az network bastion ssh command fails #28339

@gdebezpredel

Describe the bug

I'm trying to set up Bastion with AAD-based login following these guides: 1, 2. After setting everything up, the command fails, and the error is different depending on whether I use Azure Cloud Shell or the local Azure CLI.

Related command

az network bastion ssh --name $name --resource-group $rg --target-resource-id /subscriptions/$sub/resourceGroups/$sub/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss/virtualMachines/0 --auth-type AAD

Errors

Azure Cloud Shell:

(AuthorizationFailed) The client '' with object id '' does not have authorization to perform action 'Microsoft.Network/bastionHosts/read' over scope '/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/bastionHosts/host' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client '' with object id '' does not have authorization to perform action 'Microsoft.Network/bastionHosts/read' over scope '/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/bastionHosts/host' or the scope is invalid. If access was recently granted, please refresh your credentials.

Azure CLI:

The command failed with an unexpected error. Here is the traceback:
[Errno 49] Can't assign requested address
Traceback (most recent call last):
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 664, in execute
    raise ex
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 729, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 698, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 334, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/Users/user/.azure/cliextensions/bastion/azext_bastion/custom.py", line 166, in ssh_bastion_host
    tunnel_server = _get_tunnel(cmd, bastion, bastion_endpoint, target_resource_id, resource_port)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/user/.azure/cliextensions/bastion/azext_bastion/custom.py", line 358, in _get_tunnel
    tunnel_server = TunnelServer(cmd.cli_ctx, "localhost", port, bastion, bastion_endpoint, vm_id, resource_port)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/user/.azure/cliextensions/bastion/azext_bastion/tunnel.py", line 62, in __init__
    self.sock.bind((self.local_addr, self.local_port))
OSError: [Errno 49] Can't assign requested address

I checked my access and I have the Contributor role, which definitely has the Microsoft.Network/bastionHosts/read permission.

Issue script & Debug output

Azure CLI:

