Login with WAM + no more silent authentication failures cause Terraform errors

[SvenAelterman]

Describe the bug

The new WAM-based login (possibly combined with the now no longer silent authentication failures) seems to cause issues with Terraform.

When running a Terraform plan, the output is like the error below (just a snip of much more of this).

When reverting back to the non-WAM login broker, as documented at https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-interactively#sign-in-with-web-account-manager-wam-on-windows, everything works as before.

Also, when using az login --use-device-code, everything works like before.

Related command

terraform plan

Errors

│ Error: building account: could not acquire access token to parse claims: running Azure CLI: exit status 1: ERROR: (pii). Status: Response_Status.Status_InteractionRequired, Error code: 3399548929, Tag: 558133255
│ Please explicitly log in with:
│ az login --scope https://graph.microsoft.com/.default
│
│ with provider["registry.terraform.io/hashicorp/azurerm"].management,
│ on terraform.tf line 27, in provider "azurerm":
│ 27: provider "azurerm" {

Issue script & Debug output

N/A

Expected behavior

Previous behavior

Environment Summary

azure-cli 2.62.0

core 2.62.0
telemetry 1.1.0

Extensions:
azure-firewall 1.0.1

Dependencies:
msal 1.28.1
azure-mgmt-resource 23.1.1

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\svaelter.azure\cliextensions'

Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb 6 2024, 22:03:32) [MSC v.1937 64 bit (AMD64)]

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[jiasli]

To help us understand what is going on, could you give more information "no longer silent authentication failures"? What is the failure message? How to reproduce this failure?

[SvenAelterman]

To help us understand what is going on, could you give more information "no longer silent authentication failures"? What is the failure message? How to reproduce this failure?

The failure message is included under the Errors heading in the issue.

To replicate:

1. Clear the az account information
2. Sign in again (using WAM, with at least AZ CLI v 2.61).
3. Run terraform plan.

[jiasli]

Sign in again (using WAM, with at least AZ CLI v 2.61).

What is the command you used?

Have you tried running az login --scope https://graph.microsoft.com/.default as the error message instructed?

[SvenAelterman]

What is the command you used?

Simple az login, as before 2.61+.

Running the login command with a particular scope doesn't solve the issue, as then there's a next scope that needs to be included, and the next one. Eventually you get them all, of course, and then you can deploy TF successfully.

Are you suggesting that in addition to the other changes in 2.61 (which I thought were the root cause of the issue), the login process is different in that it now requires specifying any scope you want to use?

If so, what does az login --use-device-code do differently (as it still works)? Why does reverting to the old login method (not using WAM) still work?

Edit: I think the major difference might be found in the release note that states that silent authentication failures are no longer silent. The error message would seem to point at that. I am not sure why turning off WAM solves it, of course, as I haven't looked at the underlying mechanisms that would be different.

[SvenAelterman]

@jiasli Any thoughts? Thanks!

[jstanesic]

Try specifying the tenant id to the az login commmand by adding --tenant TENANT_ID. I had a similiar issue.