
Use vscode authentication instead of Azure Account extension #15403

Merged (6 commits), Nov 15, 2024

Conversation

StephenWeatherford

@StephenWeatherford StephenWeatherford commented Oct 25, 2024

NOTE: I plan on not merging this until the current release ships, so we have some time to dogfood internally before the December release.

Fixes #14101

Overview of UI changes (images from https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-vscode)

image

NEW: You never see this menu now. Instead, if you aren't logged in, you'll see something like this:
image

image

NEW: Bicep no longer uses the Azure Account extension (it's being deprecated). Instead, it uses new built-in vscode functionality that is integrated with vscode's UI, e.g.:
image
and also integrates with other extensions like the Azure Resources extension.

The statement that deployment doesn't use values from the bicepconfig.json is correct. Instead, if you need to sign in to a custom cloud, use this vscode setting before signing in:
image

Note: multiple signed-in accounts isn't currently supported (you may need to sign out of one first using the vscode UI above), although hopefully that will be fixed soon, perhaps even before this feature change ships.
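As an added illustration (not code from this PR or from Bicep), here is how a server-side TokenCredential can wrap a bearer token and expiry handed over by the vscode client, refuse to reuse it once it is within a skew window of expiring, and ask the client for a fresh one instead; the class name, the refresh delegate and the two-minute skew are assumptions, and the token itself is never logged.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;

// Hypothetical example credential: the vscode client obtains the token via the
// built-in authentication API and passes token + expiry to the server; the server
// only hands it to Azure SDK clients while it is still valid.
public sealed class TokenFromClientCredential : TokenCredential
{
    // Callback that asks the client for a new (token, expiresOn) pair.
    private readonly Func<CancellationToken, Task<(string Token, DateTimeOffset ExpiresOn)>> _refresh;
    // Assumed safety margin: refresh slightly before the server-reported expiry.
    private readonly TimeSpan _skew = TimeSpan.FromMinutes(2);
    private readonly SemaphoreSlim _gate = new(1, 1);
    private AccessToken _current;

    public TokenFromClientCredential(
        string token,
        DateTimeOffset expiresOn,
        Func<CancellationToken, Task<(string Token, DateTimeOffset ExpiresOn)>> refresh)
    {
        if (string.IsNullOrEmpty(token))
            throw new ArgumentException("token must not be empty", nameof(token));
        _current = new AccessToken(token, expiresOn);
        _refresh = refresh ?? throw new ArgumentNullException(nameof(refresh));
    }

    public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
        => GetTokenAsync(requestContext, cancellationToken).AsTask().GetAwaiter().GetResult();

    public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
    {
        // Serialize access so concurrent callers share one refresh round-trip.
        await _gate.WaitAsync(cancellationToken);
        try
        {
            if (NeedsRefresh(_current))
            {
                var (token, expiresOn) = await _refresh(cancellationToken);
                if (string.IsNullOrEmpty(token) || expiresOn <= DateTimeOffset.UtcNow)
                {
                    // Do not fall back to the stale token: surface a sign-in problem instead.
                    throw new InvalidOperationException("Client returned no usable token; sign in again in vscode.");
                }
                _current = new AccessToken(token, expiresOn);
            }
            return _current;
        }
        finally
        {
            _gate.Release();
        }
    }

    private bool NeedsRefresh(AccessToken t) => t.ExpiresOn - _skew <= DateTimeOffset.UtcNow;
}
```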

StephenWeatherford changed the title from "Azure Account extension going bye-bye" to "WIP: Azure Account extension going bye-bye" on Oct 25, 2024
@slavizh

slavizh commented Oct 30, 2024

While this change is being done, is it possible to verify in advance that container registry access via Lighthouse permissions works with the new authentication mechanism? Basically fixing #8714.

StephenWeatherford changed the title from "WIP: Azure Account extension going bye-bye" to "Use vscode authentication instead of Azure Account extension" on Oct 30, 2024

github-actions bot commented Oct 30, 2024

Test this change out locally with the following install scripts (Action run 11848453163)

VSCode
  • Mac/Linux
    bash <(curl -Ls https://aka.ms/bicep/nightly-vsix.sh) --run-id 11848453163
  • Windows
    iex "& { $(irm https://aka.ms/bicep/nightly-vsix.ps1) } -RunId 11848453163"
Azure CLI
  • Mac/Linux
    bash <(curl -Ls https://aka.ms/bicep/nightly-cli.sh) --run-id 11848453163
  • Windows
    iex "& { $(irm https://aka.ms/bicep/nightly-cli.ps1) } -RunId 11848453163"


github-actions bot commented Oct 30, 2024

Dotnet Test Results

78 files (-39), 78 suites (-39), duration 29m 24s (-14m 2s)
11 414 tests (-25): 11 414 passed (-24), 0 skipped (±0), 0 failed (-1)
26 559 runs (-13 275): 26 559 passed (-13 274), 0 skipped (±0), 0 failed (-1)

Results for commit 7091480. ± Comparison against base commit 4b190e2.

This pull request removes 1841 and adds 630 tests. Note that renamed tests count towards both.


@StephenWeatherford StephenWeatherford marked this pull request as ready for review October 30, 2024 22:42
@@ -9,9 +9,16 @@ public class CredentialFromTokenAndTimeStamp : TokenCredential
{

@StephenWeatherford StephenWeatherford Oct 31, 2024

See Conversation tab for the UI changes. NOTE: I've tested all deployment scopes with both the Deploy Bicep File... menu and also the deployment pane. I've also tested on ChinaCloud, but deployment pane doesn't currently succeed with sovereign clouds (#14834), not with my changes here. The wrong credentials are somehow getting used.

StephenWeatherford changed the title from "Use vscode authentication instead of Azure Account extension" to "Use vscode authentication instead of Azure Account extension [for December release]" on Oct 31, 2024
@anthony-c-martin
Member

While this change is being done, is it possible to verify in advance that container registry access via Lighthouse permissions works with the new authentication mechanism? Basically fixing #8714.

@slavizh in case you're interested in testing yourself, you can use the scripts in the above comment to preview the changes:

image

@slavizh

slavizh commented Nov 6, 2024

@anthony-c-martin I have tried the build but am still getting an error, although I think it is not caused by the build as I get the same error with the latest stable release as well. The error is pasted below. As far as I understand the error, it cannot find any credentials (in my case from the VisualStudioCode type) to authenticate. And this is the strange thing, because I have authenticated multiple times, changed directories (tenants), selected subscriptions and am still getting the same error. If I have the time I will try to see if I first can successfully authenticate via VisualStudioCode by just having Azure RBAC access, and then after I succeed I will try using Lighthouse. I for sure remember that previously access via RBAC was working fine, and even when I chose to use Lighthouse it was throwing some other authentication error, not the credentials-not-found one.

A side thing from this I have found this message:

"It's a known issue that VisualStudioCodeCredential doesn't work with Azure Account extension versions newer than 0.9.11. A long-term fix to this problem is in progress. In the meantime, consider authenticating with AzureCliCredential."
in
https://learn.microsoft.com/en-us/dotnet/api/azure.identity.visualstudiocodecredential?view=azure-dotnet
which I do not know if it is true or not.

Unhandled exception: Azure.Identity.CredentialUnavailableException: Stored credentials not found. Need to authenticate user in VSCode Azure Account. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/vscodecredential/troubleshoot
 ---> System.InvalidOperationException: CredRead has failed but error is unknown.
   at Azure.Identity.WindowsNativeMethods.ThrowIfFailed(Boolean isSucceeded, String methodName)
   at Azure.Identity.WindowsNativeMethods.CredRead(String target, CRED_TYPE type)
   at Azure.Identity.WindowsVisualStudioCodeAdapter.GetCredentials(String serviceName, String accountName)
   at Azure.Identity.VisualStudioCodeCredential.GetStoredCredentials(String environmentName)
   --- End of inner exception stack trace ---
   at Azure.Identity.ChainedTokenCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ChainedTokenCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Containers.ContainerRegistry.ContainerRegistryRefreshTokenCache.GetRefreshTokenFromCredentialAsync(TokenRequestContext context, String service, Boolean async, CancellationToken cancellationToken)
   at Azure.Containers.ContainerRegistry.ContainerRegistryRefreshTokenCache.GetAcrRefreshTokenAsync(HttpMessage message, TokenRequestContext context, String service, Boolean async)
   at Azure.Containers.ContainerRegistry.ContainerRegistryRefreshTokenCache.GetAcrRefreshTokenAsync(HttpMessage message, TokenRequestContext context, String service, Boolean async)
   at Azure.Containers.ContainerRegistry.ContainerRegistryChallengeAuthenticationPolicy.AuthorizeRequestOnChallengeAsyncInternal(HttpMessage message, Boolean async)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Containers.ContainerRegistry.ContainerRegistryRestClient.GetManifestAsync(String name, String reference, String accept, CancellationToken cancellationToken)
   at Azure.Containers.ContainerRegistry.ContainerRegistryContentClient.GetManifestInternalAsync(String reference, Boolean async, CancellationToken cancellationToken)
   at Azure.Containers.ContainerRegistry.ContainerRegistryContentClient.GetManifestAsync(String tagOrDigest, CancellationToken cancellationToken)
   at Bicep.Core.Registry.AzureContainerRegistryManager.DownloadManifestAndLayersAsync(IOciArtifactReference artifactReference, ContainerRegistryContentClient client) in C:\__w\1\s\bicep\src\Bicep.Core\Registry\AzureContainerRegistryManager.cs:line 135
   at Bicep.Core.Registry.AzureContainerRegistryManager.<>c__DisplayClass4_0.<<PullArtifactAsync>g__DownloadManifestInternalAsync|0>d.MoveNext() in C:\__w\1\s\bicep\src\Bicep.Core\Registry\AzureContainerRegistryManager.cs:line 43
--- End of stack trace from previous location ---
   at Bicep.Core.Registry.AzureContainerRegistryManager.PullArtifactAsync(RootConfiguration configuration, IOciArtifactReference artifactReference) in C:\__w\1\s\bicep\src\Bicep.Core\Registry\AzureContainerRegistryManager.cs:line 62
   at Bicep.Core.Registry.OciArtifactRegistry.TryRestoreArtifactAsync(RootConfiguration configuration, OciArtifactReference reference) in C:\__w\1\s\bicep\src\Bicep.Core\Registry\OciArtifactRegistry.cs:line 499
bicep[BCP192](https://aka.ms/bicep/core-diagnostics#BCP192)

@StephenWeatherford
Contributor Author

@slavizh @anthony-c-martin @shenglol Yes, unfortunately this change will not affect #8714 at all, it only affects bicep file deployment in vscode, and not module restore, since module restore also has to work from commandline, outside of vscode.

"It's a known issue (Azure/azure-sdk-for-net#27263) that VisualStudioCodeCredential doesn't work with Azure Account extension versions newer than 0.9.11. A long-term fix to this problem is in progress. In the meantime, consider authenticating with AzureCliCredential."
in
https://learn.microsoft.com/en-us/dotnet/api/azure.identity.visualstudiocodecredential?view=azure-dotnet
which I do not know if it is true or not.

Correct, that's what I was trying to explain here:

We don't own the code that implements the "VisualStudioCode" option in bicepconfig.json (which is used just for module restoration, and not deployment). When it is eventually fixed, I assume it will also use the same vscode authentication mechanism. (Right now it uses the Azure Account extension's stored credentials, although it doesn't work with newer extension versions.) So, if Lighthouse is compatible with the Azure Resources extension, I expect eventually VisualStudioCode in bicepconfig.json will also, eventually (not under our control, nor vscode's, although vscode is working with them).

Presumably vscode's recent authentication API is part of that long-term fix, although I don't have any inside knowledge of that. So until this is fixed, @anthony-c-martin @shenglol it seems like we should at least put a warning in bicepconfig.json if it's used?

@slavizh You were able to determine that vscode supports Lighthouse, right (i.e., that it works in the Azure Resources extension)?

StephenWeatherford changed the title from "Use vscode authentication instead of Azure Account extension [for December release]" to "Use vscode authentication instead of Azure Account extension" on Nov 6, 2024
@slavizh

slavizh commented Nov 7, 2024

@StephenWeatherford yes. Basically Lighthouse works by projecting subscriptions/resources into your tenant. Because I have a user that is from tenant1 and it is also guest on tenant2. The subscriptions are in tenant2 so I have access to the subscriptions if I see them as logged to tenant2 and as logged to tenant1 (via Lighthouse). In the azure resources extensions I was able to see the same subscriptions twice. Thus my assumption that it works because I see the subscription once as I am getting access via tenant2 and second time via Lighthouse with tenant1. I hope that explains it if you are not completely familiar with Lighthouse.

One thing that is not clear from the documentation is what are the requirements for the Visual Studio code option and the steps to logon properly. My assumption is that it uses Azure Account extension and based on where you are logged there it takes those credentials. If that is the case might be good to add requirements and small how to guide or link to Azure extension if it has documentation on logging.

I will still try to test if VSC option works via normal Azure RBAC as the mentioned version of Azure Account extension is 3 years old and I remember the VSC option working at least for RBAC at most one year ago.

@slavizh

slavizh commented Nov 7, 2024

I have tested just by using Azure RBAC but couldn't make it work. Getting the same error always. I even tried installing 0.9.10 version of Azure Account extension and still it is the same. I even tried enabling MSAL settings in VSC

image

image

and still the same error. Now I wonder if this was ever working or I am doing something completely wrong.

My main steps are:

  1. set VisualStudioCode in bicepconfig.
  2. F1: Azure: Sign in (azure-account.login).
  3. F1: Restore bicep module

Sign out was performed when I changed some setting to make sure all was from clear start.

As soon as I use CLI or PS options it works.

@StephenWeatherford

@alexweininger @slavizh @shenglol I tried with Azure Account 0.9.10 and got the same result - I logged in using "Azure: Sign In" and could see subscriptions listed via "Azure: Select Subscriptions", but still bicep fails on module restore with CredentialUnavailableException, suggesting I need to log in. I also note that if I reload the window and try "Azure: Select Subscriptions" again, no subscriptions show, indicating the Azure Account extension is not able to store its credentials properly.

I.e., it appears VisualStudioCodeCredential no longer works at all with newer versions of vscode, even if using old versions of the Azure Account extension. Sorry for the inconvenience. We'll discuss changing our docs at the very least until VisualStudioCodeCredential is fixed.

TL;DR

I believe this is what is happening... The old Azure Account extension used to use keytar to store credentials. I believe that for that info to be sharable with other extensions, it had to use the keytar installed with vscode, so it dynamically loaded it from vscode's node_modules\keytar folder (see https://github.com/microsoft/vscode-azure-account/blob/c465c17c86c9ffeb1543a3e5372993eb0a56de0e/src/utils/keytar.ts). In 0.9.12, they removed this code, but VisualStudioCodeCredential was looking for the credentials from vscode using keytar, so it worked with versions <= 0.9.11. Sometime later, vscode stopped shipping with keytar (probably when adding the authentication API), so now 0.9.11 can no longer store its credentials and VisualStudioCodeCredential can no longer find them.

@alexweininger

What Stephen explained is accurate to my knowledge (from the Azure Account side of things)

@slavizh

slavizh commented Nov 8, 2024

I am glad that we now have clear indication about the root cause of the issue.


@shenglol shenglol left a comment

:shipit:

@StephenWeatherford StephenWeatherford merged commit f507ed0 into main Nov 15, 2024
46 of 47 checks passed
@StephenWeatherford StephenWeatherford deleted the sw/241004-new-auth-provider branch November 15, 2024 01:18
5 participants