WARNING: No connection string, account key or sas token found

[Demeleo]

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug
I have old and new release pipelines failing on a Terraform CLI task for Command init.

deployment of state resources task YAML:

variables:
environment: 'test'

steps:

• task: AzureResourceGroupDeployment@2
  displayName: 'Release deployment state resources'
  inputs:
  azureSubscription: 'subscriptiondetials removed'
  resourceGroupName: '$(names.prefix)-$(names.project)-deploy-rg'
  location: '$(locations.primary)'
  csmFile: '$(System.DefaultWorkingDirectory)\Resources$(paths.targets.publish.resources)\storage_account.template.json'
  csmParametersFile: '$(System.DefaultWorkingDirectory)\Resources$(paths.targets.publish.resources)\storage_account.parameters.json'
  overrideParameters: '-storage_account_name "deploymentstate" -storage_account_location "$(locations.primary)" -storage_account_tag_department "$(tags.department)" -storage_account_tag_environment "$(environment)" -storage_account_tag_project "$(tags.project) Deployment" -storage_account_tag_owner "$(tags.owner)" -storage_account_tag_resource "Storage Account"'

Terraform initialise task YAML:

variables:
environment: 'test'

steps:

• task: charleszipp.azure-pipelines-tasks-terraform.azure-pipelines-tasks-terraform-cli.TerraformCLI@0
  displayName: 'Terraform : initialize'
  inputs:
  command: init
  workingDirectory: '$(System.DefaultWorkingDirectory)\Resources\publish\resources'
  backendType: azurerm
  backendServiceArm: 'subscription'
  ensureBackend: true
  backendAzureRmResourceGroupName: 'project-description-deploy-resource-group'
  backendAzureRmResourceGroupLocation: '$(locations.primary)'
  backendAzureRmStorageAccountName: 'deploystorageaccount'
  backendAzureRmContainerName: deploymentstate
  backendAzureRmKey: 'teststate'

