ERROR: AADSTS700024: Client assertion is not within its valid time range

[guidoiaquinti]

👋 Hi! I’m using the azure/login action for CD and I’m often getting an error when the job execution takes more than a couple of minutes from the initial login.

ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2021-11-26T09:44:41.0193003Z, expiry time of assertion 2021-11-26T09:31:56.0000000Z.

Is there a way to extend the validity of the token via a parameter? The aws-actions/configure-aws-credentials action does it via a role-duration-seconds flag:

The default session duration is 6 hours when using an IAM User to assume an IAM Role [..] . If you would like to adjust this you can pass a duration to role-duration-seconds, but the duration cannot exceed the maximum that was defined when the IAM Role was created.

ref: https://github.com/aws-actions/configure-aws-credentials/blob/master/README.md#assuming-a-role

Thank you! 🙇

[BALAGA-GAYATRI]

@kjyam98 @N-Usha @udayxhegde Is this Doable in Azure?

[udayxhegde]

@BALAGA-GAYATRI I am not sure I understand the question: what is Doable in Azure? The issue seems to be that the github token has expired when it is presented to Azure AD

[guidoiaquinti]

@udayxhegde the problem I’m trying to solve is customise the expiration time of the token. This is useful if you plan to run operations on the Azure platform with timeframes longer than the standard validity.

Example:

1. Provisioning of the AKS cluster
2. deploy a stack
3. execute e2e tests
4. destruction of the AKS cluster

If the timeframe between steps 1 and 4 is longer than the maximum validity of the token, you will encounter an error similar to the one I posted above.

It would be useful to customise the token validity via azure/login. This is something that other cloud platforms already support.

Example:

    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        role-to-assume: arn:aws:iam::123456789100:role/my-github-actions-role
        role-duration-seconds: 3600

[BALAGA-GAYATRI]

Hey @guidoiaquinti, This is currently not being implemented in OIDC login mechanism. If you want to leverage the auto refresh mechanism of token, you may use the SPN login by setting your deployment credentials using - https://github.com/Azure/login#configure-a-service-principal-with-a-secret
In this way you will not face token expiration issue.

[guidoiaquinti]

Hey @guidoiaquinti, This is currently not being implemented in OIDC login mechanism. If you want to leverage the auto refresh mechanism of token, you may use the SPN login by setting your deployment credentials using - https://github.com/Azure/login#configure-a-service-principal-with-a-secret In this way you will not face token expiration issue.

Thank you for your reply Balaga 🙇

Any plan to add this feature to the Azure roadmap? I'm trying to avoid generating and hardcoding long-term secrets if possible.

[BALAGA-GAYATRI]

Yes @guidoiaquinti. The refresh token mechanism is yet to be implemented.

[guidoiaquinti]

I understand but is there any plan to implement it?

…

On Tue, 14 Dec 2021 at 09:51, Balaga Gayatri ***@***.***> wrote: Yes @guidoiaquinti <https://github.com/guidoiaquinti>. The refresh token mechanism is yet to be implemented. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#180 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA6Z3GLBB73XKGBKYRE4XC3UQ4AS3ANCNFSM5I2JEVKQ> .

[BALAGA-GAYATRI]

Yes. But we can't commit to a specific timeline for this right now. We will keep you informed.

[github-actions]

This issue is idle because it has been open for 14 days with no activity.

[kjyam98]

@BALAGA-GAYATRI please assign to udayxhegde

[udayxhegde]

@kjyam98, that is not the right assignment

@BALAGA-GAYATRI please assign to udayxhegde

@kjyam98 , @BALAGA-GAYATRI: what are you expecting by assigning to me? did you have a specific design in mind that you need my help?

[BALAGA-GAYATRI]

@kjyam98, that is not the right assignment

@BALAGA-GAYATRI please assign to udayxhegde

@kjyam98 , @BALAGA-GAYATRI: what are you expecting by assigning to me? did you have a specific design in mind that you need my help?

@udayxhegde
Sorry for the confusion. This was already closed over email. We will be working with the CLI team for the changes required in CLI and in Action for the auto-refresh mechanism for addressing the same. Have assigned back the issue to my team.

[github-actions]

This issue is idle because it has been open for 14 days with no activity.

[lpalerm]

Can this be documented in the federated credentials setup steps? We are having the same issue.

[github-actions]

This issue is idle because it has been open for 14 days with no activity.

[BartDecker]

Has anyone found a workaround for the tokens that expire after ~1h? I guess you could detect that case and run the login action again?

