Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade from 1.19 to 2.x - "msg": "Find the key vault secret got exception, exception as The current credential is not configured to acquire tokens for tenant xxx. #1539

Open
Poil opened this issue Apr 23, 2024 · 15 comments
Labels
medium_priority Medium priority not a bug Not a bug question Further information is requested work in In trying to solve, or in working with contributors

Comments

@Poil
Copy link

Poil commented Apr 23, 2024

SUMMARY

Hi,

After upgrading to 2.x I have this error message when trying to retrieve a keyvault secret via azure.azcollection.azure_rm_keyvaultsecret_info

We pass these parameters

      - name: Get Private Key to connect to VMs
        azure.azcollection.azure_rm_keyvaultsecret_info:
          client_id: "{{ AZURE_CLIENT_ID }}"
          secret: "{{ AZURE_SECRET }}"
          subscription_id: "{{ AZURE_SUBSCRIPTION_ID }}"
          tenant: "{{ AZURE_TENANT }}"
          vault_uri: "{{ AZURE_KEYVAULT_URI }}"
          name: "{{ item }}"
        delegate_to: localhost
        with_items:
          - "xxx-{{ env_to_deploy }}-ssh-private-key"
        register: returnedSecrets
        # no_log: false
ISSUE TYPE
  • Documentation Report
Debug
The full traceback is:
  File "/tmp/ansible_azure.azcollection.azure_rm_keyvaultsecret_info_payload_7y9bc5vf/ansible_azure.azcollection.azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvaultsecret_info.py", line 297, in get_secret
  File "/usr/local/lib/python3.11/dist-packages/azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/keyvault/secrets/_client.py", line 72, in get_secret
    bundle = self._client.get_secret(
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/keyvault/secrets/_generated/_operations_mixin.py", line 1640, in get_secret
    return mixin_instance.get_secret(vault_base_url, secret_name, secret_version, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/keyvault/secrets/_generated/v7_4/operations/_key_vault_client_operations.py", line 760, in get_secret
    pipeline_response: PipelineResponse = self._client._pipeline.run(  # pylint: disable=protected-access
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/core/pipeline/_base.py", line 213, in run
    return first_node.send(pipeline_request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/core/pipeline/_base.py", line 70, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/core/pipeline/_base.py", line 70, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/core/pipeline/_base.py", line 70, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  [Previous line repeated 2 more times]
  File "/usr/local/lib/python3.11/dist-packages/azure/core/pipeline/policies/_redirect.py", line 181, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/core/pipeline/policies/_retry.py", line 467, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/core/pipeline/policies/_authentication.py", line 124, in send
    request_authorized = self.on_challenge(request, response)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 112, in on_challenge
    self.authorize_request(request, scope, tenant_id=challenge.tenant_id)
  File "/usr/local/lib/python3.11/dist-packages/azure/core/pipeline/policies/_authentication.py", line 102, in authorize_request
    self._token = self._credential.get_token(*scopes, **kwargs)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/identity/_internal/get_token_mixin.py", line 83, in get_token
    token = self._acquire_token_silently(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/identity/_internal/decorators.py", line 79, in wrapper
    return fn(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/identity/_internal/client_credential_base.py", line 21, in _acquire_token_silently
    app = self._get_app(**kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/identity/_internal/msal_credentials.py", line 85, in _get_app
    tenant_id = resolve_tenant(
                ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/identity/_internal/utils.py", line 96, in resolve_tenant
    raise ClientAuthenticationError(
  localhost failed | item: xxx-test-ssh-private-key: {
    "ansible_loop_var": "item",
    "changed": false,
    "invocation": {
        "module_args": {
            "ad_user": null,
            "adfs_authority_url": null,
            "api_profile": "latest",
            "auth_source": "auto",
            "cert_validation_mode": null,
            "client_id": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "cloud_environment": "AzureCloud",
            "disable_instance_discovery": false,
            "log_mode": null,
            "log_path": null,
            "name": "pb2c-test-ssh-private-key",
            "password": null,
            "profile": null,
            "secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "show_deleted_secret": false,
            "subscription_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "tags": null,
            "tenant": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "thumbprint": null,
            "vault_uri": "https://kv-pb2c-test-claranet.vault.azure.net/",
            "version": "current",
            "x509_certificate_path": null
        }
    },
    "item": "xxxx-test-ssh-private-key",
    "msg": "Find the key vault secret got exception, exception as The current credential is not configured to acquire tokens for tenantxxxxxxxxxxxxxxxxxxxxxxxx. To enable acquiring tokens for this tenant add it to the additionally_allowed_tenants when creating the credential, or add \"*\" to additionally_allowed_tenants to allow acquiring tokens for any tenant."
}
COMPONENT NAME

azure_rm_keyvaultsecret_info

ANSIBLE VERSION
ansible [core 2.15.6]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/dist-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
@Poil
Copy link
Author