here is the log for the failed task

2020-02-18T09:17:31.8884457Z ##[section]Starting: Terraform : initialize
2020-02-18T09:17:31.8972618Z ==============================================================================
2020-02-18T09:17:31.8972744Z Task : Terraform CLI
2020-02-18T09:17:31.8972798Z Description : Execute terraform cli commands
2020-02-18T09:17:31.8972868Z Version : 0.4.19
2020-02-18T09:17:31.8972914Z Author : Charles Zipp
2020-02-18T09:17:31.8972980Z Help :
2020-02-18T09:17:31.8973040Z ==============================================================================
2020-02-18T09:17:32.5471249Z [command]C:\hostedtoolcache\windows\terraform\0.12.20\x64\terraform.exe version
2020-02-18T09:17:33.1308681Z Terraform v0.12.20
2020-02-18T09:17:33.1529307Z [command]C:\windows\system32\cmd.exe /D /S /C ""C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" login --service-principal -t *** -u *** -p "
2020-02-18T09:18:02.1665395Z [
2020-02-18T09:18:02.1665916Z {
2020-02-18T09:18:02.1666106Z "cloudName": "AzureCloud",
2020-02-18T09:18:02.1666354Z "id": "removes id",
2020-02-18T09:18:02.1666541Z "isDefault": true,
2020-02-18T09:18:02.1666728Z "name": "removed subscribername",
2020-02-18T09:18:02.1666880Z "state": "Enabled",
2020-02-18T09:18:02.1667160Z "tenantId": "",
2020-02-18T09:18:02.1667321Z "user": {
2020-02-18T09:18:02.1667502Z "name": "***",
2020-02-18T09:18:02.1667659Z "type": "servicePrincipal"
2020-02-18T09:18:02.1667825Z }
2020-02-18T09:18:02.1667968Z }
2020-02-18T09:18:02.1668126Z ]
2020-02-18T09:18:02.1896913Z [command]C:\windows\system32\cmd.exe /D /S /C ""C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" account set -s **"
2020-02-18T09:18:03.5257527Z [command]C:\windows\system32\cmd.exe /D /S /C ""C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" group create --name -content-deploy-rg --location northeurope"
2020-02-18T09:18:06.1804023Z {
2020-02-18T09:18:06.1804643Z "id": "//resourceGroups/-content-deploy-rg",
2020-02-18T09:18:06.1804919Z "location": "northeurope",
2020-02-18T09:18:06.1805902Z "managedBy": null,
2020-02-18T09:18:06.1806101Z "name": "-content-deploy-rg",
2020-02-18T09:18:06.1806271Z "properties": {
2020-02-18T09:18:06.1806450Z "provisioningState": "Succeeded"
2020-02-18T09:18:06.1806613Z },
2020-02-18T09:18:06.1806787Z "tags": null,
2020-02-18T09:18:06.1806953Z "type": "Microsoft.Resources/resourceGroups"
2020-02-18T09:18:06.1807130Z }
2020-02-18T09:18:06.1994065Z [command]C:\windows\system32\cmd.exe /D /S /C ""C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" storage account show --name contentdeploysa --resource-group ****-****content-deploy-rg"
2020-02-18T09:18:09.6260977Z {
2020-02-18T09:18:09.6261175Z "accessTier": "Hot",
2020-02-18T09:18:09.6261243Z "azureFilesIdentityBasedAuthentication": null,
2020-02-18T09:18:09.6261331Z "creationTime": "2020-02-18T09:16:53.240309+00:00",
2020-02-18T09:18:09.6261431Z "customDomain": null,
2020-02-18T09:18:09.6261488Z "enableHttpsTrafficOnly": true,
2020-02-18T09:18:09.6261584Z "encryption": {
2020-02-18T09:18:09.6261643Z "keySource": "Microsoft.Storage",
2020-02-18T09:18:09.6261722Z "keyVaultProperties": null,
2020-02-18T09:18:09.6261784Z "services": {
2020-02-18T09:18:09.6261852Z "blob": {
2020-02-18T09:18:09.6261908Z "enabled": true,
2020-02-18T09:18:09.6261979Z "keyType": "Account",
2020-02-18T09:18:09.6262048Z "lastEnabledTime": "2020-02-18T09:16:53.318413+00:00"
2020-02-18T09:18:09.6262130Z },
2020-02-18T09:18:09.6262184Z "file": {
2020-02-18T09:18:09.6262240Z "enabled": true,
2020-02-18T09:18:09.6262311Z "keyType": "Account",
2020-02-18T09:18:09.6262380Z "lastEnabledTime": "2020-02-18T09:16:53.318413+00:00"
2020-02-18T09:18:09.6262459Z },
2020-02-18T09:18:09.6262512Z "queue": null,
2020-02-18T09:18:09.6264556Z "table": null
2020-02-18T09:18:09.6264611Z }
2020-02-18T09:18:09.6264677Z },
2020-02-18T09:18:09.6264746Z "failoverInProgress": null,
2020-02-18T09:18:09.6264821Z "geoReplicationStats": null,
2020-02-18T09:18:09.6265090Z "id": "/***8/resourceGroups/-****content-deploy-rg/providers/Microsoft.Storage/storageAccounts/",
2020-02-18T09:18:09.6265201Z "identity": null,
2020-02-18T09:18:09.6265258Z "isHnsEnabled": null,
