AZ CLI Issue - Github Actions Self hosted runner

Question

I get the error shown in screenshot below while trying to fetch Azure key vault secrets using Azure CLI from github actions. The error says Please run 'az login' to setup account.

As one can see, the AZ login was successful in the previous step. Based on the suggestion here, I have installed Azure CLI - eventhough the output says Azure CLI is already up to date in the self hosted runner.

What can be done to overcome this issue?

yml snippet

- name: Install Azure CLI
    run: |
      sudo apt-get install ca-certificates curl apt-transport-https lsb-release gnupg
      curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | 
      sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
      AZ_REPO=$(lsb_release -cs)
      echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO 
      main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
      sudo apt-get update
      sudo apt-get install azure-cli
      
  - name: Login to Azure
    uses: azure/login@v1
    with:
       client-id: ${{ secrets.AZURE_CLIENT_ID }}
       tenant-id: ${{ secrets.AZURE_TENANT_ID }}
       subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
  - uses: azure/CLI@v1
    with: 
      inlineScript: |
        value1=$(az keyvault secret show --name $AZURE_SECRET_NAME --vault-name $AZURE_KEYVAULT_NAME --query value -o tsv)
        echo $value1
        value2=$(az keyvault secret show --name $AZURE_SECRET_NAME --vault-name $AZURE_KEYVAULT_NAME --query value)
        echo $value2
        #echo "::add-mask::$value"
        #printf "%s\n" $value >> GITHUB_OUTPUT
        echo "${value2//\"}" >> GITHUB_OUTPUT

Answer 1

I ran the below Github workflow and got the Key vault secrets successfully after successful login by installing Azure CLI, Refer below:-

My github workflow:-

My complete github workflow Link

Referred Install Azure CLI commands from this MS Document and az key vault secret show command from here

name: Azure Key Vault Secrets

on:
  push:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v2

    - name: Install Azure CLI
      run: |
        sudo apt-get update
        sudo apt-get install ca-certificates curl apt-transport-https lsb-release gnupg
        sudo mkdir -p /etc/apt/keyrings
        curl -sLS https://packages.microsoft.com/keys/microsoft.asc |
            gpg --dearmor |
            sudo tee /etc/apt/keyrings/microsoft.gpg > /dev/null
        sudo chmod go+r /etc/apt/keyrings/microsoft.gpg
        AZ_REPO=$(lsb_release -cs)
        echo "deb [arch=`dpkg --print-architecture` signed-by=/etc/apt/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" |
        sudo tee /etc/apt/sources.list.d/azure-cli.list
        sudo apt-get update
        sudo apt-get install azure-cli

    - name: Login to Azure
      uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}

    - name: Authenticate Azure CLI
      run: az login

    - uses: azure/CLI@v1
      with: 
        inlineScript: |
          value1=$(az keyvault secret show --name keyvaultsecret --vault-name siliconkeyvault12 --query value -o tsv)
          echo $value1
          value2=$(az keyvault secret show --name keyvaultsecret --vault-name siliconkeyvault12 --query value)
          echo $value2
          #echo "::add-mask::$value"
          #printf "%s\n" $value >> GITHUB_OUTPUT
          echo "${value2//\"}" >> GITHUB_OUTPUT 

Output:-

In Authenticate Azure CLI step it asked me to authenticate with the URL which I authenticated with my Azure account having proper role assigned on Key vault to access secret refer below:-

Key vault secret value got printed successfully like below:-

Portal:-

Key vault IAM to my user account:-

Key vault Secret:-

My Access policy is set to IAM in my Key vault.