I have this odd situation where I can successfully get Azure credentials via the Vault Azure Secret Engine.
When I use it in the Azure Provider directly, it finds the credentials invalid. But when I use those same credentials directly, it works fine.
In addition, those same credentials fail validation in the `data.vault_azure_access_credentials` resource, yet they work fine when I use the credentials directly.
Does anyone have any ideas where else I should look?
My code sample:

```hcl
provider "vault" {
  address = "<vault address>"
  auth_login {
    path = "auth/approle/login"
    parameters = {
      role_id   = "xxx-xxx-xxx-xx-xxx"
      secret_id = "yyyy-yyyy-yyyy-yyyy-yyyyyy"
    }
  }
}

data "vault_azure_access_credentials" "azure" {
  backend                     = "azure"
  role                        = "terraform"
  validate_creds              = true
  num_sequential_successes    = 3
  num_seconds_between_tests   = 5
  max_cred_validation_seconds = 30
}

provider "azurerm" {
  disable_terraform_partner_id = true
  tenant_id                    = var.tenant_id
  subscription_id              = var.subscription_id
  client_id                    = data.vault_azure_access_credentials.azure.client_id
  client_secret                = data.vault_azure_access_credentials.azure.client_secret
  features {}
}

resource "azurerm_resource_group" "test" {
  name     = "test"
  location = "eastus"
}
```
The error that I get when I run `terraform plan` (with validation off):

```
Error: Error building account: Error getting authenticated object ID: Error listing Service Principals: autorest.DetailedError{Original:adal.tokenRefreshError{message:"adal: Refresh request failed. Status Code = '401'. Response body: {\"error\":\"invalid_client\",\"error_description\":\"AADSTS7000215: Invalid client secret is provided.\\r\\nTrace ID: xxx-yyy-trace-id-123\\r\\nCorrelation ID: xxx-yyy-ccc-id-123\\r\\nTimestamp: 2021-04-24 17:38:26Z\",\"error_codes\":[7000215],\"timestamp\":\"2021-04-24 17:38:26Z\",\"trace_id\":\"xxx-yyy-trace-id-123\",\"correlation_id\":\"xxx-yyy-ccc-id-123\",\"error_uri\":\"https://login.microsoftonline.com/error?code=7000215\"} Endpoint https://login.microsoftonline.com/abc-xyz-123/oauth2/token?api-version=1.0", resp:(*http.Response)(0xc001253c20)}, PackageType:"azure.BearerAuthorizer", Method:"WithAuthorization", StatusCode:401, Message:"Failed to refresh the Token for request to https://graph.windows.net/abc-xyz-123/servicePrincipals?%24filter=appId+eq+%aaa-bbb-ccc%27&api-version=1.6", ServiceError:[]uint8(nil), Response:(*http.Response)(0xc001253c20)}
```
With validation enabled:

```
2021-04-24T10:42:13.849-0700 [DEBUG] plugin.terraform-provider-vault_v2.19.1_x4: 2021/04/24 10:42:13 [DEBUG] 0 sequential successes obtained, waiting 5 seconds to next test client ID and secret
2021/04/24 10:42:17 [TRACE] dag/walk: vertex "local.client_id (expand)" is waiting for "data.vault_azure_access_credentials.azure (expand)"
2021/04/24 10:42:17 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/azurerm\"] (close)" is waiting for "azurerm_resource_group.test (expand)"
2021/04/24 10:42:17 [TRACE] dag/walk: vertex "output.test" is waiting for "data.vault_azure_access_credentials.azure (expand)"
2021/04/24 10:42:17 [TRACE] dag/walk: vertex "meta.count-boundary (EachMode fixup)" is waiting for "output.test"
2021/04/24 10:42:17 [TRACE] dag/walk: vertex "root" is waiting for "meta.count-boundary (EachMode fixup)"
2021/04/24 10:42:17 [TRACE] dag/walk: vertex "azurerm_resource_group.test (expand)" is waiting for "provider[\"registry.terraform.io/hashicorp/azurerm\"]"
2021/04/24 10:42:17 [TRACE] dag/walk: vertex "local.client_secret (expand)" is waiting for "data.vault_azure_access_credentials.azure (expand)"
2021/04/24 10:42:17 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/azurerm\"]" is waiting for "local.client_id (expand)"
2021/04/24 10:42:17 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/vault\"] (close)" is waiting for "data.vault_azure_access_credentials.azure (expand)"
2021-04-24T10:42:19.035-0700 [DEBUG] plugin.terraform-provider-vault_v2.19.1_x4: 2021/04/24 10:42:19 [DEBUG] 0 sequential successes obtained, waiting 5 seconds to next test client ID and secret
2021/04/24 10:42:22 [TRACE] dag/walk: vertex "local.client_secret (expand)" is waiting for "data.vault_azure_access_credentials.azure (expand)"
2021/04/24 10:42:22 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/vault\"] (close)" is waiting for "data.vault_azure_access_credentials.azure (expand)"
2021/04/24 10:42:22 [TRACE] dag/walk: vertex "azurerm_resource_group.test (expand)" is waiting for "provider[\"registry.terraform.io/hashicorp/azurerm\"]"
2021/04/24 10:42:22 [TRACE] dag/walk: vertex "output.test" is waiting for "data.vault_azure_access_credentials.azure (expand)"
2021/04/24 10:42:22 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/azurerm\"]" is waiting for "local.client_id (expand)"
2021/04/24 10:42:22 [TRACE] dag/walk: vertex "local.client_id (expand)" is waiting for "data.vault_azure_access_credentials.azure (expand)"
2021/04/24 10:42:22 [TRACE] dag/walk: vertex "meta.count-boundary (EachMode fixup)" is waiting for "output.test"
2021/04/24 10:42:22 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/azurerm\"] (close)" is waiting for "azurerm_resource_group.test (expand)"
2021/04/24 10:42:22 [TRACE] dag/walk: vertex "root" is waiting for "meta.count-boundary (EachMode fixup)"
2021-04-24T10:42:24.220-0700 [DEBUG] plugin.terraform-provider-vault_v2.19.1_x4: 2021/04/24 10:42:24 [DEBUG] giving up due to only having 0 sequential successes and running out of time
2021/04/24 10:42:24 [TRACE] vertex "data.vault_azure_access_credentials.azure": visit complete
2021/04/24 10:42:24 [TRACE] vertex "data.vault_azure_access_credentials.azure": dynamic subgraph encountered errors
2021/04/24 10:42:24 [TRACE] vertex "data.vault_azure_access_credentials.azure": visit complete
2021/04/24 10:42:24 [TRACE] vertex "data.vault_azure_access_credentials.azure (expand)": dynamic subgraph encountered errors
2021/04/24 10:42:24 [TRACE] vertex "data.vault_azure_access_credentials.azure (expand)": visit complete
2021/04/24 10:42:24 [TRACE] dag/walk: upstream of "local.client_secret (expand)" errored, so skipping
2021/04/24 10:42:24 [TRACE] dag/walk: upstream of "output.test" errored, so skipping
2021/04/24 10:42:24 [TRACE] dag/walk: upstream of "local.client_id (expand)" errored, so skipping
2021/04/24 10:42:24 [TRACE] dag/walk: upstream of "provider[\"registry.terraform.io/hashicorp/vault\"] (close)" errored, so skipping
2021/04/24 10:42:24 [TRACE] dag/walk: upstream of "provider[\"registry.terraform.io/hashicorp/azurerm\"]" errored, so skipping
2021/04/24 10:42:24 [TRACE] dag/walk: upstream of "azurerm_resource_group.test (expand)" errored, so skipping
2021/04/24 10:42:24 [TRACE] dag/walk: upstream of "provider[\"registry.terraform.io/hashicorp/azurerm\"] (close)" errored, so skipping
2021/04/24 10:42:24 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2021/04/24 10:42:24 [TRACE] dag/walk: upstream of "root" errored, so skipping
2021/04/24 10:42:24 [INFO] backend/local: plan operation completed
2021/04/24 10:42:24 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
2021/04/24 10:42:24 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock

Error: despite trying for 30 seconds, 5 seconds apart, we were never able to get 3 successes in a row
```
Any help would be greatly appreciated - it is really puzzling where else I should investigate.
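An added example (not from the original post or the Vault provider's code) that reimplements the `validate_creds` loop in Python against the AAD client-credentials grant, so the `num_sequential_successes`, `num_seconds_between_tests` and `max_cred_validation_seconds` settings above can be reasoned about offline; `simulate()` uses a constructed clock and a credential that AAD only accepts after a propagation delay, which is one way the "never able to get 3 successes in a row" error arises. The loop is an approximation of the provider's behaviour, and `azure_client_credentials_ok` assumes the v1 token endpoint that appears in the 401 above.

```python
import time
import urllib.error
import urllib.parse
import urllib.request

# AAD v1 token endpoint, the same one the 401 in the post came from.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token?api-version=1.0"

def azure_client_credentials_ok(tenant_id, client_id, client_secret,
                                opener=urllib.request.urlopen):
    """True if AAD issues a token for the client credentials; False on a 401 such
    as AADSTS7000215 'Invalid client secret'. Other HTTP errors propagate."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret,
                                   "resource": "https://management.azure.com/"}).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body)
    try:
        with opener(req, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise

def wait_for_valid_creds(check, num_sequential_successes=3, num_seconds_between_tests=5,
                         max_cred_validation_seconds=30, clock=time.monotonic, sleep=time.sleep):
    """Approximation of the data source's validate_creds loop: need
    num_sequential_successes consecutive passes of check(), one test every
    num_seconds_between_tests seconds, giving up after max_cred_validation_seconds.
    Returns (succeeded, attempts)."""
    deadline = clock() + max_cred_validation_seconds
    successes = attempts = 0
    while True:
        attempts += 1
        successes = successes + 1 if check() else 0  # a single failure resets the streak
        if successes >= num_sequential_successes:
            return True, attempts
        if clock() >= deadline:
            return False, attempts
        sleep(num_seconds_between_tests)

def simulate(propagation_delay_s, **settings):
    """Constructed scenario: fake clock plus a freshly issued service principal
    that AAD only starts accepting propagation_delay_s seconds after issuance."""
    now = [0.0]
    return wait_for_valid_creds(lambda: now[0] >= propagation_delay_s,
                                clock=lambda: now[0],
                                sleep=lambda s: now.__setitem__(0, now[0] + s), **settings)
```

With the post's settings, a credential that becomes valid within about 20 seconds of issuance passes, while one that needs longer than the 30-second window fails with a 0-success streak, matching the "giving up due to only having 0 sequential successes" line in the log.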