Search-AzGraph "Your Azure credentials have not been set up or have expired" in GitHub Actions #20720

Closed
rwaal opened this issue Jan 20, 2023 · 9 comments
Labels: Accounts, Authentication, bug, customer-reported

Comments

rwaal commented Jan 20, 2023

Description

The Search-AzGraph command consistently throws an error in a GitHub Actions workflow:

Your Azure credentials have not been set up or have expired, please run
     | Connect-AzAccount to set up your Azure credentials. No certificate
     | thumbprint or secret provided for the given service principal
     | '***'.

I am not sure if this problem is related to a bug in the Search-AzGraph command, the Az.ResourceGraph module or perhaps in the azure/login@v1 GitHub Action. I can only reproduce it when running this command in a script on GitHub Actions. On my local machine, this script works without problems, using the same module versions.

GitHub workflow

The GitHub workflow is as follows:

---
on:
  workflow_dispatch:
    inputs:
      Environment:
        type: choice
        options:
          - nonprd
          - prd
        description: "nonprd or prd environments"
        required: true

jobs:
  execution:
    name: Test
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Login to Azure
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
          enable-AzPSSession: true

      - name: Query and update
        id: queryupdate
        uses: azure/powershell@v1
        with:
          inlineScript: | 
            Test.ps1 -Environment ${{ github.event.inputs.Environment }}
          azPSVersion: latest

As you can see in the workflow definition, I am using traditional SPN-based authentication. I use the same credentials in other workflows that use Azure PowerShell cmdlets, which work just fine.

Issue script & Debug output

# The output below is the output from the GitHub Actions workflow, where I only took the output from the "Login to Azure" and "Query and update" steps.

2023-01-20T09:40:16.2502792Z ##[group]Run azure/login@v1
2023-01-20T09:40:16.2503141Z with:
2023-01-20T09:40:16.2504629Z   creds: ***
2023-01-20T09:40:16.2504955Z   enable-AzPSSession: true
2023-01-20T09:40:16.2505304Z   environment: azurecloud
2023-01-20T09:40:16.2505658Z   allow-no-subscriptions: false
2023-01-20T09:40:16.2506046Z   audience: api://AzureADTokenExchange
2023-01-20T09:40:16.2506408Z ##[endgroup]
2023-01-20T09:40:21.5219545Z [command]/usr/bin/az cloud set -n azurecloud
2023-01-20T09:40:25.9521536Z Done setting cloud: "azurecloud"
2023-01-20T09:40:25.9524275Z Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.
2023-01-20T09:40:29.0601716Z Running Azure PS Login
2023-01-20T09:40:29.0630053Z [command]/usr/bin/pwsh -Command try ***
2023-01-20T09:40:29.0630823Z             $ErrorActionPreference = "Stop"
2023-01-20T09:40:29.0631826Z             $WarningPreference = "SilentlyContinue"
2023-01-20T09:40:29.0632456Z             $output = @***
2023-01-20T09:40:29.0633255Z             $data = Get-Module -Name Az.Accounts -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1
2023-01-20T09:40:29.0633940Z             $output['AzVersion'] = $data.Version.ToString()
2023-01-20T09:40:29.0634415Z             $output['Success'] = "true"
2023-01-20T09:40:29.0634767Z         ***
2023-01-20T09:40:29.0635066Z         catch ***
2023-01-20T09:40:29.0635502Z             $output['Error'] = $_.exception.Message
2023-01-20T09:40:29.0635882Z         ***
2023-01-20T09:40:29.0636269Z         return ConvertTo-Json $output
2023-01-20T09:40:50.1963116Z ***
2023-01-20T09:40:50.1963763Z   "Success": "true",
2023-01-20T09:40:50.1964713Z   "AzVersion": "2.11.1"
2023-01-20T09:40:50.1965566Z ***
2023-01-20T09:40:50.3546699Z [command]/usr/bin/pwsh -Command try ***
2023-01-20T09:40:50.3593965Z             $ErrorActionPreference = "Stop"
2023-01-20T09:40:50.3594467Z             $WarningPreference = "SilentlyContinue"
2023-01-20T09:40:50.3594931Z             $output = @***
2023-01-20T09:40:50.3595426Z             Clear-AzContext -Scope Process;
2023-01-20T09:40:50.3597265Z              Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue;Connect-AzAccount -ServicePrincipal -Tenant '***' -Credential                 (New-Object System.Management.Automation.PSCredential('***',(ConvertTo-SecureString '***' -AsPlainText -Force)))                     -Environment 'azurecloud' | out-null;Set-AzContext -SubscriptionId '***' -TenantId '***' | out-null;
2023-01-20T09:40:50.3598268Z             $output['Success'] = "true"
2023-01-20T09:40:50.3598618Z         ***
2023-01-20T09:40:50.3598921Z         catch ***
2023-01-20T09:40:50.3599351Z             $output['Error'] = $_.exception.Message
2023-01-20T09:40:50.3599739Z         ***
2023-01-20T09:40:50.3600115Z         return ConvertTo-Json $output
2023-01-20T09:40:57.9830946Z ***
2023-01-20T09:40:57.9831521Z   "Success": "true"
2023-01-20T09:40:57.9832006Z ***
2023-01-20T09:40:58.0718162Z Azure PowerShell session successfully initialized
2023-01-20T09:40:58.0718834Z Login successful.

2023-01-20T09:40:58.0881680Z ##[group]Run azure/powershell@v1
2023-01-20T09:40:58.0882049Z with:
2023-01-20T09:40:58.0882470Z   inlineScript: $DebugPreference='Continue'; ./Test.ps1 -Environment nonprd
2023-01-20T09:40:58.0882935Z   azPSVersion: latest
2023-01-20T09:40:58.0883291Z   errorActionPreference: Stop
2023-01-20T09:40:58.0883667Z   failOnStandardError: false
2023-01-20T09:40:58.0884176Z   githubToken: ***
2023-01-20T09:40:58.0884498Z env:
2023-01-20T09:40:58.0884810Z   AZURE_HTTP_USER_AGENT: 
2023-01-20T09:40:58.0885165Z   AZUREPS_HOST_ENVIRONMENT: 
2023-01-20T09:40:58.0885529Z ##[endgroup]
2023-01-20T09:40:58.1738571Z Validating inputs
2023-01-20T09:40:58.1781593Z Module Az latest installed from hostedAgentFolder
2023-01-20T09:40:58.1783496Z Initializing Az Module
2023-01-20T09:40:58.1829547Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -Command Test-Path (Join-Path /usr/share az_*)
2023-01-20T09:40:58.1873533Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -Command try ***
2023-01-20T09:40:58.1874082Z             $ErrorActionPreference = "Stop"
2023-01-20T09:40:58.1874584Z             $WarningPreference = "SilentlyContinue"
2023-01-20T09:40:58.1875009Z             $output = @***
2023-01-20T09:40:58.1875844Z             $data = Get-Module -Name Az -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1
2023-01-20T09:40:58.1876566Z             $output['AzVersion'] = $data.Version.ToString()
2023-01-20T09:40:58.1877123Z             $output['Success'] = "true"
2023-01-20T09:40:58.1877570Z         ***
2023-01-20T09:40:58.1877956Z         catch ***
2023-01-20T09:40:58.1878723Z             $output['Error'] = $_.exception.Message
2023-01-20T09:40:58.1879201Z         ***
2023-01-20T09:40:58.1879698Z         return ConvertTo-Json $output
2023-01-20T09:40:58.6253882Z True
2023-01-20T09:40:59.3214572Z ***
2023-01-20T09:40:59.3215373Z   "Success": "true",
2023-01-20T09:40:59.3216092Z   "AzVersion": "9.2.0"
2023-01-20T09:40:59.3216626Z ***
2023-01-20T09:40:59.3756491Z Initializing Az Module Complete
2023-01-20T09:40:59.3757576Z Running Az PowerShell Script
2023-01-20T09:40:59.3772815Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -Command /home/runner/work/_temp/f23c13f8-863f-40cb-8804-f6e3968ec43b.ps1
2023-01-20T09:41:13.7740440Z DEBUG: Sought all Az modules and got latest version 9.2.0
2023-01-20T09:41:13.7784941Z DEBUG: 09:41:13 - SearchAzureRmGraph begin processing with ParameterSet 'TenantScopedQuery'.
2023-01-20T09:41:13.7786292Z DEBUG: 09:41:13 - using account id '***'...
2023-01-20T09:41:13.7880864Z DEBUG: 09:41:13 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
2023-01-20T09:41:13.8088181Z DEBUG: [Common.Authentication]: Authenticating using Account: '***', environment: 'AzureCloud', tenant: '***'
2023-01-20T09:41:13.8089757Z DEBUG: [Common.Authentication]: Received exception No certificate thumbprint or secret provided for the given service principal '***'., while authenticating.
2023-01-20T09:41:13.8091062Z DEBUG: 09:41:13 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
2023-01-20T09:41:13.8892843Z Search-AzGraph: /home/runner/work/ah-tech-enablement-landingzones/ah-tech-enablement-landingzones/Test.ps1:20
2023-01-20T09:41:13.8893752Z Line |
2023-01-20T09:41:13.8894430Z   20 |  Search-AzGraph -query $query -UseTenantScope
2023-01-20T09:41:13.8895154Z      |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2023-01-20T09:41:13.8895983Z      | Your Azure credentials have not been set up or have expired, please run
2023-01-20T09:41:13.8896831Z      | Connect-AzAccount to set up your Azure credentials. No certificate
2023-01-20T09:41:13.8897674Z      | thumbprint or secret provided for the given service principal
2023-01-20T09:41:13.8898480Z      | '***'.
2023-01-20T09:41:13.8899328Z
2023-01-20T09:41:13.9774166Z ##[error]Error: The process '/usr/bin/pwsh' failed with exit code 1

Environment data

Name                           Value
----                           -----
PSVersion                      7.2.8
PSEdition                      Core
GitCommitId                    7.2.8
OS                             Linux 5.15.0-1031-azure #38-Ubuntu SMP Mon Jan …
Platform                       Unix
PSCompatibleVersions           ***1.0, 2.0, 3.0, 4.0***
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCo
                                                                     mmands
---------- -------    ---------- ----                                ----------
Script     2.9.1                 Az.Accounts                         ***Add-AzEn…
Script     0.13.0                Az.ResourceGraph                    ***Search-A

Error output

DEBUG: 10:03:32 - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 10:03:32 - using account id '***'...
DEBUG: 10:03:32 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use `Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.

   HistoryId: 1

Message        : Your Azure credentials have not been set up or have expired, p
                 lease run Connect-AzAccount to set up your Azure credentials.
                 No certificate thumbprint or secret provided for the given ser
                 vice principal '***'.
StackTrace     :    at Microsoft.Azure.Commands.Common.Authentication.Factories
                 .AuthenticationFactory.GetServiceClientCredentials(IAzureConte
                 xt context, String targetEndpoint, String resourceId)
                    at Microsoft.Azure.Commands.Common.Authentication.Factories
                 .AuthenticationFactory.GetServiceClientCredentials(IAzureConte
                 xt context, String targetEndpoint)
                    at Microsoft.Azure.Commands.Common.Authentication.Factories
                 .ClientFactory.CreateArmClient[TClient](IAzureContext context,
                  String endpoint)
                    at Microsoft.Azure.Commands.ResourceGraph.Utilities.Resourc
                 eGraphBaseCmdlet.get_ResourceGraphClient()
                    at Microsoft.Azure.Commands.ResourceGraph.Cmdlets.SearchAzu
                 reRmGraph.ExecuteCmdlet()
Exception      : Microsoft.Azure.Commands.Common.Exceptions.AzPSArgumentExcepti
                 on
InvocationInfo : ***Search-AzGraph***
Line           : Search-AzGraph -query $query -UseTenantScope -ErrorAction 'Sil
                 entlyContinue'
                 
Position       : At /home/runner/work/ah-tech-enablement-landingzones/ah-tech-e
                 nablement-landingzones/Test.ps1:20 char:1
                 + Search-AzGraph -query $query -UseTenantScope -ErrorAction 'S
                 ilentlyCo …
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                 ~~~~~~~~~
HistoryId      : 1

Message        : No certificate thumbprint or secret provided for the given ser
                 vice principal '***'.
StackTrace     :    at Microsoft.Azure.PowerShell.Authenticators.ServicePrincip
                 alAuthenticator.Authenticate(AuthenticationParameters paramete
                 rs, CancellationToken cancellationToken)
                    at Microsoft.Azure.Commands.Common.Authentication.Delegatin
                 gAuthenticator.TryAuthenticate(AuthenticationParameters parame
                 ters, CancellationToken cancellationToken, Task`1& token)
                    at Microsoft.Azure.Commands.Common.Authentication.Delegatin
                 gAuthenticator.TryAuthenticate(AuthenticationParameters parame
                 ters, CancellationToken cancellationToken, Task`1& token)
                    at Microsoft.Azure.Commands.Common.Authentication.Delegatin
                 gAuthenticator.TryAuthenticate(AuthenticationParameters parame
                 ters, CancellationToken cancellationToken, Task`1& token)
                    at Microsoft.Azure.Commands.Common.Authentication.Delegatin
                 gAuthenticator.TryAuthenticate(AuthenticationParameters parame
                 ters, CancellationToken cancellationToken, Task`1& token)
                    at Microsoft.Azure.Commands.Common.Authentication.Delegatin
                 gAuthenticator.TryAuthenticate(AuthenticationParameters parame
                 ters, Task`1& token)
                    at Microsoft.Azure.Commands.Common.Authentication.Factories
                 .AuthenticationFactory.Authenticate(IAzureAccount account, IAz
                 ureEnvironment environment, String tenant, SecureString passwo
                 rd, String promptBehavior, Action`1 promptAction, IAzureTokenC
                 ache tokenCache, String resourceId)
                    at Microsoft.Azure.Commands.Common.Authentication.Factories
                 .AuthenticationFactory.Authenticate(IAzureAccount account, IAz
                 ureEnvironment environment, String tenant, SecureString passwo
                 rd, String promptBehavior, Action`1 promptAction, String resou
                 rceId)
                    at Microsoft.Azure.Commands.Common.Authentication.Factories
                 .AuthenticationFactory.GetServiceClientCredentials(IAzureConte
                 xt context, String targetEndpoint, String resourceId)
Exception      : Microsoft.Identity.Client.MsalException
InvocationInfo : ***Search-AzGraph***
Line           : Search-AzGraph -query $query -UseTenantScope -ErrorAction 'Sil
                 entlyContinue'
                 
Position       : At /home/runner/work/ah-tech-enablement-landingzones/ah-tech-e
                 nablement-landingzones/Test.ps1:20 char:1
                 + Search-AzGraph -query $query -UseTenantScope -ErrorAction 'S
                 ilentlyCo …
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                 ~~~~~~~~~
HistoryId      : 1
rwaal added the bug and needs-triage labels Jan 20, 2023
ghost added the customer-reported label and removed the needs-triage label Jan 20, 2023
@pvannoort

Same error with Get-AzKeyVaultSecret when it uses Az.Accounts: Version 2.11.1 (and Az.KeyVault: Version 4.9.1)
It works fine with Az.Accounts: Version 2.10.4 (and Az.KeyVault: Version 4.9.1)

Get-AzKeyVaultSecret : Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to
set up your Azure credentials.
No certificate thumbprint or secret provided for the given service principal '***'.

@dingmeng-xue
Member

@rwaal, could you help to check whether you see the same error when other cmdlets execute, such as Get-AzResourceGroup?

dingmeng-xue added the Authentication and Accounts labels Jan 23, 2023
@rwaal
Author

rwaal commented Jan 23, 2023

> @rwaal, could you help to check whether you see the same error when other cmdlets execute, such as Get-AzResourceGroup?

@dingmeng-xue, the Get-AzResourceGroup cmdlet runs successfully. Our team uses Azure PowerShell on GitHub Actions heavily, and this is the first time that we run into this problem. And only with the Search-AzGraph cmdlet.

@msJinLei
Contributor

msJinLei commented Jan 28, 2023

> > @rwaal, could you help to check whether you see the same error when other cmdlets execute, such as Get-AzResourceGroup?
>
> @dingmeng-xue, the Get-AzResourceGroup cmdlet runs successfully. Our team uses Azure PowerShell on GitHub Actions heavily, and this is the first time that we run into this problem. And only with the Search-AzGraph cmdlet.

@rwaal Could you double-check which Az.Accounts version you are using?

Az.Accounts 2.9.1 was released half a year ago.

One more question

Connect-AzAccount -ServicePrincipal -Tenant 'tenantA' -Credential                 (New-Object System.Management.Automation.PSCredential('***',(ConvertTo-SecureString '***' -AsPlainText -Force)))                     -Environment 'azurecloud' | out-null;Set-AzContext -SubscriptionId '***' -TenantId 'tenantB' | out-null;

I believe the error should be returned by this cmdlet. I would like to know whether tenantA here is the same as tenantB.
Thanks

msJinLei self-assigned this Jan 30, 2023
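
One way to collect the facts requested in the comment above from inside the failing step (which Az.Accounts version the process actually loaded, and whether the restored context is tenant-consistent), as an added example that is not part of the original thread or of the Azure PowerShell project. The function name Get-AzSessionDiagnostics is hypothetical, and the tenant check compares the context tenant with the selected subscription's tenant, since the tenant originally passed to Connect-AzAccount cannot be read back from the context.

```powershell
# Added diagnostic example, not from the thread or the Az project.
# Get-AzSessionDiagnostics is a hypothetical helper name.
function Get-AzSessionDiagnostics {
    [CmdletBinding()]
    param()

    # Reading the context first also auto-imports Az.Accounts, so the
    # "loaded" version below is the one this pwsh process really uses.
    $ctx = Get-AzContext

    # Every Az.Accounts version installed on the runner, newest first.
    $available = Get-Module -Name Az.Accounts -ListAvailable |
        Sort-Object Version -Descending |
        ForEach-Object { $_.Version.ToString() }

    # The version(s) imported into the current process.
    $loaded = Get-Module -Name Az.Accounts |
        ForEach-Object { $_.Version.ToString() }

    if (-not $ctx) {
        # No context was restored from the login step at all.
        return [pscustomobject]@{
            AvailableAzAccounts = $available -join ', '
            LoadedAzAccounts    = $loaded -join ', '
            HasContext          = $false
            AccountType         = $null
            TenantsMatch        = $null
        }
    }

    # The workflow log on this page shows tenant and subscription IDs masked
    # as '***', so emit a comparison result instead of the raw values. Only
    # identifiers are read here; no secret or token is touched.
    [pscustomobject]@{
        AvailableAzAccounts = $available -join ', '
        LoadedAzAccounts    = $loaded -join ', '
        HasContext          = $true
        AccountType         = $ctx.Account.Type   # 'ServicePrincipal' for SPN login
        TenantsMatch        = ($ctx.Tenant.Id -eq $ctx.Subscription.TenantId)
    }
}

# Run immediately before the failing cmdlet, in the same workflow step.
Get-AzSessionDiagnostics | Format-List
```

A loaded version that differs from the one the login step reported means the context was saved by one Az.Accounts version and read back by another.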
@rwaal
Author

rwaal commented Jan 30, 2023

Hello @msJinLei, while looking up the version of the Az.Accounts module it seems that I can no longer reproduce the problem. I don't know if something changed on the public GitHub runners or that I have been doing something wrong the whole time. If it was me, I sincerely apologize for wasting your time.

I'll try to find out why it's now working and post my findings here. But of course you're free to close the issue if you want. Thank you.

@msJinLei
Contributor

> Hello @msJinLei, while looking up the version of the Az.Accounts module it seems that I can no longer reproduce the problem. I don't know if something changed on the public GitHub runners or that I have been doing something wrong the whole time. If it was me, I sincerely apologize for wasting your time.
>
> I'll try to find out why it's now working and post my findings here. But of course you're free to close the issue if you want. Thank you.

I will keep the issue open for a few days, and then you can report your findings here if applicable. You can also create a new issue in the future if this one is closed.
Anyway, you are welcome to contact us about any issue you find or anything else you want to talk to us about.

@isra-fel
Member

isra-fel commented Feb 1, 2023

Hi @pvannoort, were you also running the command in a GitHub action? If so, can you share the debug log with us? If not, please create a new issue. Thanks.

@isra-fel
Member

If the problem reproduces, feel free to open another issue. Thanks

@msJinLei
Contributor

The issue is still found.
Please refer to #21593.
