Azure-pipelines-tasks: Update to Azure Powershell task breaks AzContext in background job

Created on 24 Jul 2020 · 21Comments · Source: microsoft/azure-pipelines-tasks

Required Information

Entering this information will route you directly to the right team and expedite traction.

Question, Bug, or Feature?
Type: Bug

Enter Task Name: Azure Powershell

Environment

Server - Azure Pipelines or TFS on-premises?

Azure Pipelines
- If using Azure Pipelines, provide the account name, team project name, build definition name/build number:
  Account: amcsgroup
  Project: Routing
  Release definition name: routing_qa3_f0
  ReleaseId: 4612
Agent - Hosted or Private:
Hosted
- If using Hosted agent, provide agent queue name:
  Azure Pipelines

Issue Description

Since yesterday, 23rd of July, Azure Powershell tasks started failing with an error "Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials." when passing AzContext to a background job.

Task logs

[Enable debug logging and please provide the zip file containing all the logs for a speedy resolution]

Troubleshooting

Checkout how to troubleshoot failures and collect debug logs: https://docs.microsoft.com/en-us/vsts/build-release/actions/troubleshooting

Error logs

Reproduction steps:

Create a release with Azure PowerShell V4 or V5 task using the following params:
Use the following reproduction script

$Context = Get-AzContext

$ScriptBlock = {
    param($Azcontext)
    $ErrorActionPreference = "Stop"
try {
    Get-AzKeyVault -VaultName %somename% -ResourceGroupName  %some-rg% -AzureRMContext $Azcontext | Out-Null
    Write-Output "Done."
}
catch
{
Write-Error $_
}
}

@(1, 2, 3) | ForEach-Object {
    Start-Job -Name $_ -ScriptBlock $ScriptBlock -ArgumentList $Context | Out-Null
}
Start-Sleep -Seconds 5
@(1, 2, 3) | ForEach-Object {
    Get-Job -Name $_ | Receive-Job
}

Release bug

Source

PavelPikat

👍1

Most helpful comment

Hi All,
I have two workarounds that I have tested so far.

Update the task version to 5.* or use AzurePowerShell@5
Run on Windows Powershell (set pwsh: false)

v-kyljon on 27 Jul 2020

👍2

All 21 comments

Similar result can be achieved by running AzurePowershellV4 with pwsh on Win2016 or Win2019 images

`trigger:

none

pool:
vmImage: 'windows-latest'

steps:

task: AzurePowerShell@5
inputs:
azureSubscription: 'TestSub'
ScriptType: 'InlineScript'
Inline: |
$PSVersionTable
Get-AzWebAppCertificate -ResourceGroupName TestWebApp
preferredAzurePowerShellVersion: '4.3.0'
pwsh: true

task: AzurePowerShell@4
inputs:
azureSubscription: 'TestSub'
ScriptType: 'InlineScript'
Inline: |
$PSVersionTable
Get-AzWebAppCertificate -ResourceGroupName TestWebApp
azurePowerShellVersion: '4.3.0' # Latest has same result
pwsh: true`

Results:
`##[debug]STDERR: Get-AzWebAppCertificate: D:\a_temp\1b94dc83-5241-4e64-85ab-bb0b39bcf9a3.ps1:5

[debug]STDERR: Line |

[debug] 5 | Get-AzWebAppCertificate -ResourceGroupName TestWebApp

[debug] | ~~~~~~~~~~~~~

[debug] | No subscription found in the context. Please ensure that the credentials you provided are authorized

[debug] | to access an Azure subscription, then run Connect-AzAccount to login.

[debug]

[debug]Exit code: 1

[debug]Leaving Invoke-VstsTool.

[error]Get-AzWebAppCertificate: D:\a_temp\1b94dc83-5241-4e64-85ab-bb0b39bcf9a3.ps1:5

Line |
5 | Get-AzWebAppCertificate -ResourceGroupName TestWebApp
| ~~~~~~~~~~~~~
| No subscription found in the context. Please ensure that the credentials you provided are authorized
| to access an Azure subscription, then run Connect-AzAccount to login.
`
Noted: AzurePowershellV5 uses version 1.9.0 of the Az.accounts module while V4 uses 1.9.1

From the commits around this timeframe I haven't found any changes related to the tasks that could cause these responses but it seems similar to #9319

Since V5 outputs the Tls1.2 setting located in the debug for V4 as well because I wasn't sure if this may have an impact ##[debug]TLS 1.2 already present in session.

'Disable-AzContextAutosave' related?

v-kyljon on 25 Jul 2020

@20shivangi to check this once

chshrikh on 27 Jul 2020

@PavelPikat Earlier we were using set-azcontext command in the scope of currentUser, due to which all the non-azureps tasks were able to use the Az context so we limited the context to the scope of process. But due to this, some pipelines started breaking where people were using az context created by azureps task.
So for now, we have reverted this change back. Our change has started being deployed, soon it will reach all the rings.