2020-02-18T09:18:09.6265314Z "kind": "StorageV2",
2020-02-18T09:18:09.6265387Z "largeFileSharesState": null,
2020-02-18T09:18:09.6265449Z "lastGeoFailoverTime": null,
2020-02-18T09:18:09.6265523Z "location": "northeurope",
2020-02-18T09:18:09.6265585Z "name": "********contentdeploysa",
2020-02-18T09:18:09.6265668Z "networkRuleSet": {
2020-02-18T09:18:09.6265725Z "bypass": "AzureServices",
2020-02-18T09:18:09.6265799Z "defaultAction": "Allow",
2020-02-18T09:18:09.6265866Z "ipRules": [],
2020-02-18T09:18:09.6265936Z "virtualNetworkRules": []
2020-02-18T09:18:09.6266003Z },
2020-02-18T09:18:09.6266057Z "primaryEndpoints": {
2020-02-18T09:18:09.6266140Z "blob": "https://********contentdeploysa.blob.core.windows.net/",
2020-02-18T09:18:09.6266224Z "dfs": "https://********contentdeploysa.dfs.core.windows.net/",
2020-02-18T09:18:09.6266320Z "file": "https://********contentdeploysa.file.core.windows.net/",
2020-02-18T09:18:09.6266389Z "internetEndpoints": null,
2020-02-18T09:18:09.6266465Z "microsoftEndpoints": null,
2020-02-18T09:18:09.6266540Z "queue": "https://********contentdeploysa.queue.core.windows.net/",
2020-02-18T09:18:09.6266637Z "table": "https://********contentdeploysa.table.core.windows.net/",
2020-02-18T09:18:09.6266721Z "web": "https://********contentdeploysa.z16.web.core.windows.net/"
2020-02-18T09:18:09.6266800Z },
2020-02-18T09:18:09.6266857Z "primaryLocation": "northeurope",
2020-02-18T09:18:09.6266944Z "privateEndpointConnections": [],
2020-02-18T09:18:09.6267008Z "provisioningState": "Succeeded",
2020-02-18T09:18:09.6267230Z "resourceGroup": "-****content-deploy-rg",
2020-02-18T09:18:09.6267299Z "routingPreference": null,
2020-02-18T09:18:09.6267372Z "secondaryEndpoints": {
2020-02-18T09:18:09.6267447Z "blob": "https://********contentdeploysa-secondary.blob.core.windows.net/",
2020-02-18T09:18:09.6267538Z "dfs": "https://********contentdeploysa-secondary.dfs.core.windows.net/",
2020-02-18T09:18:09.6267623Z "file": null,
2020-02-18T09:18:09.6267679Z "internetEndpoints": null,
2020-02-18T09:18:09.6267755Z "microsoftEndpoints": null,
2020-02-18T09:18:09.6267835Z "queue": "https://********contentdeploysa-secondary.queue.core.windows.net/",
2020-02-18T09:18:09.6267939Z "table": "https://********contentdeploysa-secondary.table.core.windows.net/",
2020-02-18T09:18:09.6268029Z "web": "https://**contentdeploysa-secondary.z16.web.core.windows.net/"
2020-02-18T09:18:09.6268119Z },
2020-02-18T09:18:09.6268177Z "secondaryLocation": "westeurope",
2020-02-18T09:18:09.6268260Z "sku": {
2020-02-18T09:18:09.6268318Z "name": "Standard_RAGRS",
2020-02-18T09:18:09.6268393Z "tier": "Standard"
2020-02-18T09:18:09.6268448Z },
2020-02-18T09:18:09.6268517Z "statusOfPrimary": "available",
2020-02-18T09:18:09.6268582Z "statusOfSecondary": "available",
2020-02-18T09:18:09.6268644Z "tags": {
2020-02-18T09:18:09.6268713Z "Department": "Umkhosi",
2020-02-18T09:18:09.6268774Z "Environment": "test",
2020-02-18T09:18:09.6268845Z "Owner": "",
2020-02-18T09:18:09.6268909Z "Project": "****content Deployment",
2020-02-18T09:18:09.6268989Z "Resource": "Storage Account"
2020-02-18T09:18:09.6269048Z },
2020-02-18T09:18:09.6269119Z "type": "Microsoft.Storage/storageAccounts"
2020-02-18T09:18:09.6269181Z }
2020-02-18T09:18:09.6433516Z [command]C:\windows\system32\cmd.exe /D /S /C ""C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" storage container create --name contentapideploymentstate --account-name ********contentdeploysa"
2020-02-18T09:18:12.5041524Z {
2020-02-18T09:18:12.5042073Z "created": true
2020-02-18T09:18:12.5042261Z }
2020-02-18T09:18:12.5043052Z WARNING: No connection string, account key or sas token found, we will query account keys for your storage account. Please try to use --auth-mode login or provide one of the following parameters: connection string, account key or sas token for your storage account.
2020-02-18T09:18:12.5113066Z ##[error]Error: WARNING: No connection string, account key or sas token found, we will query account keys for your storage account. Please try to use --auth-mode login or provide one of the following parameters: connection string, account key or sas token for your storage account.

