Using --azure-credential with service principal to publish raises an ERROR You need to be logged in with your corporate credentials to perform this action.

[trevors20]

Hi there. I am trying out the new changes to vsce to use a federated service connection to publish to the marketplace and use the --azure-credential switch.

It looks like I am using version 2.31.0 of the vsce toolset.

I first validated using the verify-pat command that using the federated service connection is working:
vsce verify-pat [publishid] --azure-credential
The Personal Access Token verification succeeded for the publisher '[publishid]'.

But.... When I actually try to publish some vsix's for real, I get the following error:
vsce publish --azure-credential --pre-release --packagePath package1.vsix package2.vsix package3.vsix package4.vsix

INFO Publishing '[publishid].package1 v1.0.0'...
ERROR You need to be logged in with your corporate credentials to perform this action.

Does anyone have any ideas as to what is preventing me from publishing to the marketplace using an SP?
Thanks much!

CC: @lszomoru

[lszomoru]

What task/version are you using to run vsce? It's interesting that verify-pat succeeds but publishing does not.
Could you add the following line before calling vsce just so that we confirm that we are using the correct identity:

az rest -u https://app.vssps.visualstudio.com/_apis/profile/profiles/me --resource 499b84ac-1321-427f-aa17-267ca6975798

[trevors20]

Looks like vsce did not spit out the version. At the time, it should have been the latest version.
Let me add a call to vsce to show the version that we are using as well as the call to "az rest" and respond back with the information. We might not be able to attempt his until tomorrow.

[trevors20]

@lszomoru , We finally had a release and so we tried it with the additional logging.
Not sure if you are able to see this link or not but this is the output of the logs: https://devdiv.visualstudio.com/DevDiv/_build/results?buildId=10016488&view=logs&j=3c073bee-8c2e-5620-5ea2-f936c289b2ff&t=2cfe0b00-f61a-5101-2dd5-b2cfdfc8b2c7

[trevors20]