20shivangi on 27 Jul 2020

Hey guys, that's quite a big bug. We had several pipelines running using this configuration and they all are failing now.

E: context is being used in quite a lot of taks.
Even when we are uploading ARM templates to storage account, this command does not work Set-AzCurrentStorageAccount.

Do you have any workaround, that we can apply so context will still be taken using this task? This change breaks our concept.

Thanks,
Rafal

roofiq on 27 Jul 2020

@roofiq We ended up adding something like Save-AzContext -Path C:\context.json and Import-AzContext -Path C:\context.json to get the AzContext inside of a background job.
The first job is guaranteed to fail, so we also added a dummy job that runs first and ignores any exceptions.

PavelPikat on 27 Jul 2020

Picking up the context in a later step is not the only use-case breaking. An inline script launching another PowerShell.exe fails as well, even though everything is in the same build step. Sure, not the cleanest of things, but not exactly something you expect to break outside a major version update.

lmoelleb on 27 Jul 2020

Not sure if this is exactly the same issue, but our pipeline breaks aswell. we have the following task in our pipeline;

- task: AzurePowerShell@4
  displayName: 'KeyVault'
  inputs:
    azureSubscription: 'azure environment'
    ScriptPath: '$(Pipeline.Workspace)/drop/scripts/Check-KeyVault/Check-KeyVault.ps1'
    ScriptArguments: '-KeyVaultName $(keyvaultname)'
    azurePowerShellVersion: LatestVersion
    pwsh: true

The script does one call to Azure

$keyVault = Get-AzKeyVault -VaultName $keyVaultName

And the pipeline is failing telling us to Run Connect-AzAccount to login.

last time it ran the powershell module was version 4.171.1

LeonB87 on 27 Jul 2020

@LeonB87 Are you executing the Az cmdlet in a ScriptBlock? If so, the context is lost if it's not passed into the block

PavelPikat on 27 Jul 2020

Hi All,
I have two workarounds that I have tested so far.

Update the task version to 5.* or use AzurePowerShell@5
Run on Windows Powershell (set pwsh: false)

v-kyljon on 27 Jul 2020

👍2

@PavelPikat The powershell script itself doesn't contain a scriptblock.

param(
    [string][parameter(Mandatory = $true)] $keyVaultName
)

$keyVault = Get-AzKeyVault -VaultName $keyVaultName

if ($keyvault) {
    Write-Host "##vso[task.setvariable variable=keyVaultExists]true"
    Write-Output "Variable for keyvault is set to true".
} else {
    Write-Host "##vso[task.setvariable variable=keyVaultExists]false"
    Write-Output "Variable for keyvault is set to false".
}

LeonB87 on 27 Jul 2020

Hey. So if you disable Powershell Core on this task, it will run as before this change. Powershell core is creating another process which is loosing the context and all.
It should defaultly run on Core, so it is implementation bug.

roofiq on 27 Jul 2020

The initial issue I created, including its repro steps use v5 without PowerShell Core, so if anything changed now, then it must be due to some fix. I'll re-test my code again

PavelPikat on 27 Jul 2020

Tested work arounds mentioned by v-kyljon on my side. AzurePowerShell@5 using Core works, aswell as AzurePowerShell@4 Without Core.

LeonB87 on 27 Jul 2020

Yeah, seems like it's fixed now. The old release still fails, but if I create new deployment using the same task and code, then it seem to work.

PavelPikat on 27 Jul 2020

Yeah, seems like it's fixed now. The old release still fails, but if I create new deployment using the same task and code, then it seem to work.

@PavelPikat Can you let me know the version of task in which issue is not occuring now ?

20shivangi on 28 Jul 2020

@roofiq I am trying to understand the scenario - what do you mean by "Even when we are uploading ARM templates to storage account,"....which task are you using to upload the template ?

chshrikh on 28 Jul 2020

@chshrikh, nevermind because it all works when disabling Core in v4. But we are uploading ARM templates to storage with Azure PowerShell task so it was all connected :)

roofiq on 28 Jul 2020

I think I'm having this error too. Switching to version 5.* doesn't seem to have helped. The error I get from my background job is

[error]Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials.

harre096 on 29 Jul 2020

I think I'm having this error too. Switching to version 5.* doesn't seem to have helped. The error I get from my background job is

[error]Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials.

@harre096 are you still facing this issue? we have reverted our changes.

AmrutaKawade on 27 Aug 2020

I think I'm having this error too. Switching to version 5.* doesn't seem to have helped. The error I get from my background job is

[error]Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials.

@harre096 are you still facing this issue? we have reverted our changes.

For my script that uses background jobs and runs in AzureDevops. I have been using 5.* successfully for a while. I tested 4.* today and that seems to be working again too.

harre096 on 27 Aug 2020

Thanks for confirming. Closing this issue

AmrutaKawade on 28 Aug 2020

Was this page helpful?

0 / 5 - 0 ratings