Terraform-provider-azurerm: Terraform AzureRM Provider fails to authenticate with Azure

Created on 25 Jan 2020 · 4Comments · Source: terraform-providers/terraform-provider-azurerm

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

TFE 0.12.2
AzureRM : 1.41.0
Vault : 2.7.1

Affected Resource(s)

Terraform Authentication

Terraform Configuration Files

I use a VAULT provider (via a module) to get the temp credentials for a service principal in Azure, per the debug logs these are being returned successfully. Then the provider block executes and fails to log in with those credentials. Manually looking in AzureAD App Registrations shows the given client_id DOES exist.

provider "azurerm" {
  subscription_id = "${var.subscription_id}"
  client_id       = "${module.vaultprovider.client_id}"
  client_secret   = "${module.vaultprovider.client_secret}"
  tenant_id       = "${var.tenant_id}"
}

Debug Output

Error building account: Error getting authenticated object ID: Error listing Service Principals: autorest.DetailedError{Original:adal.tokenRefreshError{message:"adal: Refresh request failed. Status Code = '400'. Response body: {\"error\":\"unauthorized_client\"

Expected Behavior

Authentication to Azure was successful, given valid credentials.

Actual Behavior

Steps to Reproduce

Using Terraform Enterprise:

call vault to get temp creds
use returned creds to auth to azure via azurerm provider block
Note: using the az cli works because there is enough time between service principal creds being created and making the cli call for the creds to propagate.

Important Factoids

This works, sometimes... about 1 in 20 runs is good. The rest all fail with this error and so I know it works but it is a timing issue between the temporary creds getting created and the provider block using them.

authentication bug upstream

Source

jmyers82

👍4

All 4 comments

I'm also experiencing this issue as of AzureRM 1.38, prior versions work fine.

ryanps1 on 11 Feb 2020

hi @jmyers82 @ryanps1

Thanks for opening this issue.

Since this access token's being generated from Vault it appears this token isn't fully provisioned before being returned - as such this appears to be something that Vault is doing prior to returning the token.

Due to this unfortunately this bug would need to be fixed within Vault rather than the Azure Provider - and as such I'm going to close this issue for the moment; but would you mind reopening this issue on the Vault repository where someone should be able to take a look?

Thanks!

tombuildsstuff on 11 Feb 2020

👀1

hi @jmyers82 @ryanps1

Thanks for opening this issue.

Since this access token's being generated from Vault it appears this token isn't fully provisioned before being returned - as such this appears to be something that Vault is doing prior to returning the token.

Due to this unfortunately this bug would need to be fixed within Vault rather than the Azure Provider - and as such I'm going to close this issue for the moment; but would you mind reopening this issue on the Vault repository where someone should be able to take a look?

Thanks!

Hi Tom,

I'm actually not using Vault for these at all, I'm logging in with a service principal through environment variables. Admittedly these values are being populated from an Azure KeyVault as part of an Azure DevOps pipeline, but it doesn't seem as though it's specific to just Hashicorp Vault.

Cheers

ryanps1 on 11 Feb 2020

👍1

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!