Deployment pipeline suddenly stopped working -- probably something to do with AAD and service connection

Richard Barraclough
2023-09-07T16:57:40.0033333+00:00

I have an Azure deployment pipeline with an AzureCLI job that runs a PowerShell script to execute DbUp.

steps:
- task: AzureCLI@2
  displayName: 'Execute DbUp'
  inputs:
    azureSubscription: 'whatever-int'
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: |
     echo "Running migrations through DbUp..."
     
     # az login --use-device-code
     
     dotnet Whatever.Migrations.dll "Server=whatever-int-sql-server.database.windows.net;Database=Whatever;Authentication=Active Directory Default;" IncludeTestData
     
     echo "DbUp migration stage complete."
    workingDirectory: '$(System.DefaultWorkingDirectory)/_Whatever/Artifacts/Whatever.Migrations'

Where the dll being run is a console app whose first parameter is the connection string.

I spent ages working around with AAD to get this to work, but it has suddenly stopped working.

2023-09-07T13:37:36.7224310Z ##[section]Starting: Execute DbUp
2023-09-07T13:37:36.7337976Z ==============================================================================
2023-09-07T13:37:36.7338153Z Task         : Azure CLI
2023-09-07T13:37:36.7338214Z Description  : Run Azure CLI commands against an Azure subscription in a PowerShell Core/Shell script when running on Linux agent or PowerShell/PowerShell Core/Batch script when running on Windows agent.
2023-09-07T13:37:36.7338412Z Version      : 2.225.0
2023-09-07T13:37:36.7338487Z Author       : Microsoft Corporation
2023-09-07T13:37:36.7338560Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-cli
2023-09-07T13:37:36.7338668Z ==============================================================================
2023-09-07T13:37:39.6621894Z [command]C:\Windows\system32\cmd.exe /D /S /C ""C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" --version"
2023-09-07T13:38:10.6539822Z WARNING: You have 2 update(s) available. Consider updating your CLI installation with 'az upgrade'
2023-09-07T13:38:10.6540311Z azure-cli                         2.51.0 *
2023-09-07T13:38:10.6540677Z 
2023-09-07T13:38:10.6540882Z core                              2.51.0 *
2023-09-07T13:38:10.6541077Z telemetry                          1.1.0
2023-09-07T13:38:10.6541254Z 
2023-09-07T13:38:10.6541425Z Extensions:
2023-09-07T13:38:10.6541696Z azure-devops                      0.26.0
2023-09-07T13:38:10.6541823Z 
2023-09-07T13:38:10.6542004Z Dependencies:
2023-09-07T13:38:10.6542187Z msal                            1.24.0b1
2023-09-07T13:38:10.6542464Z azure-mgmt-resource             23.1.0b2
2023-09-07T13:38:10.6542597Z 
2023-09-07T13:38:10.6542921Z Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
2023-09-07T13:38:10.6543309Z Extensions directory 'C:\Program Files\Common Files\AzureCliExtensionDirectory'
2023-09-07T13:38:10.6543498Z 
2023-09-07T13:38:10.6543808Z Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb  7 2023, 17:20:36) [MSC v.1929 64 bit (AMD64)]
2023-09-07T13:38:10.6544205Z 
2023-09-07T13:38:10.6544405Z Legal docs and information: aka.ms/AzureCliLegal
2023-09-07T13:38:10.6544549Z 
2023-09-07T13:38:10.6544669Z 
2023-09-07T13:38:10.6565586Z Setting AZURE_CONFIG_DIR env variable to: D:\a\_temp\.azclitask
2023-09-07T13:38:10.6572262Z Setting active cloud to: AzureCloud
2023-09-07T13:38:10.7292231Z [command]C:\Windows\system32\cmd.exe /D /S /C ""C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" cloud set -n AzureCloud"
2023-09-07T13:38:45.7650441Z [command]C:\Windows\system32\cmd.exe /D /S /C ""C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" login --service-principal -u *** "--password=***" --tenant bb0ba424-4ea6-44b8-a0a4-fb7656270d67 --allow-no-subscriptions"
2023-09-07T13:38:47.3363882Z [
2023-09-07T13:38:47.3438157Z   {
2023-09-07T13:38:47.3535692Z     "cloudName": "AzureCloud",
2023-09-07T13:38:47.3552649Z     "homeTenantId": "bb0ba424-...",
2023-09-07T13:38:47.4391722Z     "id": "335d6548-...",
2023-09-07T13:38:47.4417683Z     "isDefault": true,
2023-09-07T13:38:47.4462015Z     "managedByTenants": [],
2023-09-07T13:38:47.4462745Z     "name": "Azure Subscription",
2023-09-07T13:38:47.4465494Z     "state": "Enabled",
2023-09-07T13:38:47.4846066Z     "tenantId": "bb0ba424-4...",
2023-09-07T13:38:47.5286039Z     "user": {
2023-09-07T13:38:47.5293672Z       "name": "***",
2023-09-07T13:38:47.5347418Z       "type": "servicePrincipal"
2023-09-07T13:38:47.5349374Z     }
2023-09-07T13:38:47.5349892Z   }
2023-09-07T13:38:47.5350681Z ]
2023-09-07T13:38:47.5356564Z [command]C:\Windows\system32\cmd.exe /D /S /C ""C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" account set --subscription 335d6548-abdc-4fd4-b313-e8c7ab8357c6"
2023-09-07T13:38:47.8641594Z [command]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'D:\a\_temp\azureclitaskscript1694093859559.ps1'"
2023-09-07T13:38:48.2946160Z Running migrations through DbUp...
2023-09-07T13:38:55.3148960Z   Server: whatever-int-sql-server.database.windows.net
2023-09-07T13:38:55.3149483Z Database: Whatever
2023-09-07T13:38:55.5217930Z Test data scripts will be executed as part of the upgrade.
2023-09-07T13:38:59.4790189Z Upgrade failed due to an unexpected exception:
2023-09-07T13:38:59.4791423Z Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net/, Authority: . Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
2023-09-07T13:38:59.4794892Z Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net/, Authority: . Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. Received a non-retryable error. MSI ResponseCode: BadRequest, Response: {"error":"invalid_request","error_description":"Identity not found"}
2023-09-07T13:38:59.4796660Z Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net/, Authority: . Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "C:\Users\VssAdministrator\AppData\Local\.IdentityService\AzureServiceAuth\tokenprovider.json"
2023-09-07T13:38:59.4798171Z Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net/, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,
2023-09-07T13:38:59.4799442Z operable program or batch file.
2023-09-07T13:38:59.4800051Z 
2023-09-07T13:38:59.4800104Z 
2023-09-07T13:38:59.4800380Z    at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.GetAuthResultAsyncImpl(String resource, String authority, CancellationToken cancellationToken)
2023-09-07T13:38:59.4801037Z    at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.GetAuthenticationResultAsync(String resource, String tenantId, CancellationToken cancellationToken)
2023-09-07T13:38:59.4801452Z    at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.GetAccessTokenAsync(String resource, String tenantId, CancellationToken cancellationToken)
2023-09-07T13:38:59.4802134Z    at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.GetAccessTokenAsync(String resource, String tenantId)
2023-09-07T13:38:59.4803883Z    at DbUp.SqlServer.AzureSqlConnectionManager.<>c__DisplayClass2_0.<.ctor>b__0(IUpgradeLog log, DatabaseConnectionManager dbManager)
2023-09-07T13:38:59.4804994Z    at DbUp.Engine.Transactions.DelegateConnectionFactory.CreateConnection(IUpgradeLog upgradeLog, DatabaseConnectionManager databaseConnectionManager)
2023-09-07T13:38:59.4807552Z    at DbUp.Engine.Transactions.DatabaseConnectionManager.CreateConnection(IUpgradeLog upgradeLog)
2023-09-07T13:38:59.4808177Z    at DbUp.Engine.Transactions.DatabaseConnectionManager.OperationStarting(IUpgradeLog upgradeLog, List`1 executedScripts)
2023-09-07T13:38:59.4808649Z    at DbUp.Engine.UpgradeEngine.PerformUpgrade()
2023-09-07T13:38:59.4809028Z Upgrade failed due to an unexpected exception:
2023-09-07T13:38:59.4809661Z Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net/, Authority: . Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
2023-09-07T13:38:59.4811197Z Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net/, Authority: . Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. Received a non-retryable error. MSI ResponseCode: BadRequest, Response: {"error":"invalid_request","error_description":"Identity not found"}
2023-09-07T13:38:59.4813088Z Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net/, Authority: . Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "C:\Users\VssAdministrator\AppData\Local\.IdentityService\AzureServiceAuth\tokenprovider.json"
2023-09-07T13:38:59.4814304Z Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net/, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,
2023-09-07T13:38:59.4814898Z operable program or batch file.
2023-09-07T13:38:59.4815224Z 
2023-09-07T13:38:59.4815464Z 
2023-09-07T13:38:59.4816103Z    at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.GetAuthResultAsyncImpl(String resource, String authority, CancellationToken cancellationToken)
2023-09-07T13:38:59.4816768Z    at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.GetAuthenticationResultAsync(String resource, String tenantId, CancellationToken cancellationToken)
2023-09-07T13:38:59.4817408Z    at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.GetAccessTokenAsync(String resource, String tenantId, CancellationToken cancellationToken)
2023-09-07T13:38:59.4819125Z    at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.GetAccessTokenAsync(String resource, String tenantId)
2023-09-07T13:38:59.4820031Z    at DbUp.SqlServer.AzureSqlConnectionManager.<>c__DisplayClass2_0.<.ctor>b__0(IUpgradeLog log, DatabaseConnectionManager dbManager)
2023-09-07T13:38:59.4820538Z    at DbUp.Engine.Transactions.DelegateConnectionFactory.CreateConnection(IUpgradeLog upgradeLog, DatabaseConnectionManager databaseConnectionManager)
2023-09-07T13:38:59.4820972Z    at DbUp.Engine.Transactions.DatabaseConnectionManager.CreateConnection(IUpgradeLog upgradeLog)
2023-09-07T13:38:59.4822898Z    at DbUp.Engine.Transactions.DatabaseConnectionManager.OperationStarting(IUpgradeLog upgradeLog, List`1 executedScripts)
2023-09-07T13:38:59.4823415Z    at DbUp.Engine.UpgradeEngine.PerformUpgrade()
2023-09-07T13:38:59.4904752Z DbUp migration stage complete.
2023-09-07T13:38:59.6208101Z ##[error]Script failed with exit code: 1
2023-09-07T13:38:59.6351326Z [command]C:\Windows\system32\cmd.exe /D /S /C ""C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" account clear"
2023-09-07T13:39:00.3807895Z ##[section]Finishing: Execute DbUp

The "Identity not found" thing seems to me to be the most relevant thing, but what identity and where wasn't it found? As far as I can tell -- and it's pretty fucking opaque with AAD -- there is an AAD user thingy for the whatsit and a corresponding LOGIN on the database server.

Or is it time to dump AAD and just put the username and password into the PowerShell script?
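
A preflight check that could run at the top of the inline script, before the migration DLL starts; it is an added example, not part of the original post. It checks the three things the posted log depends on for the "Azure CLI" token method: that the bare name `az` resolves for a child process, that the CLI session is the service principal the task logged in, and that the CLI can issue a token for the resource named in the exception (only the expiry is printed, never the token). Variable names and messages are assumptions.

```powershell
# Added preflight, not from the original post. Written for the Windows
# PowerShell host that "scriptType: ps" uses on a Windows agent.
# Assumption: the resource is the one shown in the posted exception.
$resource = 'https://database.windows.net/'

function Stop-Preflight([string]$message) {
    # Azure Pipelines logging command: surfaces the text as a task error.
    Write-Host "##vso[task.logissue type=error]$message"
    exit 1
}

# 1. The posted failure was "'az' is not recognized", raised when a child
#    process resolved the bare name. where.exe performs the same PATH search.
$azPath = & where.exe az
if ($LASTEXITCODE -ne 0) {
    Stop-Preflight "az is not resolvable on PATH for processes started from this script."
}
Write-Host "az resolves to: $($azPath -join '; ')"

# 2. The task log shows AZURE_CONFIG_DIR pointing at the directory that holds
#    the service principal login. A child process needs to inherit it.
if (-not $env:AZURE_CONFIG_DIR) {
    Stop-Preflight "AZURE_CONFIG_DIR is not set; a child az process would not see the task's login."
}
Write-Host "AZURE_CONFIG_DIR: $env:AZURE_CONFIG_DIR"

# 3. Confirm which identity the CLI session holds.
$userType = az account show --query user.type --output tsv
if ($LASTEXITCODE -ne 0) {
    Stop-Preflight "az account show failed; the CLI has no active login."
}
Write-Host "CLI identity type: $userType"

# 4. Ask for a token for the SQL resource, reading back only its expiry so
#    the token itself never reaches the pipeline log.
$expiresOn = az account get-access-token --resource $resource --query expiresOn --output tsv
if ($LASTEXITCODE -ne 0 -or -not $expiresOn) {
    Stop-Preflight "The CLI could not issue a token for $resource."
}
Write-Host "Token for $resource is obtainable; expires $expiresOn"
```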
