
Upgrade from 1.19 to 2.x - "msg": "Find the key vault secret got exception, exception as The current credential is not configured to acquire tokens for tenant xxx. #1539

Open
Poil opened this issue Apr 23, 2024 · 14 comments
Labels
medium_priority (Medium priority), not a bug (Not a bug), question (Further information is requested), work in (In trying to solve, or in working with contributors)

Comments

@Poil

Poil commented Apr 23, 2024

SUMMARY

Hi,

After upgrading to 2.x I have this error message when trying to retrieve a keyvault secret via azure.azcollection.azure_rm_keyvaultsecret_info

We pass these parameters

      - name: Get Private Key to connect to VMs
        azure.azcollection.azure_rm_keyvaultsecret_info:
          client_id: "{{ AZURE_CLIENT_ID }}"
          secret: "{{ AZURE_SECRET }}"
          subscription_id: "{{ AZURE_SUBSCRIPTION_ID }}"
          tenant: "{{ AZURE_TENANT }}"
          vault_uri: "{{ AZURE_KEYVAULT_URI }}"
          name: "{{ item }}"
        delegate_to: localhost
        with_items:
          - "xxx-{{ env_to_deploy }}-ssh-private-key"
        register: returnedSecrets
        # no_log: false
ISSUE TYPE
  • Documentation Report
Debug
The full traceback is:
  File "/tmp/ansible_azure.azcollection.azure_rm_keyvaultsecret_info_payload_7y9bc5vf/ansible_azure.azcollection.azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvaultsecret_info.py", line 297, in get_secret
  File "/usr/local/lib/python3.11/dist-packages/azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/keyvault/secrets/_client.py", line 72, in get_secret
    bundle = self._client.get_secret(
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/keyvault/secrets/_generated/_operations_mixin.py", line 1640, in get_secret
    return mixin_instance.get_secret(vault_base_url, secret_name, secret_version, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/keyvault/secrets/_generated/v7_4/operations/_key_vault_client_operations.py", line 760, in get_secret
    pipeline_response: PipelineResponse = self._client._pipeline.run(  # pylint: disable=protected-access
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/core/pipeline/_base.py", line 213, in run
    return first_node.send(pipeline_request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/core/pipeline/_base.py", line 70, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/core/pipeline/_base.py", line 70, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/core/pipeline/_base.py", line 70, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  [Previous line repeated 2 more times]
  File "/usr/local/lib/python3.11/dist-packages/azure/core/pipeline/policies/_redirect.py", line 181, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/core/pipeline/policies/_retry.py", line 467, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/core/pipeline/policies/_authentication.py", line 124, in send
    request_authorized = self.on_challenge(request, response)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 112, in on_challenge
    self.authorize_request(request, scope, tenant_id=challenge.tenant_id)
  File "/usr/local/lib/python3.11/dist-packages/azure/core/pipeline/policies/_authentication.py", line 102, in authorize_request
    self._token = self._credential.get_token(*scopes, **kwargs)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/identity/_internal/get_token_mixin.py", line 83, in get_token
    token = self._acquire_token_silently(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/identity/_internal/decorators.py", line 79, in wrapper
    return fn(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/identity/_internal/client_credential_base.py", line 21, in _acquire_token_silently
    app = self._get_app(**kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/identity/_internal/msal_credentials.py", line 85, in _get_app
    tenant_id = resolve_tenant(
                ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/azure/identity/_internal/utils.py", line 96, in resolve_tenant
    raise ClientAuthenticationError(
  localhost failed | item: xxx-test-ssh-private-key: {
    "ansible_loop_var": "item",
    "changed": false,
    "invocation": {
        "module_args": {
            "ad_user": null,
            "adfs_authority_url": null,
            "api_profile": "latest",
            "auth_source": "auto",
            "cert_validation_mode": null,
            "client_id": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "cloud_environment": "AzureCloud",
            "disable_instance_discovery": false,
            "log_mode": null,
            "log_path": null,
            "name": "pb2c-test-ssh-private-key",
            "password": null,
            "profile": null,
            "secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "show_deleted_secret": false,
            "subscription_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "tags": null,
            "tenant": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "thumbprint": null,
            "vault_uri": "https://kv-pb2c-test-claranet.vault.azure.net/",
            "version": "current",
            "x509_certificate_path": null
        }
    },
    "item": "xxxx-test-ssh-private-key",
    "msg": "Find the key vault secret got exception, exception as The current credential is not configured to acquire tokens for tenantxxxxxxxxxxxxxxxxxxxxxxxx. To enable acquiring tokens for this tenant add it to the additionally_allowed_tenants when creating the credential, or add \"*\" to additionally_allowed_tenants to allow acquiring tokens for any tenant."
}
COMPONENT NAME

azure_rm_keyvaultsecret_info

ANSIBLE VERSION
ansible [core 2.15.6]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/dist-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
@Poil
Author

Poil commented Apr 23, 2024

Same issue with latest ansible version

ansible [core 2.16.6]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.11/dist-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] (/usr/bin/python3)
  jinja version = 3.1.3
  libyaml = True

@Poil
Author

Poil commented Apr 24, 2024

If I patch site-packages/azure/identity/_internal/utils.py with self._additionally_allowed_tenants = additionally_allowed_tenants or ['*'] it works

It looks like the tenant is not passed to the identity library; I can't find why.

@Fred-sun
Collaborator

@Poil I switched the version test and did not encounter the problem you mentioned, but according to the error log, I encountered an error when obtaining authorization. Could you please provide the version of 'azure-identity'?

@Fred-sun Fred-sun added the labels medium_priority (Medium priority) and work in (In trying to solve, or in working with contributors) on Apr 24, 2024
@Poil
Author

Poil commented Apr 24, 2024

Hi,

I installed all the requirements from your requirements-azure.txt of collection v2.3.0

$ pip freeze |grep identi
azure-identity==1.14.0

@Fred-sun
Collaborator

Do you use 'az login' or credential files?

@Fred-sun
Collaborator

Return value for local execution:

TASK [debug] ****************************************************************************************************
ok: [localhost] => {
    "facts": {
        "changed": false,
        "failed": false,
        "secrets": [
            {
                "attributes": {
                    "created": "2024-04-24T07:36:11+00:00",
                    "enabled": true,
                    "expires": "2030-03-04T04:05:06+00:00",
                    "not_before": "2000-01-02T01:02:03+00:00",
                    "recovery_level": "Recoverable+Purgeable",
                    "updated": "2024-04-24T07:36:11+00:00"
                },
                "content_type": "Content Type Secret",
                "secret": "mysecret",
                "sid": "xxxxxxxxxxxxxxxxxxx",
                "tags": {
                    "delete": "on-exit",
                    "testing": "test"
                },
                "version": "543a295656dd42d1b394fb174d32c2f4"
            }
        ]
    }
}

@Poil
Author

Poil commented Apr 24, 2024

We passed the parameter

    azure.azcollection.azure_rm_keyvaultsecret_info:
      client_id: "{{ AZURE_CLIENT_ID }}"
      secret: "{{ AZURE_SECRET }}"
      subscription_id: "{{ AZURE_SUBSCRIPTION_ID }}"
      tenant: "{{ AZURE_TENANT }}"
      vault_uri: "{{ AZURE_KEYVAULT_URI }}"
      name: "{{ item }}"

Perhaps I'm wrong, but it looks like the keyvault module doesn't use the tenant_id that is passed. If I grep in the python module, it looks like it is extracted from the kv url instead: self.tenant_id = uri_path.split("/")[0] or None

@Poil
Author

Poil commented Apr 24, 2024

When using the azure cli to authenticate, it works.

@Fred-sun
Collaborator

I can get the secret through the parameters! It works!

@Fred-sun
Collaborator

@Poil Are you using multi-tenant authentication? Is the tenant you configured in the parameters consistent with the tenant in your 'az account show'? According to the error, it is a tenant problem. Thank you!

@Fred-sun
Collaborator

kindly ping!

@Fred-sun Fred-sun added the labels question (Further information is requested) and not a bug (Not a bug) on Apr 28, 2024
@Poil
Author

Poil commented Apr 28, 2024

Hi,

Sorry, I'm on holiday :)

We use a service principal, so not multi-tenant.

Regards

@Fred-sun
Collaborator

@Poil I am testing locally, and only if you use the wrong tenant id will you encounter such an error. When you come back from your vacation, could you please check and confirm? Thank you!
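
The tenant check behind the error in this thread, as an added example that is not code from the collection or from azure-identity: a simplified re-implementation of the rule that turns a mismatched tenant into "The current credential is not configured to acquire tokens for tenant ...", plus a parser for the Key Vault bearer challenge that supplies that tenant. The challenge header value and tenant ids below are constructed; the exception class, function names and the omission of the adfs and environment-variable special cases are simplifications made for this example.

```python
import re
from typing import List, Optional
from urllib.parse import urlparse


class TenantMismatch(Exception):
    """Stands in for ClientAuthenticationError in this simplified example."""


def tenant_from_challenge(www_authenticate: str) -> Optional[str]:
    """Key Vault answers an unauthenticated request with a 401 whose bearer
    challenge names the vault's own tenant in the 'authorization' authority URL.
    Like the line quoted in this issue, the tenant is the first path segment."""
    match = re.search(r'authorization="([^"]+)"', www_authenticate)
    if not match:
        return None
    uri_path = urlparse(match.group(1)).path.strip("/")
    return uri_path.split("/")[0] or None


def resolve_tenant(default_tenant: str, tenant_id: Optional[str],
                   additionally_allowed_tenants: Optional[List[str]] = None) -> str:
    """Simplified re-implementation (assumption, not the library's code) of the
    rule applied when a service challenge names a tenant: the credential's own
    tenant is always allowed, any other tenant must be listed explicitly or
    allowed with '*'. A service principal configured with the wrong tenant id
    therefore fails here, because the vault's tenant differs from its own."""
    if tenant_id is None or tenant_id == default_tenant:
        return default_tenant
    allowed = additionally_allowed_tenants or []
    if "*" in allowed or tenant_id in allowed:
        return tenant_id
    raise TenantMismatch(
        f"The current credential is not configured to acquire tokens for tenant {tenant_id}."
    )


def check_credential(credential_tenant: str, www_authenticate: str,
                     additionally_allowed_tenants: Optional[List[str]] = None) -> str:
    """Return the tenant a token would be requested for, or raise TenantMismatch."""
    return resolve_tenant(credential_tenant, tenant_from_challenge(www_authenticate),
                          additionally_allowed_tenants)


# Constructed sample challenge, modelled on the header Key Vault returns on a 401.
VAULT_TENANT = "aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb"
OTHER_TENANT = "cccccccc-4444-5555-6666-dddddddddddd"
SAMPLE_CHALLENGE = (f'Bearer authorization="https://login.microsoftonline.com/{VAULT_TENANT}", '
                    'resource="https://vault.azure.net"')
```

Calling check_credential(OTHER_TENANT, SAMPLE_CHALLENGE) reproduces the failure, while the same call with additionally_allowed_tenants=["*"] succeeds, which is what the author's local patch on utils.py does globally.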

@Fred-sun
Collaborator

Fred-sun commented May 6, 2024

@Poil In addition, do you manage resources under different subscription ids?