Poil commented Apr 23, 2024

Same issue with latest ansible version

ansible [core 2.16.6]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.11/dist-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] (/usr/bin/python3)
  jinja version = 3.1.3
  libyaml = True

@Poil
Copy link
Author

Poil commented Apr 24, 2024

If I patch site-packages/azure/identity/_internal/utils.py with self._additionally_allowed_tenants = additionally_allowed_tenants or ['*'] it works

It looks like that the tenant is not passed to the identity library, I don't find why

@Fred-sun
Copy link
Collaborator

@Poil I switched the version test and did not encounter the problem you mentioned, but according to the error log, I encountered an error when obtaining authorization. Could you please provide the version of 'azure-identity'?

@Fred-sun Fred-sun added medium_priority Medium priority work in In trying to solve, or in working with contributors labels Apr 24, 2024
@Poil
Copy link
Author

Poil commented Apr 24, 2024

Hi,

I installed all the requirements from your requirements-azure.txt of collection v2.3.0

$ pip freeze |grep identi
azure-identity==1.14.0

@Fred-sun
Copy link
Collaborator

You use 'az login' or credential files?

@Fred-sun
Copy link
Collaborator

Return value for local execution:

TASK [debug] ****************************************************************************************************
ok: [localhost] => {
    "facts": {
        "changed": false,
        "failed": false,
        "secrets": [
            {
                "attributes": {
                    "created": "2024-04-24T07:36:11+00:00",
                    "enabled": true,
                    "expires": "2030-03-04T04:05:06+00:00",
                    "not_before": "2000-01-02T01:02:03+00:00",
                    "recovery_level": "Recoverable+Purgeable",
                    "updated": "2024-04-24T07:36:11+00:00"
                },
                "content_type": "Content Type Secret",
                "secret": "mysecret",
                "sid": "xxxxxxxxxxxxxxxxxxx",
                "tags": {
                    "delete": "on-exit",
                    "testing": "test"
                },
                "version": "543a295656dd42d1b394fb174d32c2f4"
            }
        ]
    }
}

@Poil
Copy link
Author

Poil commented Apr 24, 2024

We passed the parameter

    azure.azcollection.azure_rm_keyvaultsecret_info:
          client_id: "{{ AZURE_CLIENT_ID }}"
          secret: "{{ AZURE_SECRET }}"
          subscription_id: "{{ AZURE_SUBSCRIPTION_ID }}"
          tenant: "{{ AZURE_TENANT }}"
          vault_uri: "{{ AZURE_KEYVAULT_URI }}"
          name: "{{ item }}"

perhaps I'm wrong but it looks like keyvault module don't use the tenant_id passed if I grep in the python module, it looks like to be extracted from the kv url ? self.tenant_id = uri_path.split("/")[0] or None

@Poil
Copy link
Author

Poil commented Apr 24, 2024

When using azure cli to auth it works

@Fred-sun
Copy link
Collaborator

I can git the secret through the parameters! It works!

@Fred-sun
Copy link
Collaborator

@Poil Are you use multi-tenant to authentication? is the tenant you configured in the parameters consistent with the tenant in you 'az account show'? According to the error, it is the case of tenant. Thank you !

@Fred-sun
Copy link
Collaborator

kindly ping!

@Fred-sun Fred-sun added question Further information is requested not a bug Not a bug labels Apr 28, 2024
@Poil
Copy link
Author

Poil commented Apr 28, 2024

Hi,

Sorry I'm in holidays :)

We use a service principal, so not multi tenant

Regards

@Fred-sun
Copy link
Collaborator

@Poil I am testing locally, and only if you use the wrong tenant id will you encounter such an error, When you come back from your vacation, could you please check and confirm? Thank you!

@Fred-sun
Copy link
Collaborator

Fred-sun commented May 6, 2024

@Poil In addition, Do you manage resources under different subscription ids?

@Fred-sun
Copy link
Collaborator

@Poil What version of Azure. azcollection do you have installed? Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
medium_priority Medium priority not a bug Not a bug question Further information is requested work in In trying to solve, or in working with contributors
Projects
None yet
Development

No branches or pull requests

2 participants