TENANT_ID}
```

cc: @pearj about this change

pearj commented Aug 10, 2022

@weinong thanks for the heads up.
I guess a limitation of this new approach is that you need to run `convert-kubeconfig` after every `az aks get-credentials`, because if you run it at the end it will use the same tenantid for all clusters. I suppose an alternate solution could be a flag that just says to use the tenant id that is in kubeconfig. But this solution is fairly useable, so probably not worth the effort.

weinong commented Aug 10, 2022

fixed in v0.0.20

@weinong weinong closed this as completed Aug 10, 2022
bingosummer pushed a commit to bingosummer/kubelogin that referenced this issue Oct 3, 2022
…ure#124)

The change in v0.0.19 introduced passing the tenantID from the input kubeconfig to azurecli. This resulted in an error in azurecli when it's logged in using MSI, as MSI login does not support tenant ID. (Azure#123)

The change in this PR will disregard the tenant ID from the input kubeconfig when converting to azurecli. If overriding the tenant ID in azurecli mode is desired, add `--tenant-id` explicitly during conversion. For instance,
```sh
az aks get-credentials -g ${RG} -n ${AKS} && kubelogin convert-kubeconfig -l azurecli --tenant-id ${TENANT_ID}
```
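
The sequence weinong and pearj describe, written as an added example (not code from the kubelogin project or from the thread participants): each cluster is fetched and converted in turn, and `--tenant-id` is passed only when an override is wanted. The input line format, the `convert_clusters` name and the one-file-per-cluster layout are assumptions of this example, and it expects kubelogin v0.0.20 or later.

```shell
#!/bin/sh
# Added example; not kubelogin project code.
# stdin, one cluster per line (constructed format):
#   <resource-group> <cluster-name> <tenant-id or "-">
# "-" passes no --tenant-id, as a managed identity az login requires.

convert_clusters() {
  out_dir="$1"
  mkdir -p "$out_dir" || return 1
  while read -r rg name tenant; do
    case "$rg" in ''|'#'*) continue ;; esac   # skip blanks and comments
    file="$out_dir/$name.kubeconfig"

    # One kubeconfig file per cluster (assumption of this example), so a
    # tenant override given for one cluster cannot end up on another.
    az aks get-credentials -g "$rg" -n "$name" \
      --file "$file" --overwrite-existing </dev/null || return 1

    # Convert immediately after fetching, while the file holds one cluster.
    set -- convert-kubeconfig -l azurecli
    if [ -n "$tenant" ] && [ "$tenant" != "-" ]; then
      set -- "$@" --tenant-id "$tenant"
    fi
    KUBECONFIG="$file" kubelogin "$@" </dev/null || return 1

    echo "$file"   # report the converted file to the caller
  done
}

# Usage (cluster names and tenant ID are placeholders):
#   printf '%s\n' 'rg-a aks-a -' 'rg-b aks-b <tenant-id>' |
#     convert_clusters "$HOME/.kube/aks"
```

Point `KUBECONFIG` at one of the printed files before running `kubectl` against that cluster.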