jiasli (Member) commented Jul 22, 2020

Description

This is a temporary mitigation for #12757: Cloud Shell fails with 400 Client Error for non-supported resources/audiences/scopes, like

  • https://ossrdbms-aad.database.windows.net
  • https://digitaltwins.azure.net

Currently Azure CLI will show an ugly error message:

$ az account get-access-token --resource https://digitaltwins.azure.net

The command failed with an unexpected error. Here is the traceback:

400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
Traceback (most recent call last):
  File "/home/user1/env383/lib/python3.8/site-packages/knack/cli.py", line 215, in invoke
    cmd_result = self.invocation.execute(args)
  ...
  File "/home/user1/azure-cli/src/azure-cli-core/azure/cli/core/_profile.py", line 392, in _get_token_from_cloud_shell
    auth = MSIAuthenticationWrapper(resource=resource)
  File "/home/user1/env383/lib/python3.8/site-packages/msrestazure/azure_active_directory.py", line 592, in __init__
    self.set_token()
  File "/home/user1/env383/lib/python3.8/site-packages/msrestazure/azure_active_directory.py", line 598, in set_token
    self.scheme, _, self.token = get_msi_token(self.resource, self.port, self.msi_conf)
  File "/home/user1/env383/lib/python3.8/site-packages/msrestazure/azure_active_directory.py", line 486, in get_msi_token
    result.raise_for_status()
  File "/home/user1/env383/lib/python3.8/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token

With this PR, an instruction is shown as a workaround:

Failed to retrieve a token in Cloud Shell for resource https://digitaltwins.azure.net. Please run az login and try again.

$ az account get-access-token --resource https://digitaltwins.azure.net
Failed to retrieve a token in Cloud Shell for resource https://digitaltwins.azure.net. Please run `az login` and try again.

Traceback (most recent call last):
  File "/home/user1/azure-cli/src/azure-cli-core/azure/cli/core/_profile.py", line 394, in _get_token_from_cloud_shell
    auth = MSIAuthenticationWrapper(resource=resource)
  File "/home/user1/env383/lib/python3.8/site-packages/msrestazure/azure_active_directory.py", line 592, in __init__
    self.set_token()
  File "/home/user1/env383/lib/python3.8/site-packages/msrestazure/azure_active_directory.py", line 598, in set_token
    self.scheme, _, self.token = get_msi_token(self.resource, self.port, self.msi_conf)
  File "/home/user1/env383/lib/python3.8/site-packages/msrestazure/azure_active_directory.py", line 486, in get_msi_token
    result.raise_for_status()
  File "/home/user1/env383/lib/python3.8/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token

However, this is only a temporary fix. For the long term, Cloud Shell needs to remove the allowlist and make all resources/audiences/scopes available.

⚠ Side effect: This will hide intermittent 400 failures for supported resources (#11749), such as https://management.core.windows.net/. If the user follows the instruction to run az login as a workaround, the actual problem will be unreported. So I am not sure if this PR is a good choice.

Testing Guide

In Cloud Shell, follow #13567 to install Python 3.8 and check out Azure CLI from source code. Then run

az account get-access-token --resource https://digitaltwins.azure.net
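
The error handling described in this PR, as an added example that is not part of the PR or of Azure CLI's own code: a client catches the 400 from a token endpoint, shows the instruction, and chains the original HTTP error so it stays available to debug output. The stub server, its allowlist, `TokenError`, `get_token` and `demo` are constructed for illustration.

```python
import json, threading, urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stub of the local token endpoint: it answers 400 for any resource
# off this allowlist (the real service's list is not on this page).
ALLOWED = {"https://management.core.windows.net/"}

class StubTokenEndpoint(BaseHTTPRequestHandler):
    def do_POST(self):
        form = self.rfile.read(int(self.headers["Content-Length"])).decode()
        resource = urllib.parse.parse_qs(form)["resource"][0]
        ok = resource in ALLOWED
        data = json.dumps({"access_token": "constructed-token"} if ok else {}).encode()
        self.send_response(200 if ok else 400)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass

class TokenError(Exception):
    """User-facing error; __cause__ keeps the HTTP failure for debug logs."""

def get_token(url, resource):
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never proxy localhost
    form = urllib.parse.urlencode({"resource": resource}).encode()
    try:
        with opener.open(url, data=form, timeout=5) as resp:
            return json.load(resp)["access_token"]
    except urllib.error.HTTPError as ex:
        if ex.code != 400:
            raise  # only the 400 case gets the workaround text
        raise TokenError(f"Failed to retrieve a token in Cloud Shell for resource {resource}. "
                         "Please run `az login` and try again.") from ex

def demo():
    with HTTPServer(("127.0.0.1", 0), StubTokenEndpoint) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{server.server_port}/oauth2/token"
        try:
            token = get_token(url, "https://management.core.windows.net/")
            get_token(url, "https://digitaltwins.azure.net")
        except TokenError as err:
            return token, str(err), err.__cause__.code
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(demo())
```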

yonzhan (Collaborator) commented Jul 22, 2020

CloudShell

jiasli (Member Author) commented Apr 19, 2021

This issue should be resolved by the Cloud Shell service, instead of being worked around by the user.

jiasli (Member Author) commented Apr 19, 2021

This PR is superseded by #15574.
