AZCOPY_AUTO_LOGIN_TYPE="AZCLI" fails with "Tenant shouldn't be specified for managed identity account"

[ohads-MSFT]

Which version of the AzCopy was used?

10.26.0

Which platform are you using? (ex: Windows, Mac, Linux)

Linux

What command did you run?

# In an ACI container with an associated USer-Assigned identity
$env:AZCOPY_AUTO_LOGIN_TYPE = "AZCLI"
az login --identity
azcopy copy "https://[account].blob.core.windows.net/[container]/[path/to/blob]?[SAS]" "https://[account].blob.core.windows.net/[container]/[path/to/blob]"

What problem was encountered?

Failed to perform Auto-login: AzureCLICredential: ERROR: Tenant shouldn't be specified for managed identity account

How can we reproduce the problem in the simplest way?

Run the command as above

Have you found a mitigation/solution?

Switched to AZCOPY_AUTO_LOGIN_TYPE="MSI" (which then failed on something else, see #2792)

Output

INFO: Scanning...

Log file

2024/08/26 16:12:19 AzcopyVersion 10.26.0
2024/08/26 16:12:19 OS-Environment linux
2024/08/26 16:12:19 OS-Architecture amd64
2024/08/26 16:12:19 Log times are in UTC. Local time is 26 Aug 2024 16:12:19
2024/08/26 16:12:21 Closing Log
2024/08/26 16:12:18 AzcopyVersion 10.26.0
2024/08/26 16:12:18 OS-Environment linux
2024/08/26 16:12:18 OS-Architecture amd64
2024/08/26 16:12:18 Log times are in UTC. Local time is 26 Aug 2024 16:12:18
2024/08/26 16:12:19 ISO 8601 START TIME: to copy files that changed before or after this job started, use the parameter --include-before=2024-08-26T16:12:13Z or --include-after=2024-08-26T16:12:13Z

[vibhansa-msft]

Kindly share output of "azcopy env" as well.

[adreed-msft]

Just chiming in, this looks wrong:

# In an ACI container with an associated USer-Assigned identity
$env:AZCOPY_AUTO_LOGIN_TYPE = "AZCLI"
az login --identity
azcopy copy "https://[account].blob.core.windows.net/[container]/[path/to/blob]?[SAS]" "https://[account].blob.core.windows.net/[container]/[path/to/blob]"

--identity refers to MSI, but $env:AZCOPY_AUTO_LOGIN_TYPE is a completely different type of auth, and the latter here means azcopy login is unnecessary.

[ohads-MSFT]

Just chiming in, this looks wrong:

# In an ACI container with an associated USer-Assigned identity
$env:AZCOPY_AUTO_LOGIN_TYPE = "AZCLI"
az login --identity
azcopy copy "https://[account].blob.core.windows.net/[container]/[path/to/blob]?[SAS]" "https://[account].blob.core.windows.net/[container]/[path/to/blob]"

--identity refers to MSI, but $env:AZCOPY_AUTO_LOGIN_TYPE is a completely different type of auth, and the latter here means azcopy login is unnecessary.

That snippet is just a minimal repro, in my actual script I need az login for unrelated reasons. Then I set $env:AZCOPY_AUTO_LOGIN_TYPE = "AZCLI" so that azcopy can use the token acquired by az, rather than needlessly asking for another one.

[ohads-MSFT]

Kindly share output of "azcopy env" as well.

I already switched to MSI auth, I'll see if I get the time to revert and check, but may I suggest you add this requirement to the "new issue" template?