2020-02-18T09:18:12.8541515Z ##[section]Finishing: Terraform : initialize

To Reproduce
Create terraform release pipeline. after a task to deploy state resource follow procedure to create normal terraform release pipeline

Expected behavior
Expect terraform to create all resources in Azure

Environment summary
Create terraform release pipeline. after a task to deploy state resource follow procedure to create normal terraform release pipeline. YAML files show above

Additional context
can this be related to this #12193 ?

[honeykatrina]

I have the same error today. The last successful deployment was on Friday 14/02/2020, and today it failed with an error message:

[command]C:\windows\system32\cmd.exe /D /S /C ""C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" storage container create --name *** --account-name ***"
WARNING: No connection string, account key or sas token found, we will query account keys for your storage account. Please try to use --auth-mode login or provide one of the following parameters: connection string, account key or sas token for your storage account.

Update: a workaround found by jason-johnson/azure-pipelines-tasks-terraform#106 (comment)

[Juliehzl]

Hi @Demeleo and @honeykatrina, the warning information is by design, because the credentials for such command should be provided by users. Although CLI can query the credentials for users but when there are very large calls it will break storage resource provider. In this way, we show up such kind of warning message and will make credentials required in the future.

To solve your problem, you need to provide one of the following credentials for such command: account key, sas token, connetion-string or auth-mode.
For more information, you can take a look at https://github.com/Juliehzl/azure-cli/blob/user/doc/use_cli_effectively.md#using-storage-commands.

For example,
C:\windows\system32\cmd.exe /D /S /C ""C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" storage container create --name *** --account-name *** --account-key ***
If the storage account is widely used in your task, you can store your credentials in environment variables and don't need to provide it in your command.

[honeykatrina]

The Terraform CLI task in Azure DevOps pipelines that we are using doesn't propose to specify any credentials except a key. So it is not possible to pass sas token, connetion-string or auth-mode that causes the pipeline to fail.

[charleszipp]

I do not think this is an issue with the Azure CLI necessarily but, more how the TerraformCLI task interprets failure. The azure cli writes warnings to stderr but still returns exit code 0. The task interprets the existence of text in std err as a failure regardless of the exit code. This will be resolved in the task itself by factoring in the exit code returned by the azure cli to determine if the command was successful or not.

If its by design that warnings are represented in stderr while maintaining zero exit code, then i think this can be closed.

[charleszipp]

FYI, the TerraformCLI extension will no longer fail under the condition above as of 0.4.21.

[Juliehzl]

The Terraform CLI task in Azure DevOps pipelines that we are using doesn't propose to specify any credentials except a key. So it is not possible to pass sas token, connetion-string or auth-mode that causes the pipeline to fail.

In this way, you can use account key in your commands. Please let me know if your problem can be solved with account key provided.

[ghost]

Please don't write warnings to stderr (at least unless that's in a major version increment as it should be considered a breaking change).

stderr should just be for errors :)

[aswini1988]

I have an Azure CLI task used to generate the SAS token and in subsequent steps using the SAS token, I used to access my private storage accounts. Now, this warning message is breaking my Azure CLI task.

[robdmoore]

If you pass --auth-mode key it still presents this warning (WARNING: No connection string, account key or sas token found, we will query account keys for your storage account. Please try to use --auth-mode login or provide one of the following parameters: connection string, account key or sas token for your storage account.). I feel like the warning shouldn't show if that is passed in given you are expressly asking for that mode of operation?

[Juliehzl]

If you pass --auth-mode key it still presents this warning (WARNING: No connection string, account key or sas token found, we will query account keys for your storage account. Please try to use --auth-mode login or provide one of the following parameters: connection string, account key or sas token for your storage account.). I feel like the warning shouldn't show if that is passed in given you are expressly asking for that mode of operation?

