azure.azcollection azure_rm.yml inventory plugin failing to use az login credentials in execution environment

Archives Ansible Project
, ,
1

Hi all,

I was looking for some help debugging an unusual issue I’m seeing with azure.azcollection and the azure-cli in an Ansible execution environment.

TL;DR, if I manually build a container, pip install ansible-core, ansible-galaxy install the azure.azcollection, then pip install its requirements, install azure-cli, setup a dynamic inventory plugin, az login and then run ansible-inventory, everything works.

If I use ansible-builder to accomplish the same end result, ansible-inventory fails with the following stack trace:

[root@3209917451f4 runner]# ansible-inventory -i inventory/azure_rm.yml --graph
[WARNING]: * Failed to parse /runner/inventory/azure_rm.yml with auto plugin: Failed to get credentials. Either pass as parameters, set environment variables, define a profile in ~/.azure/credentials, or install Azure CLI and log in (az login).
[WARNING]: * Failed to parse /runner/inventory/azure_rm.yml with ini plugin: Invalid host pattern ‘plugin:’ supplied, ending in ‘:’ is not allowed, this character is reserved to provide a port.
[WARNING]: Unable to parse /runner/inventory/azure_rm.yml as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
@all:

@ungrouped:
[root@3209917451f4 runner]# ansible-inventory -vvv -i inventory/azure_rm.yml --graph
ansible-inventory [core 2.15.2]
config file = /runner/project/ansible.cfg
configured module search path = [‘/root/.ansible/plugins/modules’, ‘/usr/share/ansible/plugins/modules’]
ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible-inventory
python version = 3.11.4 (main, Jun 7 2023, 00:00:00) [GCC 13.1.1 20230511 (Red Hat 13.1.1-2)] (/usr/bin/python3)
jinja version = 3.1.2
libyaml = True
Using /runner/project/ansible.cfg as config file
Using inventory plugin ‘ansible_collections.azure.azcollection.plugins.inventory.azure_rm’ to process inventory source ‘/runner/inventory/azure_rm.yml’
[WARNING]: * Failed to parse /runner/inventory/azure_rm.yml with auto plugin: Failed to get credentials. Either pass as parameters, set environment variables, define a profile in ~/.azure/credentials, or install Azure CLI and log in (az login).
File “/usr/local/lib/python3.11/site-packages/ansible/inventory/manager.py”, line 293, in parse_source
plugin.parse(self._inventory, self._loader, source, cache=cache)
File “/usr/local/lib/python3.11/site-packages/ansible/plugins/inventory/auto.py”, line 59, in parse
plugin.parse(inventory, loader, path, cache=cache)
File “/usr/share/ansible/collections/ansible_collections/azure/azcollection/plugins/inventory/azure_rm.py”, line 221, in parse
self._credential_setup()
File “/usr/share/ansible/collections/ansible_collections/azure/azcollection/plugins/inventory/azure_rm.py”, line 242, in _credential_setup
self.azure_auth = AzureRMAuth(**auth_options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/usr/share/ansible/collections/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py”, line 1514, in init
self.fail("Failed to get credentials. Either pass as parameters, set environment variables, "
File “/usr/share/ansible/collections/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py”, line 1640, in fail
self._fail_impl(msg)
File “/usr/share/ansible/collections/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py”, line 1643, in _default_fail_impl
raise AzureRMAuthException(msg)
[WARNING]: * Failed to parse /runner/inventory/azure_rm.yml with ini plugin: Invalid host pattern ‘plugin:’ supplied, ending in ‘:’ is not allowed, this character is reserved to provide a port.
File “/usr/local/lib/python3.11/site-packages/ansible/inventory/manager.py”, line 293, in parse_source
plugin.parse(self._inventory, self._loader, source, cache=cache)
File “/usr/local/lib/python3.11/site-packages/ansible/plugins/inventory/ini.py”, line 137, in parse
raise AnsibleParserError(e)
[WARNING]: Unable to parse /runner/inventory/azure_rm.yml as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
@all:
@ungrouped:

This is in a running instance of the ansible-builder built container, az login has successfully run, I can az account show/az vm list and see the subscription, tennant ID, resources etc.

I’ve done all the usual Googling and as much RTFMing as I can but haven’t found anything that would explain the difference in behaviour. More debug info below from the non-working ansible-builder container in case it helps. The behaviour persists whether podman or docker is used for the build. The only thing that seems obviously different between the two scenarios is that ansible-builder is building the EE with dumb-init?

Any suggestions are greatly appreciated.

Cheers,

Will.

2

Oh, and one more potentially useful data point, if I switch auth_source to explicitly ‘cli’ in the inventory plugin config I see the following:

[root@3209917451f4 runner]# cat inventory/azure_rm.yml
plugin: azure.azcollection.azure_rm
auth_source: cli
[root@3209917451f4 runner]# ansible-inventory -vvv -i inventory/azure_rm.yml --graph
ansible-inventory [core 2.15.2]
config file = /runner/project/ansible.cfg
configured module search path = [‘/root/.ansible/plugins/modules’, ‘/usr/share/ansible/plugins/modules’]
ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible-inventory
python version = 3.11.4 (main, Jun 7 2023, 00:00:00) [GCC 13.1.1 20230511 (Red Hat 13.1.1-2)] (/usr/bin/python3)
jinja version = 3.1.2
libyaml = True
Using /runner/project/ansible.cfg as config file
Using inventory plugin ‘ansible_collections.azure.azcollection.plugins.inventory.azure_rm’ to process inventory source ‘/runner/inventory/azure_rm.yml’
[WARNING]: * Failed to parse /runner/inventory/azure_rm.yml with auto plugin: Failed to import the required Python library (azure-cli) on 3209917451f4’s Python /usr/bin/python3. This is required for cli auth_source. Please read the module documentation and install it in the
appropriate location. If the required library is installed, but Ansible is using the wrong Python interpreter, please consult the documentation on ansible_python_interpreter
File “/usr/local/lib/python3.11/site-packages/ansible/inventory/manager.py”, line 293, in parse_source
plugin.parse(self._inventory, self._loader, source, cache=cache)
File “/usr/local/lib/python3.11/site-packages/ansible/plugins/inventory/auto.py”, line 59, in parse
plugin.parse(inventory, loader, path, cache=cache)
File “/usr/share/ansible/collections/ansible_collections/azure/azcollection/plugins/inventory/azure_rm.py”, line 221, in parse
self._credential_setup()
File “/usr/share/ansible/collections/ansible_collections/azure/azcollection/plugins/inventory/azure_rm.py”, line 242, in _credential_setup
self.azure_auth = AzureRMAuth(**auth_options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/usr/share/ansible/collections/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py”, line 1493, in init
self.credentials = self._get_credentials(
^^^^^^^^^^^^^^^^^^^^^^
File “/usr/share/ansible/collections/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py”, line 1759, in _get_credentials
self.fail(msg=missing_required_lib(‘azure-cli’, reason=‘for cli auth_source’),
File “/usr/share/ansible/collections/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py”, line 1640, in fail
self._fail_impl(msg)
File “/usr/share/ansible/collections/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py”, line 1643, in _default_fail_impl
raise AzureRMAuthException(msg)
[WARNING]: * Failed to parse /runner/inventory/azure_rm.yml with ini plugin: Invalid host pattern ‘plugin:’ supplied, ending in ‘:’ is not allowed, this character is reserved to provide a port.
File “/usr/local/lib/python3.11/site-packages/ansible/inventory/manager.py”, line 293, in parse_source
plugin.parse(self._inventory, self._loader, source, cache=cache)
File “/usr/local/lib/python3.11/site-packages/ansible/plugins/inventory/ini.py”, line 137, in parse
raise AnsibleParserError(e)
[WARNING]: Unable to parse /runner/inventory/azure_rm.yml as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
@all:

@ungrouped:

If I run python3 in the container, I can successfully import azure.core.cli modules:

[root@3209917451f4 runner]# python3
Python 3.11.4 (main, Jun 7 2023, 00:00:00) [GCC 13.1.1 20230511 (Red Hat 13.1.1-2)] on linux
Type “help”, “copyright”, “credits” or “license” for more information.

import azure.cli.core
dir(azure.cli.core)
[‘ALWAYS_LOADED_EXTENSIONS’, ‘ALWAYS_LOADED_MODULES’, ‘ARGCOMPLETE_ENV_NAME’, ‘ArgumentsContext’, ‘AzCLILocalContext’, ‘AzCli’, ‘AzCommandsLoader’, ‘CLI’, ‘CLICommandsLoader’, ‘CLIError’, ‘CaseInsensitiveList’, ‘CommandIndex’, ‘EVENT_FAILED_EXTENSION_LOAD’, ‘EXCLUDED_PARAMS’, ‘ExperimentalItem’, ‘LocalContextAction’, ‘MainCommandsLoader’, ‘ModExtensionSuppress’, ‘PreviewItem’, ‘builtins’, ‘cached’, ‘doc’, ‘file’, ‘loader’, ‘name’, ‘package’, ‘path’, ‘spec’, ‘version’, ‘_configure_knack’, ‘extract_args_from_signature’, ‘extract_full_summary_from_signature’, ‘get_default_cli’, ‘get_logger’, ‘local_context’, ‘logger’, ‘os’, ‘sys’, ‘timeit’]
dir(azure.cli.core.AzCli)
[‘class’, ‘delattr’, ‘dict’, ‘dir’, ‘doc’, ‘eq’, ‘format’, ‘ge’, ‘getattribute’, ‘getstate’, ‘gt’, ‘hash’, ‘init’, ‘init_subclass’, ‘le’, ‘lt’, ‘module’, ‘ne’, ‘new’, ‘reduce’, ‘reduce_ex’, ‘repr’, ‘setattr’, ‘sizeof’, ‘str’, ‘subclasshook’, ‘weakref’, ‘_configure_style’, ‘_print_init_log’, ‘_should_enable_color’, ‘_should_show_version’, ‘exception_handler’, ‘get_cli_version’, ‘get_progress_controller’, ‘get_runtime_version’, ‘invoke’, ‘raise_event’, ‘refresh_request_id’, ‘register_event’, ‘save_local_context’, ‘show_version’, ‘unregister_event’]

3

Just in case it’s of any use to someone Googling or trawling the archives, switching from prepend_final to append_final in additional_build_steps in the EE definition seems to resolve /whatever/ the issue is:

https://github.com/wmcdonald404/ee-sandbox/blob/main/.github/workflows/ee-deploy.yml#L83

additional_build_steps:
append_final: |
RUN rpm --import https://packages.microsoft.com/keys/microsoft.asc
RUN dnf install -y https://packages.microsoft.com/config/fedora/38/packages-microsoft-prod.rpm
RUN dnf -y install azure-cli

It seems like the azure-cli RPM-based install pulls in all its packaged dependencies correctly and shoves them into /usr/lib//site-packages.

And the pip install ansible-builder calls populates /usr/local/lib//site-packages.

So I’m not sure quite what’s happening in the sequencing of package/build that would be significantly different but switching prepend to append seems to do the trick.