Also posting the logging here:
2024-08-08T16:23:32.8994124Z ##[section]Starting: 📦 Publish to Marketplace
2024-08-08T16:23:32.8998981Z ==============================================================================
2024-08-08T16:23:32.8999468Z Task : Azure CLI
2024-08-08T16:23:32.8999534Z Description : Run Azure CLI commands against an Azure subscription in a PowerShell Core/Shell script when running on Linux agent or PowerShell/PowerShell Core/Batch script when running on Windows agent.
2024-08-08T16:23:32.8999681Z Version : 2.242.0
2024-08-08T16:23:32.8999725Z Author : Microsoft Corporation
2024-08-08T16:23:32.8999780Z Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-cli
2024-08-08T16:23:32.8999885Z ==============================================================================
2024-08-08T16:23:33.1697555Z [command]/usr/bin/az --version
2024-08-08T16:23:41.5123875Z azure-cli 2.63.0
2024-08-08T16:23:41.5124585Z
2024-08-08T16:23:41.5125415Z core 2.63.0
2024-08-08T16:23:41.5125998Z telemetry 1.1.0
2024-08-08T16:23:41.5126446Z
2024-08-08T16:23:41.5127770Z Extensions:
2024-08-08T16:23:41.5128386Z azure-devops 1.0.1
2024-08-08T16:23:41.5128732Z
2024-08-08T16:23:41.5129194Z Dependencies:
2024-08-08T16:23:41.5129752Z msal 1.30.0
2024-08-08T16:23:41.5131716Z azure-mgmt-resource 23.1.1
2024-08-08T16:23:41.5132235Z
2024-08-08T16:23:41.5133079Z Python location '/opt/az/bin/python3'
2024-08-08T16:23:41.5133857Z Extensions directory '/opt/az/azcliextensions'
2024-08-08T16:23:41.5134409Z
2024-08-08T16:23:41.5135066Z Python (Linux) 3.11.8 (main, Jul 31 2024, 03:40:01) [GCC 9.4.0]
2024-08-08T16:23:41.5135540Z
2024-08-08T16:23:41.5136075Z Legal docs and information: aka.ms/AzureCliLegal
2024-08-08T16:23:41.5136411Z
2024-08-08T16:23:41.5136681Z
2024-08-08T16:23:41.5137263Z Your CLI is up-to-date.
2024-08-08T16:23:41.5139824Z Setting AZURE_CONFIG_DIR env variable to: /mnt/vss/_work/_temp/.azclitask
2024-08-08T16:23:41.5204693Z Setting active cloud to: AzureCloud
2024-08-08T16:23:41.5209046Z [command]/usr/bin/az cloud set -n AzureCloud
2024-08-08T16:24:06.7328546Z [command]/usr/bin/az login --service-principal -u *** --tenant 72f988bf-NNNN-NNNN-NNNN-NNNNNNNNNNNN --allow-no-subscriptions --federated-token ***
2024-08-08T16:24:07.6391688Z [
2024-08-08T16:24:07.6395438Z {
2024-08-08T16:24:07.6395641Z "cloudName": "AzureCloud",
2024-08-08T16:24:07.6399061Z "homeTenantId": "72f988bf-NNNN-NNNN-NNNN-NNNNNNNNNNNN",
2024-08-08T16:24:07.6399490Z "id": "bd62906c-NNNN-NNNN-NNNN-NNNNNNNNNNNN",
2024-08-08T16:24:07.6399730Z "isDefault": true,
2024-08-08T16:24:07.6399944Z "managedByTenants": [],
2024-08-08T16:24:07.6400149Z "name": "DevDiv Key Vault",
2024-08-08T16:24:07.6400352Z "state": "Enabled",
2024-08-08T16:24:07.6400695Z "tenantId": "72f988bf-NNNN-NNNN-NNNN-NNNNNNNNNNNN",
2024-08-08T16:24:07.6400914Z "user": {
2024-08-08T16:24:07.6401326Z "name": "***",
2024-08-08T16:24:07.6401555Z "type": "servicePrincipal"
2024-08-08T16:24:07.6401746Z }
2024-08-08T16:24:07.6401887Z }
2024-08-08T16:24:07.6402035Z ]
2024-08-08T16:24:07.6406805Z [command]/usr/bin/az account set --subscription bd62906c-NNNN-NNNN-NNNN-NNNNNNNNNNNN
2024-08-08T16:24:08.0900903Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command . '/mnt/vss/_work/_temp/azureclitaskscript1723134213162.ps1'
2024-08-08T16:24:08.8160288Z 2.31.1
2024-08-08T16:24:09.6402718Z {
2024-08-08T16:24:09.6404655Z "coreRevision": 454190310,
2024-08-08T16:24:09.6406094Z "displayName": "72f988bf-NNNN-NNNN-NNNN-NNNNNNNNNNNN\c57d5b84-NNNN-NNNN-NNNN-NNNNNNNNNNNN",
2024-08-08T16:24:09.6408656Z "emailAddress": "",
2024-08-08T16:24:09.6409017Z "id": "30f63012-NNNN-NNNN-NNNN-NNNNNNNNNNNN",
2024-08-08T16:24:09.6409395Z "publicAlias": "30f63012-NNNN-NNNN-NNNN-NNNNNNNNNNNN",
2024-08-08T16:24:09.6409592Z "revision": 454190310,
2024-08-08T16:24:09.6409935Z "timeStamp": "2024-05-23T19:58:30.6866667+00:00"
2024-08-08T16:24:09.6410394Z }
2024-08-08T16:24:10.2586266Z Shipping branch: refs/heads/prerelease
2024-08-08T16:24:10.3489713Z ##[command]vsce publish --azure-credential --pre-release --packagePath csdevkit-win32-x64-1.10.4.vsix csdevkit-win32-arm64-1.10.4.vsix csdevkit-linux-x64-1.10.4.vsix csdevkit-linux-arm64-1.10.4.vsix csdevkit-darwin-x64-1.10.4.vsix csdevkit-darwin-arm64-1.10.4.vsix csdevkit-alpine-x64-1.10.4.vsix csdevkit-alpine-arm64-1.10.4.vsix
2024-08-08T16:24:11.0401831Z azure:identity:info EnvironmentCredential => Found the following environment variables: AZURE_CLIENT_ID
2024-08-08T16:24:11.0413127Z azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
2024-08-08T16:24:11.0452627Z azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
2024-08-08T16:24:11.0474781Z azure:identity:info AzureCliCredential => getToken() => Using the scope 499b84ac-1321-427f-aa17-267ca6975798/.default
2024-08-08T16:24:11.7152525Z azure:identity:info AzureCliCredential => getToken() => expires_on is available and is valid, using it
2024-08-08T16:24:11.7156893Z azure:identity:info AzureCliCredential => getToken() => SUCCESS. Scopes: 499b84ac-1321-427f-aa17-267ca6975798/.default.
2024-08-08T16:24:11.7198449Z azure:identity:info ChainedTokenCredential => getToken() => Result for AzureCliCredential: SUCCESS. Scopes: 499b84ac-1321-427f-aa17-267ca6975798/.default.
2024-08-08T16:24:11.7199024Z INFO Publishing 'ms-dotnettools.csdevkit (win32-x64) v1.10.4'...
2024-08-08T16:24:13.0572966Z ERROR You need to be logged in with your Microsoft corporate credentials to perform this action.
2024-08-08T16:24:13.1566392Z
2024-08-08T16:24:13.1685633Z ##[error]Script failed with exit code: 1
2024-08-08T16:24:13.1825732Z [command]/usr/bin/az account clear
2024-08-08T16:24:13.9408940Z ##[section]Finishing: 📦 Publish to Marketplace