Please provide your account key or use --auth-mode login if you have required roles for the storage account. One of the following roles are required for --auth-mode login:

    "Storage Blob Data Contributor"
    "Storage Blob Data Reader"
    "Storage Queue Data Contributor"
    "Storage Queue Data Reader"

[robdmoore]

Hi @Juliehzl,

I guess my point is that the --auth-mode key option is designed for the existing behaviour. From the docs: The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided.

You commented above with this:

... the warning information is by design, because the credentials for such command should be provided by users. Although CLI can query the credentials for users but when there are very large calls it will break storage resource provider. In this way, we show up such kind of warning message and will make credentials required in the future.

But, that's not what the warning says (that --auth-mode key will be deprecated in the future) so it's confusing. Furthermore, the documentation doesn't indicate that --auth-mode key will be deprecated.

I deliberately didn't want to add an account key in this instance because I'm using it in a script to teach people how to use the Azure CLI so I'm trying to keep things simple and not introduce more concepts than needed.

If I use --auth-mode login I actually get an error when trying to access the blob storage because the user doesn't have access, even though it's a subscription admin. Although on reflection, maybe that's because it's a co-admin rather than assigned as an admin using IAM, hmmm. Either way, in my opinion, the current warning shouldn't show when you add --auth-mode key, or possibly a different warning should show indicating that option will be deprecated in the future (if it is indeed slated for that).

[Juliehzl]

@robdmoore You're definitely right!!
--auth-mode key is a legacy authentication, which will query keys for users. Your suggestion is very good to us, and I will refine the warning message according to your suggestion.

For --auth-mode login, what you need is storage related RBAC roles, which will control some data related permissions. For more information you can refer to https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-portal#rbac-roles-for-blobs-and-queues.

There are two ways in discussion for your scenario:

1. Provide a way to users to get the required RBAC roles in azure cli.
2. CLI will require the roles for users if you are the admin or owner of the storage account.

[robdmoore]

Awesome! Thanks. That sounds great.

[mcalnd70]

Getting the same busted message and its nothing to do with Terraform. Its an Azure CLI task running Azure CLI commands in a Powershell script...using the vmimage 'windows-latest' from Microsoft Hosted Agents....

            - task: AzureCLI@2
              displayName: 'Azure CLI : Provision Storage Account'
              inputs:
                azureSubscription: 'MyAzureServiceConnection'
                scriptType: ps
                scriptPath: '$(System.ArtifactsDirectory)/AZDO_Pipeline_Scripts/scripts/AzureCLI/StorageAccount/Provision_StorageAccount_Env.ps1'
                arguments: '-saname $(azsaname1) -resourcegroup $(azresourcegroup1) -location $(azlocation) -sku $(azsasku1)'

Returns back with...

az : No connection string, account key or sas token found, we will query account keys for your storage account. Please 
try to use --auth-mode login or provide one of the following parameters: connection string, account key or sas token 
for your storage account.
At D:\a\1\a\AZDO_Pipeline_Scripts\scripts\AzureCLI\StorageAccount\Provision_StorageAccount_Env.ps1:26 char:1
+ az storage blob service-properties delete-policy update --days-retain ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (No connection s...torage account.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
##[error]Script failed with exit code: 1

This is my script...its been working for months.

param (
    [Parameter(Mandatory=$true)]
    [string]$saname,
    [Parameter(Mandatory=$true)]
    [string]$resourcegroup,
    [Parameter(Mandatory=$true)]
    [string]$location,
    [Parameter(Mandatory=$true)]
    [string]$sku
)
#
az storage account create --name $saname --resource-group $resourcegroup --location $location --sku $sku
# set soft delete on for 30 days
az storage blob service-properties delete-policy update --days-retained 30  --account-name $saname --enable true
az storage blob service-properties delete-policy show --account-name $saname

Is a fix or workaround coming please?

