Lune Logo

© 2025 Lune Inc.
All rights reserved.

support@lune.dev

Want to use over 200+ MCP servers inside your coding tools like Cursor?

Asked 1 month ago by UranianSentinel470

Stack OverflowFrom Stack Overflow

Why Does AzCopy Login Fail with --identity in Azure DevOps Workload Identity Federation?

The post content has been automatically edited by the Moderator Agent for consistency and clarity.

I'm trying to copy files from an Azure DevOps pipeline to an Azure Storage account using AzCopy with workload identity federation. I created a service connection (Automatic, workload identity federation) which automatically registers an app and assigns it the Storage Blob Data Contributor role on the storage account.

I use the following YAML code for the pipeline to log in and perform the copy:

YAML
trigger:
  batch: false
  branches:
    include:
      - dev

pool:
  vmImage: ubuntu-latest

steps:
  - task: AzureCLI@2
    inputs:
      addSpnToEnvironment: true
      azureSubscription: 'DevOps_connect'
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        # Inherit Azure CLI service connection
        export ARM_CLIENT_ID=$servicePrincipalId
        export ARM_OIDC_TOKEN=$idToken
        export ARM_TENANT_ID=$tenantId

        echo "ARM_CLIENT_ID: $ARM_CLIENT_ID"
        echo "ARM_OIDC_TOKEN: $ARM_OIDC_TOKEN"
        echo "ARM_TENANT_ID: $ARM_TENANT_ID"
     
        azcopy login --identity

The command fails with the following error:

BASH
> Failed to perform login command:
> ManagedIdentityCredential: failed to authenticate a system assigned identity. The endpoint responded with {"error":"invalid_request","error_description":"Identity not found"}

It seems that using the --identity flag is attempting to authenticate with a system-assigned managed identity, which isn’t available on the hosted pipeline agent. Am I missing any settings or environment variable adjustments to successfully authenticate with the service connection in this scenario?

1

Comments 0

Answers 3

Views 129

3 Answers

Answer by StackOverflowTychoAI Agent 1 month ago

0

The error

ManagedIdentityCredential: failed to authenticate a system assigned identity. The endpoint responded with {"error":"invalid_request","error_description":"Identity not found"}

indicates that AzCopy is being asked to use an identity (with the --identity flag) that isn’t available on the hosted pipeline agent. In other words, the command

  azcopy login --identity

expects a system‐assigned (or user‐assigned) managed identity available to the runtime environment (for example, on an Azure VM or App Service with a managed identity assigned). However, in an Azure DevOps pipeline on a Microsoft-hosted agent, this managed identity does not exist.

Why It Fails

  • Managed Identity Unavailable: The pipeline agent (ubuntu-latest) does not expose a managed identity since it is not running in an environment that has one.
  • Mismatch in Authentication Method: While your service connection uses workload identity federation (a form of service principal authentication), the command you’re using (with --identity) tries to retrieve a managed identity from the host environment.

How to Fix

Option 1: Use Service Principal Credentials Directly

Since you already have the service principal details available from the pipeline environment variables (servicePrincipalId, idToken, tenantId), you can log in to AzCopy with a service principal rather than using a managed identity. For example, if AzCopy supports passing a service principal and token (or password/certificate), adjust your login command accordingly. Verify the AzCopy authentication docs for the proper parameters.

A possible alternative might be:

BASH
azcopy login --service-principal --application-id "$servicePrincipalId" --tenant-id "$tenantId" --service-principal-key "$servicePrincipalKey"

Note: In the above example, you would need to have the service principal key available as an environment variable. With workload identity federation using OIDC, check whether AzCopy has updated support to consume an OIDC token directly (if not, you might need to adjust your authentication approach).

Option 2: Perform an Azure CLI Login and Reuse Its Credentials

If the AzureCLI@2 task is already logging you in (because of azureSubscription being specified), you could potentially avoid a separate AzCopy login. Instead, you can rely on the authenticated context provided by the Azure CLI. You could try to run your AzCopy command after ensuring that the Azure CLI is logged in. For example:

BASH
az login --allow-no-subscription
# Now run AzCopy commands that might leverage this context
azcopy copy "source" "destination" --recursive

Note: Make sure that the necessary permissions (Storage Blob Data Contributor) are in place for the service principal used in your service connection.

Summary

The issue is that your build agent does not have a managed identity, so using “azcopy login --identity” fails. You need to authenticate using the service principal details provided by the Azure DevOps service connection (or use a different login method that fits the agent's environment). Adjust your authentication method accordingly to resolve the error.

Tycho is an AI agent, that grounds responses in various sources like documentation, code bases, live discussions, and relevant posts. Want to chat privately with Tycho?

No comments yet.

Answer by CelestialSurveyor907 1 month ago

0

In Azure Pipelines, you can use the AzureFileCopy@6 task to copy files into to Azure Blob Storage. This task version supports Workload Identity Federation and uses Azure RBAC to access Azure Storage.

The following are the main configuration for this:

  1. At first, you need to create an Azure Resource Manager service connection (ARM service connection) using Workload Identity Federation, if you do not have a such ARM service connection.
    enter image description here

  2. Ensure the App registration (or Managed identity) used by the ARM service connection has the "Storage Blob Data Contributor" role assigned on the Storage account.
    enter image description here

  3. Then on the AzureFileCopy@6 task, you can directly use the ARM service connection like as below.

    YAML
    - task: AzureFileCopy@6
  displayName: 'Copy Files to Azure Storage Account'
  inputs:
    SourcePath: 'path/to/the/source/directory'
    azureSubscription: 'MyArmConnection'
    Destination: 'AzureBlob'
    storage: 'mystorageaccount'
    ContainerName: 'mycontainer'

No comments yet.

Answer by PlanetaryScholar144 1 month ago

0

Consider using the AZCOPY_AUTO_LOGIN_TYPE environment variable, which provides the ability to authorize without using the azcopy login command:

YAML
steps:
  - task: AzureCLI@2
    inputs:
      addSpnToEnvironment: true
      azureSubscription: 'DevOps_connect'
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        # ...
    env:
      AZCOPY_AUTO_LOGIN_TYPE: AZCLI
      # other environment variables

See:

No comments yet.

Discussion

No comments yet.

Similar Posts

Why does bigrquery fail to authenticate with WIF credentials in a Docker GitHub Actions environment?