SqlAzureDacpacDeployment - Login failed for user '<token-identified principal>'. Token is expired
Using a dacpac deployment like so from Azure Devops pipeline.
- task: SqlAzureDacpacDeployment@1
inputs:
azureSubscription: 'subscription id'
AuthenticationType: 'servicePrincipal'
ServerName: 'server name value'
DatabaseName: 'db name value'
deployType: 'DacpacTask'
DeploymentAction: 'Publish'
DacpacFile: 'dacpac_file_name.dacpac'
AdditionalArguments: '/p:BlockOnPossibleDataLoss=false /p:VerifyDeployment=false /p:ignorePermissions=true'
It works fine, runs and does its thing but after about an hour the task errors out with message:
Login failed for user ''. Token is expired
This is a bit random, but it looks like I am getting these errors only during long running jobs. For anything shorter it works fine and there's no problem. Any advice?
It works fine, runs and does its thing but after about an hour the task errors out with message: Login failed for user ''. Token is expired
Unfortunately, To increase security and avoid data theft. By default the Azure AD application's Token Expiry is 1 hr. In order to use the Token again you need to refresh it by authenticating with the Azure SQL Server again.
Reference:- Configurable token lifetimes - Microsoft Entra | Microsoft Learn
As, An Alternative you can increase the Access token lifetime of your azure ad app to maximum 24 hours by running the Powershell command below:-
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"23:59:59"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $true -Type "TokenLifetimePolicy" $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '<service principal display name>'" Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
Output:-
Make sure you Install AzureADPreview module in your Powershell for the AzureAD Policy to work.
Install-Module -Name AzureADPreview
Remove-Module AzureAD
Import-module AzureADPreview
As an alternative, You can use SQL Authentication or Azure AD Based authentication to avoid token expiry as you can still use your Azure DevOps service connection to authenticate with your AzureSQLdacpac Deployment task. Refer below:-
SQL Authentication:-
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger:
- main
pool:
vmImage: windows-latest
steps:
- script: echo Hello, world!
displayName: 'Run a one-line script'
- script: |
echo Add other tasks to build, test, and deploy your project.
echo See https://aka.ms/yaml
displayName: 'Run a multi-line script'
- task: SqlAzureDacpacDeployment@1
inputs:
azureSubscription: 'AzureSQL987'
AuthenticationType: 'server'
ServerName: '<azuresqlserver>.database.windows.net, 1433'
DatabaseName: 'silicondb987'
SqlUsername: '<username>'
SqlPassword: '<password>'
deployType: 'DacpacTask'
DeploymentAction: 'Publish'
DacpacFile: '$(Build.SourcesDirectory)\silicondb987.dacpac'
IpDetectionMethod: 'IPAddressRange'
StartIpAddress: '0.0.0.0'
EndIpAddress: '255.255.255.255'
DeleteFirewallRule: false
Output:-
Or you can also use Azure AD Authentication by adding Azure AD User as Admin:-
trigger:
- main
pool:
vmImage: windows-latest
steps:
- script: echo Hello, world!
displayName: 'Run a one-line script'
- script: |
echo Add other tasks to build, test, and deploy your project.
echo See https://aka.ms/yaml
displayName: 'Run a multi-line script'
- task: SqlAzureDacpacDeployment@1
inputs:
azureSubscription: 'AzureSQL987'
AuthenticationType: 'aadAuthenticationPassword'
ServerName: 'siliconserver654.database.windows.net, 1433'
DatabaseName: 'silicondb987'
aadSqlUsername: '<azureaduser>.onmicrosoft.com'
aadSqlPassword: '<azureaduserpassword>'
deployType: 'DacpacTask'
DeploymentAction: 'Publish'
DacpacFile: '$(Build.SourcesDirectory)\silicondb987.dacpac'
IpDetectionMethod: 'IPAddressRange'
StartIpAddress: '0.0.0.0'
EndIpAddress: '255.255.255.255'
DeleteFirewallRule: false
Output:-
By using Username and password whether SQL authentication or Azure AD authentication, You won't get any limitations like token expiry. Or you need to generate new access token by authenticating again with your service principal.
Reference:-
Get-AzureADPolicy is not working under version Version 2.0.2.138 - Microsoft Q&A By Vasil Michev
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?