cli.knack.cli: Command arguments: ['network', 'bastion', 'ssh', '--name', 'name', '--resource-group', 'rg', '--target-resource-id', '/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss/virtualMachines/0', '--auth-type', 'AAD', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x104fc5260>, <function OutputProducer.on_global_arguments at 0x1050a0400>, <function CLIQuery.on_global_arguments at 0x1050ca0c0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'network': ['azure.cli.command_modules.network', 'azure.cli.command_modules.privatedns', 'azext_bastion']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: network                   0.667       115       355
cli.azure.cli.core: privatedns                0.017        14        60
cli.azure.cli.core: Total (2)                 0.685       129       415
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: bastion                   0.011         2         9  /Users/user/.azure/cliextensions/bastion
cli.azure.cli.core: Total (1)                 0.011         2         9  
cli.azure.cli.core: Loaded 129 groups, 424 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : network bastion ssh
cli.azure.cli.core: Command table: network bastion ssh
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x105dc6a20>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/Users/user/.azure/commands/2024-02-08.11-38-09.network_bastion_ssh.30048.log'.
az_command_data_logger: command args: network bastion ssh --name {} --resource-group {} --target-resource-id {} --auth-type {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x105e15760>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x105e176a0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x105e177e0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x1050a04a0>, <function CLIQuery.handle_query_parameter at 0x1050ca160>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x105e17740>]
az_command_data_logger: extension name: bastion
az_command_data_logger: extension version: 0.3.0
Command group 'az network' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
cli.azure.cli.core.auth.persistence: build_persistence: location='/Users/user/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /Users/user/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/3e04753a-.../oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/.../discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/.../v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/.../oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/.../oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/.../oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/.../kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
msal.application: Found 1 RTs matching {'environment': 'login.microsoftonline.com', 'home_account_id': '********....', 'family_id': '1'}
msal.telemetry: Generate or reuse correlation_id: f7af70ce-c912-44f1-8730-6e25b9099ad5
msal.application: Cache attempts an RT
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /.../oauth2/v2.0/token HTTP/1.1" 200 12133
msal.token_cache: event={
    "client_id": "04b07795-...",
    "data": {
        "claims": "{\"access_token\": {\"xms_cc\": {\"values\": [\"CP1\"]}}}",
        "refresh_token": "********",
        "scope": [
            "https://management.core.windows.net//.default",
            "offline_access",
            "profile",
            "openid"
        ]
    },
    "environment": "login.microsoftonline.com",
    "grant_type": "refresh_token",
    "params": null,
    "response": {
        "access_token": "********",
        "client_info": "eyJ1aWQiOiI1...",
        "expires_in": 5196,
        "ext_expires_in": 5196,
        "foci": "1",
        "id_token": "********",
        "scope": "https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default",
        "token_type": "Bearer"
    },
    "scope": [
        "https://management.core.windows.net//user_impersonation",
        "https://management.core.windows.net//.default"
    ],
    "skip_account_creation": true,
    "token_endpoint": "https://login.microsoftonline.com/3e04753a-.../oauth2/v2.0/token"
}
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/bastionHosts/name?api-version=2022-01-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': 'd291d2c8-c6a8-11ee-ac26-acde48001122'
cli.azure.cli.core.sdk.policies:     'CommandName': 'network bastion ssh'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--name --resource-group --target-resource-id --auth-type --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.57.0 (HOMEBREW) (AAZ) azsdk-python-core/1.28.0 Python/3.11.7 (macOS-13.6-x86_64-i386-64bit)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/bastionHosts/name?api-version=2022-01-01 HTTP/1.1" 200 1719
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '1719'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'ETag': 'W/"..."'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '8e557318-7205-4d1c-a790-902ac2145f13'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': 'd906b2f5-d1a8-48e6-a143-9209c39e1606'
cli.azure.cli.core.sdk.policies:     'x-ms-arm-service-request-id': 'c98f1702-e3dd-4247-a900-12e0da4053fc'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-reads': '11997'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'SOUTHCENTRALUS:20240208T173810Z:d906b2f5-d1a8-48e6-a143-9209c39e1606'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies:     'X-MSEdge-Ref': 'Ref A: 6A4B2D7636CA4526980484C4816CB6E4 Ref B: SN4AA2022303037 Ref C: 2024-02-08T17:38:10Z'
cli.azure.cli.core.sdk.policies:     'Date': 'Thu, 08 Feb 2024 17:38:09 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {
  "name": "name",
  "id": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/bastionHosts/name",
  "etag": "W/\"...\"",
  "type": "Microsoft.Network/bastionHosts",
  "location": "eastus",
  "tags": {},
  "properties": {
    "provisioningState": "Succeeded",
    "dnsName": "bst-....bastion.azure.com",
    "scaleUnits": 2,
    "enableTunneling": true,
    "enableIpConnect": false,
    "enableFileCopy": false,
    "disableCopyPaste": false,
    "enableShareableLink": false,
    "ipConfigurations": [
      {
        "name": "configuration",
        "id": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/bastionHosts/name/bastionHostIpConfigurations/configuration",
        "etag": "W/\"...\"",
        "type": "Microsoft.Network/bastionHosts/bastionHostIpConfigurations",
        "properties": {
          "provisioningState": "Succeeded",
          "privateIPAllocationMethod": "Dynamic",
          "publicIPAddress": {
            "id": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/publicIPAddresses/name-public-ip"
          },
          "subnet": {
            "id": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/AzureBastionSubnet"
          }
        }
      }
    ]
  },
  "sku": {
    "name": "Standard"
  }
}
cli.azext_bastion.tunnel: Creating a socket on port: 0
cli.azext_bastion.tunnel: Setting socket options
cli.azext_bastion.tunnel: Binding to socket on local address and port
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 664, in execute
    raise ex
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 729, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 698, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 334, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/Users/user/.azure/cliextensions/bastion/azext_bastion/custom.py", line 166, in ssh_bastion_host
    tunnel_server = _get_tunnel(cmd, bastion, bastion_endpoint, target_resource_id, resource_port)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/user/.azure/cliextensions/bastion/azext_bastion/custom.py", line 358, in _get_tunnel
    tunnel_server = TunnelServer(cmd.cli_ctx, "localhost", port, bastion, bastion_endpoint, vm_id, resource_port)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/user/.azure/cliextensions/bastion/azext_bastion/tunnel.py", line 62, in __init__
    self.sock.bind((self.local_addr, self.local_port))
OSError: [Errno 49] Can't assign requested address

cli.azure.cli.core.azclierror: The command failed with an unexpected error. Here is the traceback:
az_command_data_logger: The command failed with an unexpected error. Here is the traceback:
cli.azure.cli.core.azclierror: [Errno 49] Can't assign requested address
Traceback (most recent call last):
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 664, in execute
    raise ex
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 729, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 698, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 334, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/Users/user/.azure/cliextensions/bastion/azext_bastion/custom.py", line 166, in ssh_bastion_host
    tunnel_server = _get_tunnel(cmd, bastion, bastion_endpoint, target_resource_id, resource_port)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/user/.azure/cliextensions/bastion/azext_bastion/custom.py", line 358, in _get_tunnel
    tunnel_server = TunnelServer(cmd.cli_ctx, "localhost", port, bastion, bastion_endpoint, vm_id, resource_port)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/user/.azure/cliextensions/bastion/azext_bastion/tunnel.py", line 62, in __init__
    self.sock.bind((self.local_addr, self.local_port))
OSError: [Errno 49] Can't assign requested address
az_command_data_logger: [Errno 49] Can't assign requested address
Traceback (most recent call last):
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 664, in execute
    raise ex
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 729, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 698, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 334, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/Users/user/.azure/cliextensions/bastion/azext_bastion/custom.py", line 166, in ssh_bastion_host
    tunnel_server = _get_tunnel(cmd, bastion, bastion_endpoint, target_resource_id, resource_port)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/user/.azure/cliextensions/bastion/azext_bastion/custom.py", line 358, in _get_tunnel
    tunnel_server = TunnelServer(cmd.cli_ctx, "localhost", port, bastion, bastion_endpoint, vm_id, resource_port)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/user/.azure/cliextensions/bastion/azext_bastion/tunnel.py", line 62, in __init__
    self.sock.bind((self.local_addr, self.local_port))
OSError: [Errno 49] Can't assign requested address
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x105dc6ca0>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 2.009 seconds (init: 0.137, invoke: 1.872)
cli.azure.cli.core.decorators: Suppress exception:
Traceback (most recent call last):
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/__main__.py", line 62, in <module>
    raise ex
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/__main__.py", line 55, in <module>
    sys.exit(exit_code)
SystemExit: 1

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/decorators.py", line 79, in _wrapped_func
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/core/telemetry.py", line 532, in _get_secrets_warning_config
    show_secrets_warning = _get_config().getboolean('clients', 'show_secrets_warning', fallback=None)
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/knack/config.py", line 147, in getboolean
    raise ValueError('Not a boolean: {}'.format(val))
ValueError: Not a boolean: None

telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 7445 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/local/Cellar/azure-cli/2.57.0/libexec/bin/python /usr/local/Cellar/azure-cli/2.57.0/libexec/lib/python3.11/site-packages/azure/cli/telemetry/__init__.py /Users/user/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Azure Cloud Shell:

cli.knack.cli: Command arguments: ['network', 'bastion', 'ssh', '--name', 'name', '--resource-group', 'rg', '--target-resource-id', '/subscriptions/50a06a01-c329-43f2-9032-0dda11e26d36/resourceGroups/rg/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss/virtualMachines/0', '--auth-type', 'AAD', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f78879af1f0>, <function OutputProducer.on_global_arguments at 0x7f78878c9d30>, <function CLIQuery.on_global_arguments at 0x7f7887861310>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'network': ['azure.cli.command_modules.network', 'azure.cli.command_modules.privatedns', 'azext_bastion']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: network                   0.601       115       353
cli.azure.cli.core: privatedns                0.019        14        60
cli.azure.cli.core: Total (2)                 0.620       129       413
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: ai-examples               0.072         1         1  /usr/lib/python3.9/site-packages/azure-cli-extensions/ai-examples
cli.azure.cli.core: bastion                   0.008         2         9  /home/user/.azure/cliextensions/bastion
cli.azure.cli.core: Total (2)                 0.080         3        10  
cli.azure.cli.core: Loaded 130 groups, 423 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : network bastion ssh
cli.azure.cli.core: Command table: network bastion ssh
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f7886d075e0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/user/.azure/commands/2024-02-08.17-58-24.network_bastion_ssh.3793.log'.
az_command_data_logger: command args: network bastion ssh --name {} --resource-group {} --target-resource-id {} --auth-type {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f7886cad1f0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f7886ce31f0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f7886c850d0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f78878c9dc0>, <function CLIQuery.handle_query_parameter at 0x7f78878613a0>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7f7886c85040>]
az_command_data_logger: extension name: bastion
az_command_data_logger: extension version: 0.3.0
Command group 'az network' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/user/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/user/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/.../oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/.../discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/.../v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/.../oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/.../oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/.../oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/.../kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: ...
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/.../resourceGroups/rg/providers/Microsoft.Network/bastionHosts/name?api-version=2022-01-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '...'
cli.azure.cli.core.sdk.policies:     'CommandName': 'network bastion ssh'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--name --resource-group --target-resource-id --auth-type --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.56.0 (RPM) (AAZ) azsdk-python-core/1.28.0 Python/3.9.14 (Linux-5.10.102.2-microsoft-standard-x86_64-with-glibc2.35) cloud-shell/1.0'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/.../resourceGroups/rg/providers/Microsoft.Network/bastionHosts/name?api-version=2022-01-01 HTTP/1.1" 403 480
cli.azure.cli.core.sdk.policies: Response status: 403
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '480'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'x-ms-failure-cause': 'gateway'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '...'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '...'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'WESTUS:20240208T175824Z:...'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies:     'X-MSEdge-Ref': 'Ref A: 844C477A96774A6B896860A47056DE2B Ref B: SJC211051203021 Ref C: 2024-02-08T17:58:24Z'
cli.azure.cli.core.sdk.policies:     'Date': 'Thu, 08 Feb 2024 17:58:23 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"AuthorizationFailed","message":"The client 'user' with object id '...' does not have authorization to perform action 'Microsoft.Network/bastionHosts/read' over scope '/subscriptions/.../resourceGroups/rg/providers/Microsoft.Network/bastionHosts/name' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.9/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
    raise ex
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
    result = cmd_copy(params)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
    return self.handler(*args, **kwargs)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
  File "/home/user/.azure/cliextensions/bastion/azext_bastion/custom.py", line 144, in ssh_bastion_host
    bastion = Show(cli_ctx=cmd.cli_ctx)(command_args={
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/aaz/_command.py", line 155, in __call__
    return self._handler(*args, **kwargs)
  File "/home/user/.azure/cliextensions/bastion/azext_bastion/aaz/latest/network/bastion/_show.py", line 34, in _handler
    self._execute_operations()
  File "/home/user/.azure/cliextensions/bastion/azext_bastion/aaz/latest/network/bastion/_show.py", line 61, in _execute_operations
    self.BastionHostsGet(ctx=self.ctx)()
  File "/home/user/.azure/cliextensions/bastion/azext_bastion/aaz/latest/network/bastion/_show.py", line 85, in __call__
    return self.on_error(session.http_response)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/aaz/_operation.py", line 332, in on_error
    raise HttpResponseError(response=response, error_format=error_format)
azure.core.exceptions.HttpResponseError: (AuthorizationFailed) The client 'user' with object id '...' does not have authorization to perform action 'Microsoft.Network/bastionHosts/read' over scope '/subscriptions/.../resourceGroups/rg/providers/Microsoft.Network/bastionHosts/name' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client 'user' with object id '...' does not have authorization to perform action 'Microsoft.Network/bastionHosts/read' over scope '/subscriptions/.../resourceGroups/rg/providers/Microsoft.Network/bastionHosts/name' or the scope is invalid. If access was recently granted, please refresh your credentials.

cli.azure.cli.core.azclierror: (AuthorizationFailed) The client 'user' with object id '...' does not have authorization to perform action 'Microsoft.Network/bastionHosts/read' over scope '/subscriptions/.../resourceGroups/rg/providers/Microsoft.Network/bastionHosts/name' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client 'user' with object id '...' does not have authorization to perform action 'Microsoft.Network/bastionHosts/read' over scope '/subscriptions/.../resourceGroups/rg/providers/Microsoft.Network/bastionHosts/name' or the scope is invalid. If access was recently granted, please refresh your credentials.
az_command_data_logger: (AuthorizationFailed) The client 'user' with object id '...' does not have authorization to perform action 'Microsoft.Network/bastionHosts/read' over scope '/subscriptions/.../resourceGroups/rg/providers/Microsoft.Network/bastionHosts/name' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client 'user' with object id '...' does not have authorization to perform action 'Microsoft.Network/bastionHosts/read' over scope '/subscriptions/.../resourceGroups/rg/providers/Microsoft.Network/bastionHosts/name' or the scope is invalid. If access was recently granted, please refresh your credentials.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f7886d07820>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 1.078 seconds (init: 0.142, invoke: 0.936)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4494 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/bin/python3.9 /usr/lib/az/lib/python3.9/site-packages/azure/cli/telemetry/__init__.py /home/user/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

Successful SSH connection to a VM under a VMSS.

Environment Summary

Azure CLI:

azure-cli                         2.57.0

core                              2.57.0
telemetry                          1.1.0

Extensions:
bastion                            0.3.0
ssh                                2.0.2

Dependencies:
msal                              1.26.0
azure-mgmt-resource             23.1.0b2

Python location '/usr/local/Cellar/azure-cli/2.57.0/libexec/bin/python'
Extensions directory '/Users/user/.azure/cliextensions'

Python (Darwin) 3.11.7 (main, Dec  4 2023, 18:10:11) [Clang 15.0.0 (clang-1500.1.0.2.5)]

Legal docs and information: aka.ms/AzureCliLegal


Your CLI is up-to-date.

Azure Cloud Shell:

azure-cli                         2.56.0 *

core                              2.56.0 *
telemetry                          1.1.0

Extensions:
ai-examples                        0.2.5
bastion                            0.3.0
ml                                2.22.0
ssh                                2.0.2

Dependencies:
msal                            1.24.0b2
azure-mgmt-resource             23.1.0b2

Python location '/usr/bin/python3.9'
Extensions directory '/home/user/.azure/cliextensions'
Extensions system directory '/usr/lib/python3.9/site-packages/azure-cli-extensions'

Python (Linux) 3.9.14 (main, Oct 12 2023, 19:48:32) 
[GCC 11.2.0]

Legal docs and information: aka.ms/AzureCliLegal


You have 2 update(s) available. They will be updated with the next build of Cloud Shell.

Additional context

No response

Metadata

    Labels

    Auto-Assign: Auto assign by bot
    Network: az network vnet/lb/nic/dns/etc...
    Network - Bastion
    Service Attention: This issue is responsible by Azure service team.
    act-quality-productivity-squad
    customer-reported: Issues that are reported by GitHub users external to the Azure organization.
    question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