Indeed just a re-login. We look at the average runtime of a workflow and put a re-login at the appropriate point in the workflow. Would be nice if the token time is configurable as part of the login action.

[dionhaefner]

I ended up just using a shell script login.sh for OIDC login (instead of the login action):

#!/bin/bash
set -e

# get JWT from GitHub's OIDC provider
# see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#updating-your-actions-for-oidc
jwt_token=$(
    curl \
        -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
        "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange" \
        --silent \
    | jq -r ".value"
)

# perform OIDC token exchange
az login \
    --service-principal -u $AZURE_CLIENT_ID \
    --tenant $AZURE_TENANT_ID \
    --federated-token $jwt_token \
    -o none

az account set \
    --subscription $AZURE_SUBSCRIPTION_ID \
    -o none

Then you can keep track of time in long-running scripts and renew the token every 50 minutes or so.

[surajssd]

Hit this issue on Ubuntu based workflow. We login upfront, then try to do an image build (which runs for 10-15 mins), meanwhile the token is expired and Hashicorp packer fails because the token has expired. It was only valid for 5 mins.

Here is the log from that failed step:

...
peer-pod-ubuntu.azure-arm.ubuntu: output will be in this color.

==> peer-pod-ubuntu.azure-arm.ubuntu: Running builder ...
==> peer-pod-ubuntu.azure-arm.ubuntu: Getting tokens using Azure CLI
==> peer-pod-ubuntu.azure-arm.ubuntu: unable to get token from azure cli: Invoking Azure CLI failed with the following error: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2023-05-17T01:01:18.0483732Z, assertion valid from 2023-05-17T00:45:33.0000000Z, expiry time of assertion 2023-05-17T00:50:33.0000000Z. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .
==> peer-pod-ubuntu.azure-arm.ubuntu: Trace ID: 2b484d1e-c5db-483f-9502-c274b6715c00
==> peer-pod-ubuntu.azure-arm.ubuntu: Correlation ID: 97a5e8bf-8386-4f13-8db0-8cc9a18f4fad
==> peer-pod-ubuntu.azure-arm.ubuntu: Timestamp: 2023-05-17 01:01:18Z
==> peer-pod-ubuntu.azure-arm.ubuntu: Interactive authentication is needed. Please run:
==> peer-pod-ubuntu.azure-arm.ubuntu: az login
==> peer-pod-ubuntu.azure-arm.ubuntu:
Build 'peer-pod-ubuntu.azure-arm.ubuntu' errored after 1 second 393 milliseconds: Invoking Azure CLI failed with the following error: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2023-05-17T01:01:18.0483732Z, assertion valid from 2023-05-17T00:45:33.0000000Z, expiry time of assertion 2023-05-17T00:50:33.0000000Z. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .
Trace ID: 2b484d1e-c5db-483f-9502-c274b6715c00
Correlation ID: 97a5e8bf-8386-4f13-8db0-8cc9a18f4fad
Timestamp: 2023-05-17 01:01:18Z
Interactive authentication is needed. Please run:
az login


==> Wait completed after 1 second 393 milliseconds

==> Some builds didn't complete successfully and had errors:
--> peer-pod-ubuntu.azure-arm.ubuntu: Invoking Azure CLI failed with the following error: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2023-05-17T01:01:18.0483732Z, assertion valid from 2023-05-17T00:45:33.0000000Z, expiry time of assertion 2023-05-17T00:50:33.0000000Z. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .
Trace ID: 2b484d1e-c5db-483f-9502-c274b6715c00
Correlation ID: 97a5e8bf-8386-4f13-8db0-8cc9a18f4fad
Timestamp: 2023-05-17 01:01:18Z
Interactive authentication is needed. Please run:
az login


==> Builds finished but no artifacts were created.
make: *** [Makefile:25: podvm-c491ecd-amd64] Error 1
Error: Process completed with exit code 2.

The docs say that the expiry time is configurable. But they don't say how.

This expiration time is further configurable in Azure

[YanaXu]

Hi @surajssd , have you checked my comment? Have you upgraded all Azure PowerShell versions, including the manually installed one or Azure PowerShell Action?

[surajssd]

@YanaXu not using Powershell. Only Ubuntu/Linux based actions.

[YanaXu]

@surajssd , in this issue, we're talking about the Azure PowerShell login issue with OIDC with the service principle. If you do not use Azure PowerShell at all, we are meeting another issue. Let's see what's wrong in your case.
Could you share the workflow with me? You can mask the sensitive information, but let me know which actions and what general parameters you are using.

