Error: building account: could not acquire access token to parse claims: #586

Open
johnwildes opened this issue Jan 8, 2025 · 1 comment
Labels
question Further information is requested

Comments

@johnwildes

I have authenticated to az cli using my Entra ID account. I used az login --use-device-code and set my default subscription.

I ran the command aztfexport resource-group <rgname> and received the error listed below.

Any idea why I would be getting this error if I'm authenticated locally on my machine? Where is aztfexport trying to use my credential to authenticate, such that I would receive a conditional access error, if it's supposed to be running on my machine where I'm already authenticated?

I have no issues running az cli commands locally or even in the cloud shell.

exit status 1

  Error: building account: could not acquire access token to parse claims: running Azure CLI: exit status 1: ERROR:
  AADSTS50005: User tried to log in to a device from a platform (Unknown) that's currently not supported through
  Conditional Access policy. Supported device platforms are: iOS, Android, Mac, and Windows flavors. Trace ID:
  105fd51e-db51-4a7e-883c-f8cb9bf81800 Correlation ID: 18c9e6ca-314d-4de2-96dd-5549adaba347 Timestamp: 2025-01-08


  az login --scope https://graph.microsoft.com/.default

    with provider["registry.terraform.io/hashicorp/azurerm"],
    on C:\Users\914239\AppData\Local\Temp\aztfexport-3758608741\provider.tf line 1, in provider "azurerm":
     1: provider "azurerm" {
@magodo
Collaborator

magodo commented Jan 8, 2025

@johnwildes Your organization has enabled the conditional access policy that forbids logging in with the scope of msgraph, under an unsupported OS (presumably it is Linux, as I encountered this as well). You can reproduce this by running az login --scope https://graph.microsoft.com/.default directly.

The azurerm provider requires the msgraph token during its initialization. That's why aztfexport raised this error. However, if you use the azapi provider (by specifying --provider-name azapi), it shall only request the arm scope. You can have a try.

Otherwise, you can try another auth method like SP + secret to see how it goes. (Sorry that I don't have a Linux machine right now, so I can't test this...)

@magodo magodo added the question Further information is requested label Jan 8, 2025
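
The scope split described in the reply above can be checked from the local Azure CLI session before running aztfexport. The following is an added example, not code from the issue or from the aztfexport project: it probes each scope with `az account get-access-token` and maps the result to the provider choice the reply describes. The function names are hypothetical, and the ARM scope URL assumes the public Azure cloud.

```shell
#!/bin/sh
# Added example (not aztfexport code). Checks which token scopes the local
# Azure CLI session can obtain, without ever printing the tokens themselves.

ARM_SCOPE="https://management.azure.com/.default"   # assumption: public Azure cloud
GRAPH_SCOPE="https://graph.microsoft.com/.default"  # scope quoted in the issue

# probe_scope SCOPE
# Prints "ok" if a token is issued, otherwise the AADSTS error code that
# blocked it (or "error" if the failure carries no AADSTS code).
probe_scope() {
    # Only the expiry is requested and stdout is discarded, so the access
    # token never reaches the terminal or a log. stderr is captured.
    if err=$(az account get-access-token --scope "$1" \
                 --query expiresOn -o tsv 2>&1 >/dev/null); then
        echo "ok"
    else
        code=$(printf '%s\n' "$err" | grep -o 'AADSTS[0-9]*' | head -n 1)
        echo "${code:-error}"
    fi
}

# recommend ARM_RESULT GRAPH_RESULT
# Per the reply above: azurerm needs the Graph token during initialization,
# azapi only requests the ARM scope.
recommend() {
    case "$1:$2" in
        ok:ok) echo "azurerm or azapi" ;;
        ok:*)  echo "azapi only (Graph blocked: $2)" ;;
        *)     echo "neither (ARM blocked: $1)" ;;
    esac
}

# diagnose: probe both scopes and print a one-line summary.
diagnose() {
    arm=$(probe_scope "$ARM_SCOPE")
    graph=$(probe_scope "$GRAPH_SCOPE")
    echo "arm=$arm graph=$graph -> $(recommend "$arm" "$graph")"
}

# Usage: source this file in a shell where `az login` has been done,
# then run: diagnose
```

A result of `azapi only` matches the situation in this issue: the Conditional Access policy applies to the Graph scope, so `--provider-name azapi` avoids the blocked token request while the policy itself stays in force.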