19 October, 2022

Terraform ERROR: Continuous access evaluation

This morning I was getting the following error trying to run Terraform:

╷
│ Error: building account: getting authenticated object ID: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Continuous access evaluation resulted in claims challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied
│    with provider["registry.terraform.io/hashicorp/azurerm"],
│   on main.tf line 26, in provider "azurerm":
│   26: provider "azurerm" { 

Turns out, this was because Continuous Access Evaluation had been enabled on my tenancy, as a result of enabling the Authentication Strengths private preview.

You can check if CAE is enabled by looking at your JWT: if you run az account get-access-token | jq .accessToken | cut -d '.' -f 2 | base64 -d | jq .xms_cc and see CP1, you've got CAE enabled.
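The same check as a small script, added here as an example rather than taken from the post: JWT segments are base64url-encoded with the padding stripped, which plain base64 -d does not accept cleanly, so the helper restores the padding and swaps the URL-safe alphabet before decoding, then looks for CP1 in the xms_cc claim. The tokens it inspects are constructed inline (an unsigned header, a payload, and a dummy signature segment) so it runs offline; the function names are this example's own, not Azure CLI commands.

```shell
#!/bin/sh
# Constructed example: inspect a JWT's payload for the xms_cc claim that
# advertises Continuous Access Evaluation support ("CP1"). Not from the post.

# base64url-encode a string, dropping the "=" padding as JWTs do.
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

# Decode one base64url segment, restoring the padding the JWT format omits.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the decoded payload (second dot-separated segment) of a JWT.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d '.' -f 2)"
}

# Exit 0 if the payload's xms_cc array contains CP1 (any case), else 1.
jwt_has_cae() {
  jwt_payload "$1" | grep -qiE '"xms_cc"[[:space:]]*:[[:space:]]*\[[^]]*"cp1"'
}

# Constructed sample tokens (unsigned; "sig" stands in for the signature).
HEADER=$(b64url_encode '{"alg":"none","typ":"JWT"}')
CAE_TOKEN="$HEADER.$(b64url_encode '{"aud":"https://management.azure.com/","xms_cc":["CP1"]}').sig"
PLAIN_TOKEN="$HEADER.$(b64url_encode '{"aud":"https://management.azure.com/"}').sig"

# Stand-alone run: report the CAE status of each sample token.
for t in "$CAE_TOKEN" "$PLAIN_TOKEN"; do
  if jwt_has_cae "$t"; then
    echo "CAE enabled (xms_cc contains CP1)"
  else
    echo "CAE not advertised in this token"
  fi
done
```

To check a real token, replace the sample with the output of az account get-access-token --query accessToken -o tsv; the script only reads the payload and never validates the signature, so it is a diagnostic, not an authorization check.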

This was on a remote server, and I was used to using az login --use-device-code instead of port forwarding. But it looks like Device Code flow is not supported with CAE. If you run a request interactively, like:

$ az rest --method GET --url https://graph.microsoft.com/beta/${tenancyId}/applications/${applicationId}
Unauthorized({"error":{"code":"InvalidAuthenticationToken","message":"Continuous access evaluation resulted in claims challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied","innerError":{"date":"2022-10-18T20:58:10","request-id":"eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee","client-request-id":"eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee"}}})
Interactive authentication is needed. Please run:
az logout
az login

As the azure-cli hints, the fix is to simply use az login with a port forward, instead of Device Code flow.
