add-credential azure fails when using the interactive auth type

Bug #1680523 reported by Tommy Falgout
This bug affects 4 people
Affects: Canonical Juju
Status: Fix Released
Importance: High
Assigned to: Tim McNamara

Bug Description

I am receiving the following error when running "juju add-credential azure". I have tried two different subscription IDs, both have the same issue.

Sign In
Sorry, but we’re having trouble signing you in.
We received a bad request.

Additional technical information:
Correlation ID: 9da27091-d4a3-4e93-81e0-41e016d8276a
Timestamp: 2017-04-06 16:01:06Z
AADSTS90093: Calling principal cannot consent due to lack of permissions.

To reproduce the problem:

➜ ~ juju add-credential azure
Enter credential name: test
A credential with that name already exists.

Replace the existing credential? (y/N): y
Auth Types
interactive*
service-principal-secret

Select auth-type: interactive
Enter subscription-id: <removed>
Initiating interactive authentication.

To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code <removed> to authenticate.

-- Go to link

Enter the code that you received from the application on your device

Juju CLI Application publisher: Click cancel if you received this code from a different application

-- Click Continue

-- Enter credentials

Sorry, but we’re having trouble signing you in.
We received a bad request

Andrew Wilkins (axwalk)
Changed in juju:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Andrew Wilkins (axwalk)
Changed in juju:
milestone: none → 2.2-beta3
Andrew Wilkins (axwalk) wrote :

Tommy, can you please try again? The AAD application had an unnecessary permission which required admin consent. I've removed that, so you shouldn't get that error any more.

Andrew Wilkins (axwalk)
Changed in juju:
status: In Progress → Fix Committed
Tommy Falgout (lastcoolnameleft) wrote : Re: [Bug 1680523] Re: add-credential azure fails

Andrew,

I just tried it again and got the same error. I saw the milestone change
and noticed I'm on 2.1.2-sierra-amd64. I doubt it, but will that change
anything?

Additional technical information:
Correlation ID: 575ac5db-dd62-4aa0-9223-d0b490cef79c
Timestamp: 2017-04-11 02:39:37Z
AADSTS90093: Calling principal cannot consent due to lack of permissions.

On Mon, Apr 10, 2017 at 9:35 PM Andrew Wilkins <email address hidden>
wrote:

> Tommy, can you please try again? The AAD application had an unnecessary
> permission which required admin consent. I've removed that, so you
> shouldn't get that error any more.

Tommy Falgout (lastcoolnameleft) wrote : Re: add-credential azure fails

FYI, I've tried with two different subscriptions and am still getting the same error.

Additional technical information:
Correlation ID: 4ece3932-fce4-4f75-89ae-4d3b0143eca6
Timestamp: 2017-04-11 02:54:55Z
AADSTS90093: Calling principal cannot consent due to lack of permissions.

Andrew Wilkins (axwalk) wrote :

Sorry, it looks like the Azure Portal got a bit confused. Removing the permissions in the UI didn't take effect, and the manifest *grew* permissions somehow. Anyway, I've just removed them and confirmed that the manifest got updated this time. Please try again and see how you go.

(And yes, the milestone and client version are irrelevant.)

Anastasia (anastasia-macmood) wrote :

Removing Juju milestone to avoid confusion :D

Changed in juju:
milestone: 2.2-beta3 → none
status: Fix Committed → Fix Released
Anastasia (anastasia-macmood) wrote :

Also marking as Fix Released as the change is independent from the Juju codebase.

Tommy Falgout (lastcoolnameleft) wrote : Re: [Bug 1680523] Re: add-credential azure fails

Closer! I was able to log in and it then asked me for permissions to grant
juju access. I approved, but I'm now getting a different error:

ERROR finalizing credential: waiting for interactive authentication to
completed: autorest/azure/devicetoken: Error while retrieving OAuth token:
Unknown Error

On Mon, Apr 10, 2017 at 10:25 PM Andrew Wilkins <
<email address hidden>> wrote:

> Sorry, it looks like the Azure Portal got a bit confused. Removing
> the permissions in the UI didn't take effect, and the manifest *grew*
> permissions somehow. Anyway, I've just removed them and confirmed that
> the manifest got updated this time. Please try again and see how you go.
>
> (And yes, the milestone and client version are irrelevant.)

Andrew Wilkins (axwalk) wrote : Re: add-credential azure fails

I can't see your logins (I imagine only your tenant admin could), so I'll need some more detailed logging to diagnose further. Can you please run with client-side logging turned right up?

    juju add-credential --logging-config '<root>=TRACE' --log-file=/tmp/azure.log azure

And then supply the azure.log file. This will include tenant and subscription IDs, so you will need to redact if you're concerned about making those known to others.
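
One way to do the redaction requested above before publishing a TRACE log, as an added example that is not Juju's code: every GUID is replaced by a stable placeholder so the log stays diagnosable, while GUIDs known to be public stay readable. The sample log lines are constructed, and the presence of OAuth token fields in such a log is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// GUIDs in canonical 8-4-4-4-12 form, any case. No \b anchors: Azure error
// text embeds IDs after an underscore ("ServicePrincipal_<guid>"), and "_"
// is a word character, so a word boundary would miss them.
var guidRE = regexp.MustCompile(`(?i)[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`)

// JSON fields that carry secrets in an OAuth device-code exchange.
// Assumption: whether a given TRACE log contains them at all.
var secretRE = regexp.MustCompile(`"(access_token|refresh_token|device_code|user_code)"\s*:\s*"[^"]*"`)

// publicResourceAppID is the resource app ID quoted in this thread as not
// sensitive; it is kept readable so a maintainer can still compare it.
const publicResourceAppID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

// RedactLog blanks token values, then replaces every GUID that is not in
// keep with a placeholder. The same GUID always maps to the same
// placeholder, so a reader can still tell which IDs match across lines.
func RedactLog(text string, keep ...string) string {
	public := map[string]bool{}
	for _, g := range keep {
		public[strings.ToLower(g)] = true
	}
	text = secretRE.ReplaceAllString(text, `"${1}":"<redacted>"`)

	placeholders := map[string]string{}
	return guidRE.ReplaceAllStringFunc(text, func(m string) string {
		key := strings.ToLower(m) // GUIDs compare case-insensitively
		if public[key] {
			return m
		}
		if _, ok := placeholders[key]; !ok {
			placeholders[key] = fmt.Sprintf("{{guid-%d}}", len(placeholders)+1)
		}
		return placeholders[key]
	})
}

// sampleLog is constructed for this example; it is not the reporter's log.
const sampleLog = `22:16:09 DEBUG azure GET https://login.example.invalid/11111111-2222-3333-4444-555555555555/oauth2/token
22:16:10 TRACE azure body: {"access_token":"eyJ.constructed.token","resource":"797f4846-ba00-4fd7-ba43-dac1f8f63013"}
22:16:11 DEBUG azure subscription AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE tenant 11111111-2222-3333-4444-555555555555
22:16:12 ERROR azure Resource 'ServicePrincipal_99999999-8888-7777-6666-555555555555' does not exist`

func main() {
	fmt.Println(RedactLog(sampleLog, publicResourceAppID))
}
```

Terminal output pasted next to the log needs the same treatment, since the prompts echo the subscription ID and the device code.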

Changed in juju:
status: Fix Released → In Progress
Andrew Wilkins (axwalk)
Changed in juju:
status: In Progress → Incomplete
Changed in juju:
assignee: Andrew Wilkins (axwalk) → nobody
Tommy Falgout (lastcoolnameleft) wrote : Re: [Bug 1680523] Re: add-credential azure fails

Here are the logs. I removed anything that might be sensitive, so let me
know if there's anything I left out that is vital to solving the problem.

http://lastcoolnameleft.com/mini/azure.log

On Mon, Apr 10, 2017 at 11:10 PM Andrew Wilkins <
<email address hidden>> wrote:

> I can't see your logins (I imagine only your tenant admin could), so
> I'll need some more detailed logging to diagnose further. Can you please
> run with client-side logging turned right up?
>
> juju add-credential --logging-config '<root>=TRACE' --log-file=/tmp/azure.log azure
>
> And then supply the azure.log file. This will include tenant and
> subscription IDs, so you will need to redact if you're concerned about
> making those known to others.

Andrew Wilkins (axwalk) wrote : Re: add-credential azure fails

Thanks Tommy. Can you please provide a couple of those GUIDs, which aren't sensitive:

- {{resource-app-id}} (the resource app ID that the Juju code is requesting access for)
- {{another-guid}} (the resource app ID that is defined in the Juju app registration. I expect this to be 797f4846-ba00-4fd7-ba43-dac1f8f63013, which is the one defined in the manifest for AAD permissions)

I'm probably going to have to get help from someone on the AAD team, as I've created a new AAD application registration and I cannot authenticate with that. Seems like something has changed on the Azure side.

Tommy Falgout (lastcoolnameleft) wrote : Re: [Bug 1680523] Re: add-credential azure fails

Try again now. http://lastcoolnameleft.com/mini/azure.log
(might need a hard refresh of the page)

On Mon, Apr 10, 2017 at 10:45 PM Anastasia <email address hidden>
wrote:

> Removing Juju milestone to avoid confusion :D

Andrew Wilkins (axwalk) wrote : Re: add-credential azure fails

Thanks Tommy. I've not made any progress on this so far. We're in contact with Azure AD people, trying to sort this and other issues out now. I'll report back as soon as I know what the issue is.

In the meantime, there is a workaround: create your own application/service principal. There are instructions on doing this at https://jujucharms.com/docs/2.1/help-azure#manually-adding-credentials

Changed in juju:
status: Incomplete → Triaged
Andrew Wilkins (axwalk) wrote :

I have a code change in progress that should fix this.

Changed in juju:
status: Triaged → In Progress
assignee: nobody → Andrew Wilkins (axwalk)
milestone: none → 2.2-beta3
Andrew Wilkins (axwalk) wrote :
Andrew Wilkins (axwalk)
Changed in juju:
status: In Progress → Fix Committed
Tommy Falgout (lastcoolnameleft) wrote :

Andrew,

Thanks for your help on this. What's the recommended approach for me to test this fix? Looking at the juju README, it shows how to build on the master branch; however, I'm not familiar enough with Go to pull from a specific branch.

Andrew Wilkins (axwalk) wrote :

My change has landed on the "develop" branch, which is the main branch we all work off. We're expecting to release 2.2-beta3 in the next couple of days, so you can either wait for that, or follow the instructions below to build:

1. install go 1.8. I use the snap package: "sudo snap install go --classic --channel=1.8"
2. install gcc (for some pesky cgo dependencies that I'd like to get rid of...)
3. go get github.com/rogpeppe/godeps
4. go get -d github.com/juju/juju
5. cd ~/go/src/github.com/juju/juju
6. git checkout develop
7. ~/go/bin/godeps -u dependencies.tsv
8. go install github.com/juju/juju/cmd/juju

You should now have the "juju" client binary in ~/go/bin, which is enough to run "juju add-credential". If you also want to bootstrap with the develop branch, you should also "go install github.com/juju/juju/cmd/jujud".

Tommy Falgout (lastcoolnameleft) wrote : Re: [Bug 1680523] Re: add-credential azure fails

Andrew,

I just followed the instructions you provided and got further (I think),
but hit a different error. Details below.

For the logs, you can go to: http://lastcoolnameleft.com/mini/azure.log

➜ juju git:(develop) juju add-credential --logging-config '<root>=TRACE'
--log-file=/tmp/azure.log azure
Enter credential name: test

A credential with that name already exists.
Replace the existing credential? (y/N): y

Auth Types
  interactive
  service-principal-secret

Select auth type [interactive]:

Enter subscription-id:{{sub-id}}

Initiating interactive authentication.

To sign in, use a web browser to open the page https://aka.ms/devicelogin
and enter the code {{code}} to authenticate.

Authenticated as "Tommy Falgout".
Creating/updating service principal.
ERROR finalizing credential: ad.ServicePrincipalsClient#Create: Failure
responding to request: StatusCode=0 -- Original Error: autorest/azure:
Service returned an error. Status=404 Code="Request_ResourceNotFound"
Message=""

On Tue, Apr 25, 2017 at 9:25 PM Andrew Wilkins <email address hidden>
wrote:

> My change has landed on the "develop" branch, which is the main branch
> we all work off. We're expecting to release 2.2-beta3 in the next couple
> of days, so you can either wait for that, or follow the instructions
> below to build:
>
> 1. install go 1.8. I use the snap package: "sudo snap install go --classic
> --channel=1.8"
> 2. install gcc (for some pesky cgo dependencies that I'd like to get rid
> of...)
> 3. go get github.com/rogpeppe/godeps
> 4. go get -d github.com/juju/juju
> 5. cd ~/go/src/github.com/juju/juju
> 6. git checkout develop
> 7. ~/go/bin/godeps -u dependencies.tsv
> 8. go install github.com/juju/juju/cmd/juju
>
> You should now have the "juju" client binary in ~/go/bin, which is
> enough to run "juju add-credential". If you also want to bootstrap with
> the develop branch, you should also "go install
> github.com/juju/juju/cmd/jujud".

Tommy Falgout (lastcoolnameleft) wrote :

I also tried using an SP and got a different error:

Those logs are at: http://www.lastcoolnameleft.com/mini/azure-sp.log

➜ juju git:(develop) juju add-credential --logging-config '<root>=TRACE'
--log-file=/tmp/azure-sp.log azure
Enter credential name: test

A credential with that name already exists.
Replace the existing credential? (y/N): y

Auth Types
  interactive
  service-principal-secret

Select auth type [interactive]: service-principal-secret

Enter application-id: {{app-id}}

Enter subscription-id: {{sub-id}}

Enter application-password:

Credentials added for cloud azure.

➜ juju git:(develop) cat /tmp/azure-sp.log
22:16:09 INFO juju.cmd supercommand.go:63 running juju [2.2-beta3 gc
go1.8.1]
22:16:09 DEBUG juju.cmd supercommand.go:64 args: []string{"juju",
"add-credential", "--logging-config", "<root>=TRACE",
"--log-file=/tmp/azure-sp.log", "azure"}
22:16:35 INFO cmd supercommand.go:465 command finished
➜ juju git:(develop) juju bootstrap --logging-config '<root>=TRACE'
--log-file=/tmp/azure-sp.log azure
Creating Juju controller "azure-centralus" on azure/centralus
Looking for packaged Juju agent version 2.2-beta3 for amd64
No packaged binary found, preparing local Juju agent binary
ERROR failed to bootstrap model: Juju cannot bootstrap because no agent
binaries are available for your model.
You may want to use the 'agent-metadata-url' configuration setting to
specify the binaries' location.

Andrew Wilkins (axwalk) wrote : Re: add-credential azure fails

Re comment #17:

"""
Authenticated as "Tommy Falgout".
Creating/updating service principal.
ERROR finalizing credential: ad.ServicePrincipalsClient#Create: Failure
responding to request: StatusCode=0 -- Original Error: autorest/azure:
Service returned an error. Status=404 Code="Request_ResourceNotFound"
Message=""
"""

This output indicates that things are getting significantly further along. Authentication worked (hooray!), but creating the service principal failed because, presumably, the application could not be found. I *think* this is a timing thing. I could be wrong, but I think Azure creates the application object in your AD instance in response to you authenticating and approving the permissions. That's happening asynchronously, though, and isn't complete by the time we go to create the service principal. If you try again, you may find that it works. If it doesn't, can you please supply a new log for "juju add-credential"?

Re comment #18:

The issue here is that you're using a pre-release binary, and there are no agents uploaded to streams.canonical.com yet. If you were to try this out on a Linux machine, the jujud binary would be used for the controller; but since you're on macOS, that won't work.

The manual service principal approach should work with released versions, so you could just try with the released beta2 client.

David Justice (devigned) wrote :

@axwalk, I think your intuition regarding async application creation and service principal creation is correct. In Azure CLI we do a bit of retrying to ensure creation of the service principal [0].

I've created an issue in the Azure SDK for Go to encapsulate that logic so it's not left as an exercise to the reader [1].

[0]: https://github.com/Azure/azure-cli/blob/master/src/command_modules/azure-cli-role/azure/cli/command_modules/role/custom.py#L500-L632

[1]: https://github.com/Azure/azure-sdk-for-go/issues/596
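
The retry discussed in the two comments above, as an added example that is neither Juju's nor the Azure CLI's code: it retries only the 404 `Request_ResourceNotFound` seen while the application object is still propagating, stops at once on any other error, and enforces a time budget. `GraphError`, `RetryPolicy`, `CreateWithRetry` and the simulated directory are hypothetical names, the doubling delay is a choice made here, and the 403 code used in the test is a constructed sample.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// GraphError is a hypothetical stand-in for the directory API error; its
// fields mirror the Status= and Code= parts of the message in the thread.
type GraphError struct {
	Status int
	Code   string
}

func (e *GraphError) Error() string {
	return fmt.Sprintf("Status=%d Code=%q", e.Status, e.Code)
}

// notYetVisible reports whether err is the 404 returned while the
// application object is still propagating. Nothing else is worth waiting for.
func notYetVisible(err error) bool {
	var ge *GraphError
	return errors.As(err, &ge) && ge.Status == 404 && ge.Code == "Request_ResourceNotFound"
}

// ErrMaxDuration marks a retry loop that ran out of time.
var ErrMaxDuration = errors.New("max duration exceeded")

// Clock lets the simulation advance time without really sleeping.
type Clock interface {
	Now() time.Time
	Sleep(time.Duration)
}

type fakeClock struct{ now time.Time }

func (c *fakeClock) Now() time.Time        { return c.now }
func (c *fakeClock) Sleep(d time.Duration) { c.now = c.now.Add(d) }

// RetryPolicy: Delay doubles after each attempt up to MaxDelay; the loop
// gives up once the next sleep would pass MaxDuration.
type RetryPolicy struct {
	Delay, MaxDelay, MaxDuration time.Duration
}

// CreateWithRetry calls create until it succeeds, fails with a
// non-retryable error, or the time budget is spent.
func CreateWithRetry(create func() error, p RetryPolicy, clk Clock) (attempts int, err error) {
	start, delay := clk.Now(), p.Delay
	for {
		attempts++
		if err = create(); err == nil || !notYetVisible(err) {
			return attempts, err // success, or an error waiting cannot fix
		}
		if clk.Now().Sub(start)+delay > p.MaxDuration {
			return attempts, fmt.Errorf("%w: %v", ErrMaxDuration, err)
		}
		clk.Sleep(delay)
		if delay *= 2; delay > p.MaxDelay {
			delay = p.MaxDelay
		}
	}
}

// Simulate models a directory in which the application object becomes
// visible visibleAfter the consent step (constructed behaviour).
func Simulate(visibleAfter, maxDuration time.Duration) (int, error) {
	clk := &fakeClock{now: time.Unix(0, 0)}
	visibleAt := clk.Now().Add(visibleAfter)
	create := func() error {
		if clk.Now().Before(visibleAt) {
			return &GraphError{Status: 404, Code: "Request_ResourceNotFound"}
		}
		return nil
	}
	p := RetryPolicy{Delay: 5 * time.Second, MaxDelay: 30 * time.Second, MaxDuration: maxDuration}
	return CreateWithRetry(create, p, clk)
}

func main() {
	n, err := Simulate(30*time.Second, time.Minute) // object appears in time
	fmt.Println(n, err)
	n, err = Simulate(10*time.Minute, 5*time.Minute) // object never appears in the window
	fmt.Println(n, err)
}
```

The second run shows why a longer budget alone changes nothing when the object never becomes visible: the loop ends with the same 404 wrapped in "max duration exceeded".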

Andrew Wilkins (axwalk) wrote :
Andrew Wilkins (axwalk) wrote :

Tommy, I neglected to ask you before: my PR (mentioned in comment #21) has landed. Would you mind seeing if this resolves the issues you have seen with interactive add-credential?

I've not been able to reproduce the error myself, but this PR makes Juju follow what is done in the Azure CLI.

Tommy Falgout (lastcoolnameleft) wrote :

Andrew,

You mentioned that PR#21 has landed; however, it doesn't appear that Juju 2.2 is available yet. So, I've got a few questions:
Did you want me to test and build off of the master branch?
Do you want me to test via SP or the interactive CLI?
Did you want me to test on OSX or Linux?

When I tried building off of the master branch on OSX, I encountered the async app object issue you mentioned, and it sounds like that won't be resolved, unless I build from source and test on Linux. Is that accurate?

Andrew Wilkins (axwalk) wrote :

> Did you want me to test and build off of the master branch?

Off the "develop" branch please.

> Do you want me to test via SP or the interactive CLI?

Interactive CLI (i.e. juju add-credential, select "interactive")

> Did you want me to test on OSX or Linux?

Either will do for add-credential. It's just that you won't be able to bootstrap when building from source on OS X. (You can, but it's not straightforward, and isn't needed to test this bug fix anyway.)

> When I tried building off of the master branch on OSX, I encountered the async app object issue you mentioned, and it sounds like that won't be resolved, unless I build from source and test on Linux. Is that accurate?

Just to be clear, there's a new PR that has landed since comment #17, that should fix the async issue. i.e. it should resolve the issue that led to the error message

    ERROR finalizing credential: ad.ServicePrincipalsClient#Create: Failure
    responding to request: StatusCode=0 -- Original Error: autorest/azure:
    Service returned an error. Status=404 Code="Request_ResourceNotFound"
    Message=""

As above, the OS shouldn't matter.

Thanks in advance!

Tommy Falgout (lastcoolnameleft) wrote : Re: [Bug 1680523] Re: add-credential azure fails

Andrew,

Here's the error I'm currently receiving:

➜ juju git:(develop) juju add-credential --logging-config '<root>=TRACE'
--log-file=/tmp/azure-sp.log azure
Enter credential name: test

A credential with that name already exists.
Replace the existing credential? (y/N): y

Auth Types
  interactive
  service-principal-secret

Select auth type [interactive]:

Enter subscription-id: df8428d4-bc25-4601-b458-1c8533ceec0b

Initiating interactive authentication.

To sign in, use a web browser to open the page https://aka.ms/devicelogin
and enter the code BR7E33R4Y to authenticate.

Authenticated as "Tommy Falgout".
Creating/updating service principal.
ERROR finalizing credential: creating service principal: max duration
exceeded: ad.ServicePrincipalsClient#Create: Failure responding to request:
StatusCode=0 -- Original Error: autorest/azure: Service returned an error.
Status=404 Code="Request_ResourceNotFound" Message="Resource
'ServicePrincipal_5741d8b8-922e-496e-83a5-75cca9ae590d' does not exist or
one of its queried reference-property objects are not present."

I've pushed the logs here:
http://lastcoolnameleft.com/mini/azure.log

Perhaps increasing the timeout? Is there something I can do to increase
that myself to test?

On Fri, May 5, 2017 at 3:16 AM Andrew Wilkins <email address hidden>
wrote:

> Tommy, I neglected to ask you before: my PR (mentioned in comment #21)
> has landed. Would you mind seeing if this resolves the issues you have
> seen with interactive add-credential?
>
> I've not been able to reproduce the error myself, but this PR makes Juju
> follow what is done in the Azure CLI.

Andrew Wilkins (axwalk) wrote : Re: add-credential azure fails

Tommy, the log says 26 Apr. Looks like it didn't get updated.

It wouldn't hurt to try updating the timeout. The line is https://github.com/juju/juju/blob/develop/provider/azure/internal/azureauth/interactive.go#L245. Please try changing that to `5 * time.Minute`, and see if that helps.

Tommy Falgout (lastcoolnameleft) wrote : Re: [Bug 1680523] Re: add-credential azure fails

I made the change, re-ran "go install github.com/juju/juju/cmd/juju" and
still experienced the same issue:

Logs at: http://lastcoolnameleft.com/mini/azure.log (for real this time.
Sorry about that earlier mishap)

➜ juju git:(develop) ✗ git diff
diff --git a/provider/azure/internal/azureauth/interactive.go
b/provider/azure/internal/azureauth/interactive.go
index ea9dae428c..39e8bd9d05 100644
--- a/provider/azure/internal/azureauth/interactive.go
+++ b/provider/azure/internal/azureauth/interactive.go
@@ -242,7 +242,7 @@ func createOrUpdateServicePrincipal(
                },
                Clock: clock,
                Delay: 5 * time.Second,
- MaxDuration: time.Minute,
+ MaxDuration: 5 * time.Minute,
        }
        if err := retry.Call(retryArgs); err != nil {
                if !isMultipleObjectsWithSameKeyValueErr(err) {
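
Review bot: On the MaxDuration line, the bound goes from time.Minute to 5 * time.Minute while Delay stays a fixed 5 * time.Second, so a run that keeps failing now makes roughly sixty identical calls and the user waits five minutes before seeing the same error. If the longer window is kept, pair it with a growing delay and a progress message, and give the duration a named constant with a comment saying what propagation delay it is meant to cover. The branch after retry.Call only special-cases isMultipleObjectsWithSameKeyValueErr, so it is also worth confirming that the retry predicate (not visible in this hunk) stops immediately on errors that waiting cannot fix.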

➜ juju git:(develop) ✗ juju add-credential --logging-config '<root>=TRACE'
--log-file=/tmp/azure.log azure

Enter credential name: test

A credential with that name already exists.
Replace the existing credential? (y/N): y

Auth Types
  interactive
  service-principal-secret

Select auth type [interactive]:

Enter subscription-id:

Initiating interactive authentication.

To sign in, use a web browser to open the page https://aka.ms/devicelogin
and enter the code BEFZ8TGE6 to authenticate.

Authenticated as "Tommy Falgout".
Creating/updating service principal.
ERROR finalizing credential: creating service principal: max duration
exceeded: ad.ServicePrincipalsClient#Create: Failure responding to request:
StatusCode=0 -- Original Error: autorest/azure: Service returned an error.
Status=404 Code="Request_ResourceNotFound" Message="Resource
'ServicePrincipal_4588da91-7a39-4832-8f01-bf8c8fb26bc8' does not exist or
one of its queried reference-property objects are not present."

On Sun, May 7, 2017 at 11:11 PM Andrew Wilkins <email address hidden>
wrote:

> Tommy, the log says 26 Apr. Looks like it didn't get updated.
>
> It wouldn't hurt to try updating the timeout. The line is
>
> https://github.com/juju/juju/blob/develop/provider/azure/internal/azureauth/interactive.go#L245
> .
> Please try changing that to `5 * time.Minute`, and see if that helps.

Revision history for this message
Andrew Wilkins (axwalk) wrote : Re: add-credential azure fails

Thanks Tommy. I'll see if I can get some more help from the Azure devs, because it's not clear what we're doing wrong now.

Revision history for this message
Ali Kheyrollahi (aliostad) wrote :

Hi, any movement on this? I am getting the same error:

~ ❯❯❯ juju add-credential azure ⏎
Enter credential name: asos

Auth Types
  interactive
  service-principal-secret

Select auth type [interactive]:

Enter subscription-id (optional):

Initiating interactive authentication.

To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code DS939T485 to authenticate.

Authenticated as "Ali Kheyrollahi".
ERROR finalizing credential: creating service principal: max duration exceeded: ad.ServicePrincipalsClient#Create: Failure responding to request: StatusCode=0 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="Request_ResourceNotFound" Message="Resource 'ServicePrincipal_80c37f1d-6063-400d-bc47-7a05b653eb32' does not exist or one of its queried reference-property objects are not present."

Andrew Wilkins (axwalk)
Changed in juju:
status: Fix Committed → Triaged
milestone: 2.2-beta3 → none
assignee: Andrew Wilkins (axwalk) → nobody
Revision history for this message
Andrew Wilkins (axwalk) wrote :

Hi Ali,

We're yet to get to the bottom of that error. Please use the "service-principal-secret" auth type for now. You can create a service principal using the "az" command like so:

$ az ad sp create-for-rbac -n "http://jujucharms.com" --role Owner

Then use "juju add-credential azure", and select "service-principal-secret", entering the appId and password output from the command above. The subscription ID comes from "az account show".
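
The workaround described above, scripted as an added example (not Juju's or the commenter's own code): it captures the appId and password from the same az commands, validates them, and writes a Juju credentials file with owner-only permissions for `juju add-credential azure -f`. The function names, the output path and the `--run` switch are assumptions of this example; the YAML keys are the Azure provider's service-principal-secret attributes.

```shell
#!/bin/sh
# Added example: script the service-principal-secret workaround. Names here are hypothetical.

is_guid() {
    # Azure application and subscription IDs are GUIDs (8-4-4-4-12 hex digits).
    printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

render_credential() {
    # usage: render_credential NAME APP_ID PASSWORD SUBSCRIPTION_ID
    name=$1 app_id=$2 password=$3 sub_id=$4
    is_guid "$app_id" || { echo "appId is not a GUID" >&2; return 1; }
    is_guid "$sub_id" || { echo "subscription id is not a GUID" >&2; return 1; }
    [ -n "$password" ] || { echo "empty password" >&2; return 1; }
    # Single-quote the secret for YAML; a literal ' inside it is doubled.
    quoted=$(printf '%s' "$password" | sed "s/'/''/g")
    cat <<EOF
credentials:
  azure:
    $name:
      auth-type: service-principal-secret
      application-id: $app_id
      application-password: '$quoted'
      subscription-id: $sub_id
EOF
}

write_credential_file() {
    # usage: write_credential_file PATH NAME APP_ID PASSWORD SUBSCRIPTION_ID
    out=$1; shift
    content=$(render_credential "$@") || return 1
    ( umask 077; printf '%s\n' "$content" > "$out" )   # owner-only: the file holds a secret
}

main() {
    # az commands as given in the comment above; --query/-o tsv yield plain values.
    sp=$(az ad sp create-for-rbac -n "http://jujucharms.com" --role Owner \
            --query '[appId, password]' -o tsv) || return 1
    sub_id=$(az account show --query id -o tsv) || return 1
    app_id=$(printf '%s\n' "$sp" | tr '\t' '\n' | sed -n 1p)
    password=$(printf '%s\n' "$sp" | tr '\t' '\n' | sed -n 2p)
    write_credential_file "$1" "$2" "$app_id" "$password" "$sub_id" &&
        juju add-credential azure -f "$1"
}

if [ "${1:-}" = "--run" ]; then main "${2:?output path}" "${3:?credential name}"; fi
```

Run it as `sh script.sh --run ./azure-cred.yaml mycred` after `az login`, and delete the file once the credential has been added.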

tags: added: azure-provider credentials
Revision history for this message
Anastasia (anastasia-macmood) wrote :

Having spent some time in the credential validation area, I am starting to wonder if this is because we need to have a particular region (not just the azure default).

At the moment, Juju azure default is 'centralus'. Each individual juju client can change that using 'set-default-region' command. Doing this will force Juju to validate any credentials added via 'add-credential' against that region.

But I think we should also add region as an option to 'add-credential' command.

Changed in juju:
assignee: nobody → Tim McNamara (tim-clicks)
summary: - add-credential azure fails
+ add-credential azure fails when using the interactive auth type
Revision history for this message
Tim McNamara (tim-clicks) wrote :

As of 2019-07, this looks to be resolved. It's still possible to run into hiccups, but it works when one avoids edge cases.

[Without logging in to the azure CLI]

$ juju add-credential azure
Enter credential name: az-test

Auth Types
  interactive
  service-principal-secret

Select auth type [interactive]:

Enter subscription-id: ed185b28-....-....-....-........bfc3

Initiating interactive authentication.

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code HD3S77LNH to authenticate.

Authenticated as "c64de0e0-....-....-....-9f05be734b4c 33a8a870-....-....-....-71642935532b".
ERROR finalizing credential: service principal not found

[After logging in with `az login`]

$ juju add-credential azure
Enter credential name: az-test2

Auth Types
  interactive
  service-principal-secret

Select auth type [interactive]:

Enter subscription-id (optional): ed185b28-....-....-....-........bfc3

Initiating interactive authentication.

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code H3QPPZVX6 to authenticate.

Authenticated as "c64de0e0-....-....-....-9f05be734b4c 33a8a870-....-....-....-71642935532b".
Credential "az-test2" added locally for cloud "azure".

Changed in juju:
status: Triaged → Fix Released
Revision history for this message
Amos Gut (amosgu) wrote :

Hi, I'm still having issues with the new release 2.6.5.
ERROR finalizing credential: service principal not found
when using interactive authentication.

Logged in on the az CLI side.

How to avoid edge cases? Or how can I bring logs that will help?
