Issue with federated credentials for pull requests via github actions

Unsure if there are new requirements for my app registration for terraform to work on a pull request, but we are getting this error suddenly when including tfplan for our pull requests. We confirmed that just running the workflow works from main branch. Let me know if anyone else is seeing this.

GitHub Actions Error: Failed to Get Existing Workspaces

Description

This workflow worked a few days ago, but I’m currently encountering an issue with Terraform when attempting to get existing workspaces. I’m unsure if there were any permission changes within Azure that I need to apply to my Terraform app registration. I have confirmed that we have the Storage Blob Data Contributor role and that the federated identity for presented assertion on pull requests exists. The error only happens on pull requests and started recently.

Error Message

Error: Failed to get existing workspaces: Error retrieving keys for Storage Account "storageAccountName": autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: clientCredentialsToken: received HTTP status 401 with response: "error":"invalid_client","error_description":"AADSTS700213: No matching federated identity record found for presented assertion subject 'repo:orgName/repositoryName:pull_request'. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. Workload identity federation - Microsoft Entra Workload ID | Microsoft Learn Trace ID: traceId Correlation ID: idNumber Timestamp: 2024-06-13 15:40:46Z","error_codes":[700213],"timestamp":"2024-06-13 15:40:46Z","trace_id":"traceId","correlation_id":"idNumber"

Steps to Reproduce

  1. Trigger a pull request that initiates the GitHub Actions workflow.
  2. Observe the error during the Terraform step.

Troubleshooting Steps Taken

  • Verified that the Storage Blob Data Contributor role is assigned.
  • Confirmed the existence of federated identity credentials for the presented assertion on pull requests.

Additional Information

Request for Assistance

Has anyone else encountered this issue? If so, how did you resolve it? Any help or insights would be greatly appreciated.

Hi @raveheart1,

The error message you described suggests that you’ve correctly configured Terraform to pass the GitHub-generated JSON Web Token to the Azure provider or Azure state storage backend, and that component is in turn passing that token to the Azure API, but that the Azure API is then rejecting it.

Unfortunately then I think this is most likely a disagreement between your GitHub settings and your Azure settings, with Terraform acting only as an intermediary passing on what it was told to pass on.

Someone in this forum may still be able to help if they’ve run into a similar problem, but if you haven’t already I’d suggest asking about this in a more general Azure-related forum, and/or contacting Azure’s own support team, so that you’re more likely to find someone who is familiar with Azure’s workload identity federation features, independently of Terraform.

If you doubt my guess that this is a general GitHub-to-Azure problem rather than a Terraform-specific problem – which is reasonable, since I don’t really have enough information to know that for sure – it might help to try to reproduce this problem using the Azure CLI or some other non-Terraform-specific Azure client. If you try that and encounter a similar error then that would seem to confirm my guess. If you try it and succeed with a different client then the settings you used for that successful request might provide a clue as to what you’d need to change in your Terraform configuration to get a similar effect.
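To make the issuer/subject/audience comparison discussed above concrete, here is an added, constructed Python model (not code from either poster, HashiCorp or Microsoft) of the federated identity credential check: a credential scoped to refs/heads/main matches a main-branch run, while a pull_request assertion carries the subject repo:orgName/repositoryName:pull_request and needs its own credential. The credential list, token contents and names are assumptions.

```python
import base64
import json

# Constructed model of the issuer/subject/audience check Entra ID performs on a
# GitHub Actions OIDC assertion; a miss is reported as AADSTS700213. Not real
# Entra or GitHub code; credentials and tokens below are made up for illustration.

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
DEFAULT_AUDIENCE = "api://AzureADTokenExchange"

# Assumed federated identity credentials on the app registration: a branch-scoped
# one (why the main-branch run works) but none for pull_request events.
FEDERATED_CREDENTIALS = [
    {"name": "main-branch", "issuer": GITHUB_ISSUER,
     "subject": "repo:orgName/repositoryName:ref:refs/heads/main",
     "audiences": [DEFAULT_AUDIENCE]},
]

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unsigned_jwt(claims: dict) -> str:
    """Build an unsigned stand-in (header.payload.) for a real GitHub assertion."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def jwt_claims(token: str) -> dict:
    """Decode the payload for inspection only; no signature verification here."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def github_subject(org: str, repo: str, event: str, ref: str = "") -> str:
    """Subject claim GitHub issues: pull_request events carry no ref component."""
    if event == "pull_request":
        return f"repo:{org}/{repo}:pull_request"
    return f"repo:{org}/{repo}:ref:{ref}"

def match_credential(token: str, credentials: list) -> str:
    """Return the matching credential name, or an AADSTS700213-style diagnosis."""
    c = jwt_claims(token)
    for cred in credentials:
        if (cred["issuer"], cred["subject"]) == (c["iss"], c["sub"]) and c["aud"] in cred["audiences"]:
            return cred["name"]
    return f"AADSTS700213: no federated identity record for subject '{c['sub']}'"

# A push to main matches; a pull request does not, reproducing the thread's failure.
push_token = unsigned_jwt({"iss": GITHUB_ISSUER, "aud": DEFAULT_AUDIENCE,
                           "sub": github_subject("orgName", "repositoryName", "push", "refs/heads/main")})
pr_token = unsigned_jwt({"iss": GITHUB_ISSUER, "aud": DEFAULT_AUDIENCE,
                         "sub": github_subject("orgName", "repositoryName", "pull_request")})
print(match_credential(push_token, FEDERATED_CREDENTIALS))
print(match_credential(pr_token, FEDERATED_CREDENTIALS))
```

Running jwt_claims on the actual assertion a workflow presents shows the exact sub and aud values the credential must carry.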