EDIT: OK I found that by adding --auth-mode login to each of the "az storage blob service-properties" commands it passes

[azilber]

I'm seeing this issue with the az cli (2.5.1), except it throws the error, then it just goes through and works like it did before (v 2.0 of the cli) and uses the MSI. BUT, if I add --auth-mode login, then it just fails with:

You do not have the required permissions needed to perform this operation. Depending on your operation, you may need to be assigned one of the following roles: "Storage Blob Data Contributor" "Storage Blob Data Reader" "Storage Queue Data Contributor" "Storage Queue Data Reader"

There's no --auth-mode msi or something similar to provide the old behavior? This just seems broken...

[Juliehzl]

I'm seeing this issue with the az cli (2.5.1), except it throws the error, then it just goes through and works like it did before (v 2.0 of the cli) and uses the MSI. BUT, if I add --auth-mode login, then it just fails with:

You do not have the required permissions needed to perform this operation. Depending on your operation, you may need to be assigned one of the following roles: "Storage Blob Data Contributor" "Storage Blob Data Reader" "Storage Queue Data Contributor" "Storage Queue Data Reader"

There's no --auth-mode msi or something similar to provide the old behavior? This just seems broken...

--auth-mode login will require users to have Storage related RBAC roles as shown here: https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad#assign-rbac-roles-for-access-rights.

[Juliehzl]

To block the warning message, you can add --only-show-errors in your command.

[Juliehzl]

In addition, warning message is refined in PR #13963

[PaulCharlton]

this is nowhere near resolved.
in a pipeline, one can no longer do

1. az storage account create
2. az storage share create

simply put, the contributor role that allows #1 to succeed does not allow #2 to succeed (because it needs the special SA role) and there is no way in a pipeline to assign the IAM permissions for the SA role without giving the pipeline OWNER access over the subscription.

what did I miss?

[runemy]

@charleszipp with reference to: #12242 (comment)

I get this in version 0.5.12

2020-07-22T10:19:13.1073835Z ==============================================================================
2020-07-22T10:19:13.1074207Z Task         : Terraform CLI
2020-07-22T10:19:13.1074486Z Description  : Execute terraform cli commands
2020-07-22T10:19:13.1074754Z Version      : 0.5.12
2020-07-22T10:19:13.1074990Z Author       : Charles Zipp
2020-07-22T10:19:13.1075240Z Help         : 
2020-07-22T10:19:13.1075524Z ==============================================================================
2020-07-22T10:19:13.5399513Z [command]/opt/hostedtoolcache/terraform/0.12.25/x64/terraform version
2020-07-22T10:19:13.5768637Z Terraform v0.12.25
2020-07-22T10:19:13.5769336Z 
2020-07-22T10:19:13.5769871Z Your version of Terraform is out of date! The latest version
2020-07-22T10:19:13.5770518Z is 0.12.28. You can update by downloading from https://www.terraform.io/downloads.html
2020-07-22T10:19:13.5785297Z 
2020-07-22T10:19:13.5905267Z [command]/opt/hostedtoolcache/terraform/0.12.25/x64/terraform init
2020-07-22T10:19:13.6208551Z �[0m�[1mInitializing modules...�[0m
2020-07-22T10:19:13.6230838Z - az_drift_hub_test01 in modules/nhn-hub-expressroute
2020-07-22T10:19:13.6274407Z 
2020-07-22T10:19:13.6275510Z �[0m�[1mInitializing the backend...�[0m
2020-07-22T10:19:13.6282005Z �[31m
2020-07-22T10:19:13.6283414Z �[1m�[31mError: �[0m�[0m�[1mError building ARM Config: Azure CLI Authorization Profile was not found. Please ensure the Azure CLI is installed and then log-in with `az login`.�[0m
2020-07-22T10:19:13.6284318Z 
2020-07-22T10:19:13.6285139Z �[0m�[0m�[0m
2020-07-22T10:19:13.6303580Z 
2020-07-22T10:19:13.6429582Z ##[error]Terraform command 'init' failed with exit code '1'.:  Error building ARM Config: Azure CLI Authorization Profile was not found. Please ensure the Azure CLI is installed and then log-in with `az login`.
2020-07-22T10:19:14.1792417Z ##[section]Finishing: Terraform Init```

What to do?

Br. Rune Myrhaug