0
votes

I have created a new token with Agent Pool read and manage permissions. I have created a new agent pool lnx_agent in which I have the administrator role to manage it. When I download the Linux x64 agent tar file from this link https://vstsagentpackage-azureedge-net.o365.example-domain.defendernet.com/agent/2.171.1/vsts-agent-linux-x64-2.171.1.tar.gz, copy it to the bastion host, unpack it and execute ./config.sh with the URL, PAT token, agent pool as lnx_agent and default agent name as bastion_agent, I get the error message below.

[2020-06-28 20:24:35Z ERR  VisualStudioServices] POST request to https://vssps-dev-azure-com.o365.example-domain.defendernet.com/Example-Client/_apis/oauth2/token failed. HTTP Status: BadRequest, AFD Ref: Ref A: C7A934103EDF47B2B3E6F148516B35B5 Ref B: DB3EDGE1015 Ref C: 2020-06-28T20:24:35Z
[2020-06-28 20:24:35Z INFO VisualStudioServices] AAD Correlation ID for this token request: Unknown
[2020-06-28 20:24:35Z INFO VisualStudioServices] Finished operation Location.GetConnectionData
[2020-06-28 20:24:35Z INFO VisualStudioServices] Finished operation Location.GetConnectionData
[2020-06-28 20:24:35Z INFO VisualStudioServices] Finished operation Location.GetConnectionData
[2020-06-28 20:24:35Z ERR  Agent] Microsoft.VisualStudio.Services.OAuth.VssOAuthTokenRequestException: The token audience is not valid https://vssps-dev-azure-com.o365.example-domain.defendernet.com/Example-Client/_apis/oauth2/token. Comparing to https://vssps-dev-azure-com.o365.example-domain.defendernet.com/Example-Client/_apis/oauth2/token; https://app-vssps-visualstudio-com.o365.example-domain.defendernet.com/Example-Client/_apis/oauth2/token.

Example-Client is my project and example-domain is my company name. What does "AAD Correlation ID for this token request: Unknown" mean?

Since my AKS cluster is private, all three options to connect to it from an Azure release pipeline (kubeconfig, service account and subscription) fail. So, if I could configure a self-hosted agent on the bastion host, whose virtual network is peered with the virtual network of the private AKS cluster, then I could automate the CD pipeline by running the agent on this bastion host.

 az devops login --organization https://dev-azure-com.o365.example-domain.defendernet.com/Example-Client
Token:
Failed to store PAT using keyring; falling back to file storage.
You can clear the stored credential by running az devops logout.
Refer https://aka.ms/azure-devops-cli-auth to know more on sign in with PAT.
2
Can you access your Azure DevOps organization directly from this bastion host? - Andy Li-MSFT
Yes, I have updated the question with the az devops login command execution @AndyLi-MSFT - Prakashsinha Bayas
It appears that you cannot access the Azure DevOps organization. Can you login successfully via browser with user name and password? I mean access the ADO directly in the browser. - Andy Li-MSFT
I can access the Azure DevOps organization. I am not the account owner, as it is my free credit account. However, I am a user in one of the subscriptions and in the active directory too. - Prakashsinha Bayas
Could you please confirm your Azure DevOps organization URL? Generally, the URL should be something like this: https://dev.azure.com/{organization} or https://{organization}.visualstudio.com/. But according to your description, it seems your URL is https://dev-azure-com.o365.example-domain.defendernet.com/Example-Client. We have never seen such an Azure DevOps URL. - Andy Li-MSFT

2 Answers

2
votes

Firstly, please make sure you can access the Azure DevOps organization (https://dev.azure.com/{organization}) from the bastion host. Otherwise we cannot connect to the Azure DevOps services.

Secondly, please check whether you are running a firewall or a proxy on the bastion host. If you're running an agent in a secure network behind a firewall, make sure the agent can initiate communication with the URLs and IP addresses mentioned in the documents below.
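The two checks the answer asks for (is the organization URL really an Azure DevOps URL, and is a proxy or firewall in the way) can be run on the bastion host before a PAT is ever typed into ./config.sh. The script below is an added example written for this thread, not the agent's own tooling: `ado_org_url_ok` accepts only the canonical shapes Andy Li-MSFT lists (https://dev.azure.com/{organization} and https://{organization}.visualstudio.com), so the rewritten host in the question's log would be flagged before the token-audience error ever appears; `proxy_vars_set` reports proxy variables that ./config.sh would inherit; `reachable` is a plain curl connection test. The function names, the use of curl and the sample URLs in the test are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight checks for a self-hosted Azure DevOps agent (added example).
# Nothing here reads or stores the PAT; it only inspects the URL and the environment.

# Return 0 when URL is https://dev.azure.com/{organization} or
# https://{organization}.visualstudio.com (a trailing slash is tolerated), 1 otherwise.
ado_org_url_ok() {
    url=${1%/}
    case "$url" in
        https://dev.azure.com/*/*) return 1 ;;          # deeper than the organization segment
        https://dev.azure.com/?*) org=${url#https://dev.azure.com/} ;;
        https://?*.visualstudio.com) org=${url#https://}; org=${org%.visualstudio.com} ;;
        *) return 1 ;;                                  # any other host, e.g. a rewritten/proxied one
    esac
    # The organization must be a single label: no dots, slashes or spaces.
    case "$org" in
        *[./\ ]*) return 1 ;;
    esac
    return 0
}

# Print every proxy variable the agent process would inherit; return 0 if any is set.
proxy_vars_set() {
    found=1
    for v in http_proxy https_proxy HTTP_PROXY HTTPS_PROXY no_proxy NO_PROXY; do
        eval "val=\"\${$v:-}\""
        if [ -n "$val" ]; then
            echo "$v=$val"
            found=0
        fi
    done
    return $found
}

# Return 0 when an HTTPS connection to the URL can be established (any HTTP status).
reachable() {
    curl -sS -L -o /dev/null --max-time 15 "$1"
}

# Usage: sh preflight.sh https://dev.azure.com/{organization}
if [ "$#" -gt 0 ]; then
    org_url=$1
    if ado_org_url_ok "$org_url"; then
        echo "OK: $org_url has the expected Azure DevOps shape"
    else
        echo "WARN: $org_url is not https://dev.azure.com/{organization} or https://{organization}.visualstudio.com"
    fi
    if proxy_vars_set; then
        echo "NOTE: the proxy variables above will be inherited by ./config.sh"
    fi
    if reachable "$org_url"; then
        echo "OK: connection to $org_url established"
    else
        echo "WARN: could not connect to $org_url (firewall, proxy or DNS)"
    fi
fi
```

If the URL check fails, fix the organization URL (or the network path that rewrites it) before retrying ./config.sh; a PAT presented to the wrong host cannot produce a valid token audience, which is exactly the comparison that failed in the question's log.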