Error: TF401444 when trying to push a template onto Azure Devops | Backstage | Page 1

worn owl Sep 24, 2024, 6:08 PM

#

Hi I'm setting up Azure integration on Backstage for our org, and we're using a service principal for the azure integration in app-config.yaml. When I try to push a software template to Azure Devops, it fails at the Publish step with the following error:

Error: TF401444: Please sign-in at least once as <OUR_TENANT_ID>in a web browser to enable access to the service.

Although publishing works with when using a PAT, but we'd like to use the service principal

pliant estuary Sep 24, 2024, 6:20 PM

#

Did you try what it suggests? I.e. sign in at least once in a web browser.

worn owl Sep 24, 2024, 6:22 PM

#

this is a service principal though, not a user. i don't think you can sign in to an application through the UI

#

i tried logging in through the azure cli using the SP credentials but still no luck

pliant estuary Sep 24, 2024, 6:26 PM

#

So you cannot sign in with the service principal using the azure cli either?

#

Does it give the same error?

worn owl Sep 24, 2024, 6:27 PM

#

im able to sign in using the CLI

#

but that doesn't fix the error

pliant estuary Sep 24, 2024, 6:59 PM

#

Ok hrrmm.

spice arrow Sep 25, 2024, 6:23 AM

#

There was a fix for managed identity in the latest release, this was the issue: https://github.com/backstage/backstage/issues/26368. not sure if the same would have helped here with service principal.

#

What version of Backstage are you on?

worn owl Sep 25, 2024, 5:26 PM

#

spice arrow What version of Backstage are you on?

1.31.1

spice arrow Sep 27, 2024, 11:19 AM

#

Ah, ok, can you log an issue for this then? I don't have a solution and that would allow us to get some of the other Azure DevOps users involved 👍

narrow stratus Sep 28, 2024, 1:57 PM

#

Is the managed identity listed as a member of your org at https://dev.azure.com/ORG/_settings/users ? If not you may need to add them. (If you do add them.

If adding the user doesn't seem to work, make sure you have spare licences, and also make sure you did not tick Send email invites (to Users only) when you added the user.

If your user does show up in that list but you still can't log in, you're likely lookign at either some form of consent being needed, or some kind of conditional access policies applied by your tenant administrator.

worn owl Oct 4, 2024, 2:07 PM

#

narrow stratus Is the managed identity listed as a member of your org at https://dev.azure.com/...

we've tried adding the MI to the org and have given it admin perms for a particular project. now i'm getting this:

CredentialUnavailableError: ManagedIdentityCredential: Authentication failed. Message ManagedIdentityCredential: The managed identity endpoint is not available.

when trying to read a repo under said project

narrow stratus Oct 4, 2024, 2:08 PM

#

What azure service are you running on? AKS, Container Apps, App Service etc.

#Error: TF401444 when trying to push a template onto Azure Devops