[mestrada-redstage]

I have this error when when the build take more that 10 min

runner: ubuntu-latest
and use manage identity for login into my AKS cluster

[YanaXu]

@mestrada-redstage, can you share the workflow with us?

[mestrada-redstage]

@YanaXu This are the steps
steps:

  - name: Checkout
    uses: actions/checkout@v3

  - name: Set env branch short name
    run: echo "BRANCH_NAME=${TRIGGER_GITHUB_REF#refs/heads/}" >> $GITHUB_ENV

  # setup Docker buld action
  - name: Set up Docker Buildx
    id: buildx
    uses: docker/setup-buildx-action@v1

  - name: Login to DockerHub
    uses: docker/login-action@v2
    with:
      registry: ${{ secrets.ACR_URL }}
      username: ${{ secrets.ACR_LOGIN }}
      password: ${{ secrets.ACR_KEY }} 

  - name: Setup anvironemnt name
    run: |
     echo "ENV_STR=${BRANCH_NAME/development/dev}" >> $GITHUB_ENV
     cat $GITHUB_ENV

  - uses: azure/login@v1
    with:
      client-id: ${{ secrets.AZURE_CLIENT_ID }}
      tenant-id: ${{ secrets.AZURE_TENANT_ID }}
      subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      
  - uses: azure/use-kubelogin@v1
    with:
      kubelogin-version: 'v0.0.24'
      
  - uses: azure/setup-kubectl@v3
   
  - uses: azure/aks-set-context@v3
    with:
      resource-group: #########
      cluster-name: #######

  - name: build-deploy
    shell: bash
    run: |
      cd ${{ matrix.PROJECT_PATH }}
      chmod +x ../build.sh
      ACR_URL=${{ secrets.ACR_URL }} ACR_KEY=${{ secrets.ACR_KEY }} ACR_LOGIN=${{ secrets.ACR_LOGIN }} ../build.sh ${{ env.PROJECT_NAME }} ${{ env.TRIGGER_GITHUB_SHA }} ${{ github.event.inputs.destin }} ${{ env.PROJECT_NAME }} ${{ matrix.PROJECT_CONTEXT }}

[YanaXu]

@mestrada-redstage ,

In this issue, we talked about Azure PowerShell login problem with OIDC.
But your workflow seems using Azure Cli.
I think you were talking about this step which failed after 10 min.

  - name: build-deploy
    shell: bash
    run: |
      cd ${{ matrix.PROJECT_PATH }}
      chmod +x ../build.sh
      ACR_URL=${{ secrets.ACR_URL }} ACR_KEY=${{ secrets.ACR_KEY }} ACR_LOGIN=${{ secrets.ACR_LOGIN }} ../build.sh ${{ env.PROJECT_NAME }} ${{ env.TRIGGER_GITHUB_SHA }} ${{ github.event.inputs.destin }} ${{ env.PROJECT_NAME }} ${{ matrix.PROJECT_CONTEXT }}

Could you re-run this workflow with debug mode and copy the workflow's output to us?
And if it's not sensitive, please provide the content of "build.sh" too.
Thanks.

[jbelien]

Also hitting the same issue.
Here is the log (with debug):

