Skip to content

AZCOPY_AUTO_LOGIN_TYPE="AZCLI" breaks after 5m of inactivity #30877

New issue
New issue
Closed
Closed
AZCOPY_AUTO_LOGIN_TYPE="AZCLI" breaks after 5m of inactivity#30877
Assignees
jiasli
Labels
Accountaz login/accountAuto-AssignAuto assign by botAuto-ResolveAuto resolve by botAzure CLI TeamThe command of the issue is owned by Azure CLI teamOKR CandidateThis label is used to track how many GitHub issues we have resolved for OKR purpose.customer-reportedIssues that are reported by GitHub users external to the Azure organization.questionThe issue doesn't require a change to the product in order to be resolved. Most issues start as that
Milestone
Backlog
@hoppeeri

Description

@hoppeeri
hoppeeri
opened on Feb 24, 2025

Describe the bug

We use azcopy with az cli login in a GitHub.
This works without issues in a workflow like this:

steps:
  - name: login
    uses: azure/login@v2
    with:
      tenant-id: ${{ env.ARM_TENANT_ID }}
      subscription-id: ${{ env.ARM_SUBSCRIPTION_ID}}
      client-id: ${{ env.ARM_CLIENT_ID }}

  - name: copy
    env:
      AZCOPY_TENANT_ID: ${{ env.ARM_TENANT_ID }}
      AZCOPY_AUTO_LOGIN_TYPE: AZCLI
    run: |
      azcopy copy /etc/os-release "https://mysa.blob.core.windows.net/test.txt"

Waiting after az login:

steps:
  - name: login
    uses: azure/login@v2
    with:
      tenant-id: ${{ env.ARM_TENANT_ID }}
      subscription-id: ${{ env.ARM_SUBSCRIPTION_ID}}
      client-id: ${{ env.ARM_CLIENT_ID }}

  - name: copy
    env:
      AZCOPY_TENANT_ID: ${{ env.ARM_TENANT_ID }}
      AZCOPY_AUTO_LOGIN_TYPE: AZCLI
    run: |
      sleep 600
      azcopy copy /etc/os-release "https://mysa.blob.core.windows.net/test.txt"

will fail with the following error:

INFO: Scanning...

Failed to perform Auto-login: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2025-01-14T14:56:59.0917584Z, assertion valid from 2025-01-14T14:46:57.0000000Z, expiry time of assertion 2025-01-14T14:51:57.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 01234567-89ab-cdef-0123-456789abcdef Correlation ID: 01234567-89ab-cdef-0123-456789abcdef Timestamp: 2025-01-14 14:56:59Z
Interactive authentication is needed. Please run:
az login
.

which claims that a 5m session timeout exists and another azure login is required, which is not true as subsequent az cli commands will work just fine.

Issuing an azcopy command within this time frame allows subsequent azcopy commands to succeed, so the example below works:

steps:
  - name: login
    uses: azure/login@v2
    with:
      tenant-id: ${{ env.ARM_TENANT_ID }}
      subscription-id: ${{ env.ARM_SUBSCRIPTION_ID}}
      client-id: ${{ env.ARM_CLIENT_ID }}

  - name: copy
    env:
      AZCOPY_TENANT_ID: ${{ env.ARM_TENANT_ID }}
      AZCOPY_AUTO_LOGIN_TYPE: AZCLI
    run: |
      azcopy copy /etc/os-release "https://mysa.blob.core.windows.net/test.txt"
      sleep 3600
      azcopy copy /etc/os-release "https://mysa.blob.core.windows.net/test.txt"

Not sure if this is a bug in az cli or azcopy but the issue can be reproduced.

azcopy version 10.27.1
azure-cli 2.61.0

Related command

az login

Errors

INFO: Scanning...

Failed to perform Auto-login: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2025-01-14T14:56:59.0917584Z, assertion valid from 2025-01-14T14:46:57.0000000Z, expiry time of assertion 2025-01-14T14:51:57.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 01234567-89ab-cdef-0123-456789abcdef Correlation ID: 01234567-89ab-cdef-0123-456789abcdef Timestamp: 2025-01-14 14:56:59Z
Interactive authentication is needed. Please run:
az login
.

Issue script & Debug output

INFO: Scanning...

Failed to perform Auto-login: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2025-01-14T14:56:59.0917584Z, assertion valid from 2025-01-14T14:46:57.0000000Z, expiry time of assertion 2025-01-14T14:51:57.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 01234567-89ab-cdef-0123-456789abcdef Correlation ID: 01234567-89ab-cdef-0123-456789abcdef Timestamp: 2025-01-14 14:56:59Z
Interactive authentication is needed. Please run:
az login
.

Expected behavior

Session does not time out? after 5m.

Environment Summary

azcopy version 10.27.1
azure-cli 2.61.0

Additional context

from
Azure/azure-storage-azcopy#2915

Metadata

Metadata

Assignees

Labels

Accountaz login/accountAuto-AssignAuto assign by botAuto-ResolveAuto resolve by botAzure CLI TeamThe command of the issue is owned by Azure CLI teamOKR CandidateThis label is used to track how many GitHub issues we have resolved for OKR purpose.customer-reportedIssues that are reported by GitHub users external to the Azure organization.questionThe issue doesn't require a change to the product in order to be resolved. Most issues start as that

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions