Azure Service Principal login failing (AADSTS7000215)

Hi all,

I have been using a service principal to deploy Azure resources for a while, but yesterday, after the secret expired and was regenerated, I can no longer authenticate. I went into the app registration in Entra, generated a new secret, updated the $env:ARM_CLIENT_SECRET variable and tried connecting again using the command 'terraform init'. It appears to do nothing for 10-15 minutes before timing out and giving me the message:

Error: Failed to get existing workspaces: autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'. Trace ID: fa7e86b6-d5c6-4035-a416-9b9911587a00 Correlation ID: ea77a06a-1df9-434e-8243-a13c2ce82663 Timestamp: 2024-09-10 10:00:03Z","error_codes":[7000215],"timestamp":"2024-09-10 10:00:03Z","trace_id":"fa7e86b6-d5c6-4035-a416-9b9911587a00","correlation_id":"ea77a06a-1df9-434e-8243-a13c2ce82663","error_uri":"https://login.microsoftonline.com/error?code=7000215"}

If I use the command 'az login --service-principal -u "$ENV:ARM_CLIENT_ID" -p "$env:ARM_CLIENT_SECRET" --tenant "$env:ARM_TENANT_ID"' I can sign in OK through the VSCode terminal.

I can see that the Entra ID authentication is failing when I run the terraform commands, accessing the Azure Storage holding the Terraform state. However, if I try the Azure CLI command 'az storage blob list --account-name portalconfig --container-name tfstate --output table --auth-mode login' I can see the various blobs stored in the account.

I have deleted all the service principal secrets and created just one new one. I've rebooted the machine I was using, deleted the local .terraform folder in the project folder that I'm working on. I set up VS Code on a new machine and installed all the prerequisites and downloaded my code from GitHub, set the environment variables and tried from a new computer with a clean build. I've removed the role assigned to the service principal on the storage and reassigned the Storage Blob Owner role. But now I'm running out of ideas and with a project deadline approaching, I thought I'd reach out to the community for help.

Hopefully someone has an idea what’s going on.

Thanks.

I'm a muppet!! I was using the environment variables to set the secret etc. which were being used to deploy the resources, but I'd also added the secret to the backend "azurerm" block to specify the shared storage (probably not best practice). I removed that and it's now working.
Doh!
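As an added illustration of the fix described above (this is not the poster's configuration), here is the shape of backend block that produces the symptom next to the corrected one. Credentials set as explicit attributes in the azurerm backend block take precedence over the ARM_* environment variables, so a stale client_secret left in the block keeps being sent to Entra after the secret has been rotated in the environment, and the token request fails with AADSTS7000215 before Terraform can list workspaces in the state container. The storage account, container and app ID come from the post; the resource group, state key and the use_azuread_auth setting are assumptions for the example, not details the post confirms.

```hcl
# --- Misconfiguration (what the post describes; do not use together with the block below) ---
# The backend carries its own copy of the service principal credentials. Explicit attributes
# override ARM_CLIENT_ID / ARM_CLIENT_SECRET / ARM_TENANT_ID, so rotating the secret in the
# environment does nothing for state access while the old value stays here. It also puts the
# secret into version control alongside the rest of the code.
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"                                 # assumption
    storage_account_name = "portalconfig"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"                    # assumption
    tenant_id            = "00000000-0000-0000-0000-000000000000"      # placeholder
    client_id            = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
    client_secret        = "<previous secret value>"                   # stale copy: the cause of AADSTS7000215
  }
}

# --- Corrected (replace the block above with this one) ---
# No credentials in the block. The azurerm backend reads ARM_CLIENT_ID, ARM_CLIENT_SECRET,
# ARM_TENANT_ID and ARM_SUBSCRIPTION_ID from the environment, the same variables the azurerm
# provider uses, so a rotated secret is updated in exactly one place.
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"                                 # assumption
    storage_account_name = "portalconfig"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"                    # assumption
    # Assumption: authenticate to the blob with the service principal's Entra ID token
    # (requires a Storage Blob Data role on the container) instead of a storage account key.
    use_azuread_auth     = true
  }
}
```

After changing backend settings, run `terraform init -reconfigure` so Terraform re-initialises the backend with the new configuration rather than reusing the cached one in .terraform. A quick `git grep -n client_secret -- '*.tf'` over the repository shows whether any other backend or provider block still carries a literal secret.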