##[debug]Evaluating condition for step: 'Get K8s context'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Get K8s context
##[debug]Loading inputs
##[debug]Evaluating: vars.AZURE_RESOURCE_GROUP
##[debug]Evaluating Index:
##[debug]..Evaluating vars:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'AZURE_RESOURCE_GROUP'
##[debug]=> 'rg-***'
##[debug]Result: 'rg-***'
##[debug]Evaluating: vars.AKS_CLUSTER_NAME
##[debug]Evaluating Index:
##[debug]..Evaluating vars:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'AKS_CLUSTER_NAME'
##[debug]=> 'aks-***'
##[debug]Result: 'aks-***'
##[debug]Loading env
Run azure/aks-set-context@v3
  with:
    resource-group: rg-***
    cluster-name: aks-***
    admin: false
    use-kubelogin: true
  env:
    CONTAINER_NAME: ***
    AZURE_HTTP_USER_AGENT: 
    AZUREPS_HOST_ENVIRONMENT: 
##[debug]Writing kubeconfig to /home/runner-admin/actions-runner/_work/_temp/kubeconfig_1691671866005
/usr/bin/az aks get-credentials --resource-group rg-*** --name aks-*** -f /home/runner-admin/actions-runner/_work/_temp/kubeconfig_1691671866005
ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2023-08-10T12:51:06.6841503Z, assertion valid from 2023-08-09T15:06:56.0000000Z, expiry time of assertion 2023-08-09T15:11:56.0000000Z. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials .
Trace ID: 070e96fc-76e1-46a8-88f7-055a0d489900
Correlation ID: 2ce46b3e-5dcf-42ed-a497-33231a9dc308
Timestamp: 2023-08-10 12:51:06Z
Interactive authentication is needed. Please run:
az login
Error: Error: The process '/usr/bin/az' failed with exit code 1
##[debug]Node Action run completed with exit code 1
##[debug]AZURE_HTTP_USER_AGENT='GitHubActions/azure/aks-set-context(6ff0b0b4611939515451a12aa8fec15e3dd86d30d7e8c0569dd2ded2113f8931; 5809746149)'
##[debug]AZUREPS_HOST_ENVIRONMENT='GitHubActions/azure/aks-set-context(6ff0b0b4611939515451a12aa8fec15e3dd86d30d7e8c0569dd2ded2113f8931; 5809746149)'
##[debug]AZURE_HTTP_USER_AGENT=''
##[debug]AZUREPS_HOST_ENVIRONMENT=''
##[debug]Finishing: Get K8s context

Azure/aks-set-context#101

[hansenms]

I just wanted to chime in here, we are experiencing the same problem that the client assertion expires after 5 minutes and az aks get-credentials is failing in the same way as described above. Other az commands work, so it is possible that the token is not refreshed for that command?

We use a script (along the lines of #180 (comment) by @dionhaefner) right in front of calls to az aks get-credentials in our pipelines to work around this.

[mcolussi-bigw]

Issue is occurring for us as well. We use null_resource terraform resources to run custom scripts that perform commands via az cli, the automated tests are failing because the token expires after 5 minutes, before the scripts execute.

Our current only work-around is to ensure the tests that run AZ cli commands run first before the token expires. 5 minutes is a very short time range to do anything useful.

[JamesDawson]

Are there any plans to support idTokens with a lifetime longer than 10 minutes? This constraint has sadly forced us back to using SP authentication with client secrets.

We have a scripted deployment process (i.e. runs as a single GitHub Actions step using azure/powershell@v1) that runs for longer than 10 minutes. It includes functionality towards the end that requires an access token from another service (i.e. a data plane operation), which fails as the idToken has expired.

As a tangible example of this scenario, consider using the Az.Synapse PowerShell module to make configuration changes to a Synapse Workspace that has just been provisioned by a preceding ARM deployment (lasting longer than 10 minutes).

UPDATE: When testing an equivalent repro with the recently announced preview of federated credentials for Azure DevOps, we do not see the same issue.

[YanaXu]

Hi @mestrada-redstage , @jbelien, @hansenms, @mcolussi-bigw , could you open another issue and provide your workflow file and the debug log? Because this issue is about the Azure PowerShell and it's fixed in Azure PowerShell 9.2 as in comment. But in your description, it seems there are other issues in Azure CLI or even other actions. Please open a new issue for your case for better tracking.

[YanaXu]

Are there any plans to support idTokens with a lifetime longer than 10 minutes? This constraint has sadly forced us back to using SP authentication with client secrets.

We have a scripted deployment process (i.e. runs as a single GitHub Actions step using azure/powershell@v1) that runs for longer than 10 minutes. It includes functionality towards the end that requires an access token from another service (i.e. a data plane operation), which fails as the idToken has expired.

As a tangible example of this scenario, consider using the Az.Synapse PowerShell module to make configuration changes to a Synapse Workspace that has just been provisioned by a preceding ARM deployment (lasting longer than 10 minutes).

UPDATE: When testing an equivalent repro with the recently announced preview of federated credentials for Azure DevOps, we do not see the same issue.

@JamesDawson , do you mean the toke generated by GitHub? I think it's out of the scope of this Action. Can you raise an issue for GitHub Action Core?

[YanaXu]

I'll close this issue.

• If you meet an Azure PowerShell token expiration issue, please refer to comment .
• If you meet other token expiration issues, please open a new issue for it. Provide your workflow file and debug logs for further analysis.

[jbelien]

Hi @mestrada-redstage , @jbelien, @hansenms, @mcolussi-bigw , could you open another issue and provide your workflow file and the debug log? Because this issue is about the Azure PowerShell and it's fixed in Azure PowerShell 9.2 as in comment. But in your description, it seems there are other issues in Azure CLI or even other actions. Please open a new issue for your case for better tracking.

Sure, I already opened an issue here: Azure/aks-set-context#101

[krukowskid]

hey! I am still facing this issue when running dotnet tests in github runner.

Azure.Identity.CredentialUnavailableException : DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot
...
- Azure CLI authentication failed due to an unknown error. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/azclicredential/troubleshoot ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2023-10-31T11:53:04.4424859Z, assertion valid from 2023-10-31T11:39:49.0000000Z, expiry time of assertion 2023-10-31T11:44:49.0000000Z. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials . Trace ID: d64c537e-1d94-4274-9012-c0d7590f1c00 Correlation ID: 5c769bb7-e85a-4557-ba28-92f8eca1c4ff Timestamp: 2023-10-31 11:53:04Z
	Interactive authentication is needed. Please run:
	az login

I am using 1.4.6 action version and 1.10.4 of azure.identity package. Problem does not occur on integration tests where almost all of them are using token, but if I am running API/UI tests where I am using identity in one or two tests it looks like token is not being refreshed if its not used for 5minutes. Any ideas or workaround?

[jantorep]

Any update on this case? This is driving me mad creating Enterprise Applications for our deployments.

New-AzADApplication_CreateExpanded: /home/runner/.local/share/powershell/Modules/Az.Resources/6.12.1/MSGraph.Autorest/custom/New-AzADApplication.ps1:698
Line |
698 | $app = Az.MSGraph.internal\New-AzADApplication @PSBoundParameters
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| A configuration issue is preventing authentication - check the error
| message from the server for details. You can modify the configuration in
| the application registration portal. See
| https://aka.ms/msal-net-invalid-client for details. Original exception:
| AADSTS700024: Client assertion is not within its valid time range.
| Current time: 2023-12-22T12:03:41.4945531Z, assertion valid from
| 2023-12-22T11:48:18.0000000Z, expiry time of assertion
| 2023-12-22T11:53:18.0000000Z. Review the documentation at
| https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials . Trace ID: e36c2ebe-03f4-427b-b341-9b346cd1bb00 Correlation ID: 71ce361d-10ed-4080-a049-6e15eb7bdee9 Timestamp: 2023-12-22 12:03:41Z

[YanaXu]

Hi @krukowskid and @jantorep , it's a closed issue. We may miss comments from a closed issue. Please check my comment for this issue. And If your issue is not solved, it means it's a new issue. Please open a new issue then, provide your workflow file, debug log for further analysis. Thanks.

[justinmchase]

Utmost respect for the maddest lad @dionhaefner for this comment #180 (comment)

Which allowed me to work around this issue in terraform with the following:

data "azurerm_client_config" "current" {
}

data "external" "login" {
  program = ["bash", "${path.module}/scripts/refresh.sh"]
  query = {
    client_id       = data.azurerm_client_config.current.client_id
    tenant_id       = data.azurerm_client_config.current.tenant_id
    subscription_id = data.azurerm_client_config.current.subscription_id
  }
}

#!/bin/bash
set -e

eval "$(jq -r '@sh "AZURE_CLIENT_ID=\(.client_id) AZURE_TENANT_ID=\(.tenant_id) AZURE_SUBSCRIPTION_ID=\(.subscription_id)"')"

if [[ "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" == "" ]] || [[ "$ACTIONS_ID_TOKEN_REQUEST_URL" == "" ]]
then
  # This is ok, we're probably running locally
  jq -n '{}'
  exit 0
fi

# get JWT from GitHub's OIDC provider
# see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#updating-your-actions-for-oidc
jwt_token=$(
  curl "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange" \
    -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
    --silent \
  | jq -r ".value"
)

# perform OIDC token exchange
az login \
  --service-principal -u $AZURE_CLIENT_ID \
  --tenant $AZURE_TENANT_ID \
  --federated-token $jwt_token \
  -o none

az account set \
  --subscription $AZURE_SUBSCRIPTION_ID \
  -o none

jq -n '{}'

This allows me to refresh the token in the middle of a long terraform apply in a few places where I need to bust out into a null_resource or data external script and use the az cli.

module "auth_refresh" {
  source = "../../helpers/azure_auth_refresh"
}

resource "null_resource" "redirect_uris" {
  // ...
}