aztfexport: aztfy won't pick up token from new az login

When I run aztfy rg --append --name-pattern “*” RG1 I get a 401 Unauthorized error stating that my access token is for one of my other Azure tenants. If I run az login and log in to the tenant I want to use, then run az account set --subscription to the subscription within that tenant, the error persists. I have re-tried az login several times with the same issue recurring.

The full text:


exporting arm template of resource group RG1: POST https://management.azure.com/subscriptions/correctsubscription/resourcegroups/RG1/exportTemplate
  --------------------------------------------------------------------------------                                                                                                                              
  RESPONSE 401: 401 Unauthorized                                                                                                                                                                                
  ERROR CODE: InvalidAuthenticationTokenTenant                                                                                                                                                                  
  --------------------------------------------------------------------------------                                                                                                                              
  {                                                                                                                                                                                                             
    "error": {                                                                                                                                                                                                  
      "code": "InvalidAuthenticationTokenTenant",                                                                                                                                                               
      "message": "The access token is from the wrong issuer 'https://sts.windows.net/incorrectsubscriptionguid/'. It must match one of the tenants                                                   
  'https://sts.windows.net/don'tknowwhatthisguidis/,https://sts.windows.net/correctsubscriptionguid/' associated with this subscription. Please use any authority (URL) from          
  'https://login.windows.net/don'tknowwhatthisguidis,https://login.windows.net/correctsubscriptionguid' to get the token. Note, if the subscription is transferred to another tenant  
  there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back      
  later."

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 21

Most upvoted comments

aztfy rg --log-level DEBUG --log-path log.txt --subscription-id subID rgName

listing resource set: executing ARG query “Resources | where resourceGroup =~ "someRGname" | order by id desc”: DefaultAzureCredential: failed to acquire a token. Attempted credentials: EnvironmentCredential: missing environment variable AZURE_TENANT_ID
ManagedIdentityCredential: IMDS token request timed out

Also, could you please elaborate more about Also when i execute the command in PowerShell it doesn’t look like its processed in the same ps scope?

  • in PowerShell 7, When i execute aztfy rg someRGname
  • Azure Terrafy [dot thing] Initializing.. is shown then the NoValidSubscriptionsInQueryRequest error
  • I have to control+C to get back to the PowerShell prompt, all the aztfy output is gone

288

fyi we are using AzureUSGovernment

+1
Flightdeck73 on Mar 14, 2023
Read more comments on GitHub
← autorest: Return the body of HttpOperationExceptions (to view the detail)
aztfexport: Imported properties fails validation on terraform plan because of case sensitivity. →