[bug] AKV10032: Invalid issuer

[jellevandehaterd]

Describe the bug
After successfully deploying the launchpad and foundations the Rover is not able to 'login_as_launchpad' when running on GitHub actions.

To Reproduce
It occurs on GitHub actions, when running it locally with the same service principal it completes normally.
It is an intermittent fault, it can occur at every stage after the first launchpad and foundation are deployed.

Expected behavior
Not throwing a AKV10032: Invalid issuer error and continue.

Screenshots

  /$$$$$$   /$$$$$$  /$$$$$$$$       /$$$$$$$                                        
 /$$__  $$ /$$__  $$| $$_____/      | $$__  $$                                       
| $$  \__/| $$  \ $$| $$            | $$  \ $$  /$$$$$$  /$$    /$$/$$$$$$   /$$$$$$ 
| $$      | $$$$$$$$| $$$$$         | $$$$$$$/ /$$__  $$|  $$  /$$/$$__  $$ /$$__  $$
| $$      | $$__  $$| $$__/         | $$__  $$| $$  \ $$ \  $$/$$/ $$$$$$$$| $$  \__/
| $$    $$| $$  | $$| $$            | $$  \ $$| $$  | $$  \  $$$/| $$_____/| $$      
|  $$$$$$/| $$  | $$| $$            | $$  | $$|  $$$$$$/   \  $/ |  $$$$$$$| $$      
 \______/ |__/  |__/|__/            |__/  |__/ \______/     \_/   \_______/|__/      
                                                                                     
                                                                                                                                                           
              version: aztfmod/rover:2010.2808

 Expanding variable files: /__w/cloud-management/cloud-management/landingzones/caf_networking/scenario/100-single-region-hub/*.tfvars

mode                          : 'landingzone'
terraform command output file : ''
tf_action                     : 'apply'
command and parameters        : '-var-file /__w/cloud-management/cloud-management/landingzones/caf_networking/scenario/100-single-region-hub/configuration.tfvars -var-file /__w/cloud-management/cloud-management/landingzones/caf_networking/scenario/100-single-region-hub/network_security_group_definition.tfvars -parallelism=30'
level (current)               : 'level2'
environment                   : '343564964'
workspace                     : 'tfstate'
tfstate                       : '100-single-region-hub.tfstate'

@calling process_actions
@calling verify_azure_session
Checking existing Azure session
@calling verify_parameters
landingzone                   : '/__w/cloud-management/cloud-management/landingzones/caf_networking'
@calling_deploy
@calling get_storage_id

launchpad already installed

@calling deploy_from_remote_state
Connecting to the launchpad
@calling_get_logged_user_object_id
 Logged in rover app object_id: 01234567-1234-1234-1234-1234567890
 Logged in rover app object_id: 01234567-1234-1234-1234-1234567890
 - logged in Azure AD application:  GitHub-Actions-Non-Prod
@calling login_as_launchpad
 - keyvault_name: null

Getting launchpad coordinates:
AKV10032: Invalid issuer. Expected one of https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/, https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/, https://sts.windows.net/e2d54eb5-3869-4f70-8578-dee5fc7331f4/, https://sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/, https://sts.windows.net/975f013f-7f24-47e8-a7d3-abc4752bf346/, found https://sts.windows.net/***/.
 - subscription id: 
Error on or near line 326: Not authorized to manage landingzones. User must be member of the security group to access the launchpad and deploy a landing zone; exiting with status 102

Configuration (please complete the following information):

• GitHub Actions
• rover aztfmod/rover:2010.2808

Additional context
I created an issue for the rover too.

[arnaudlh]

Hi @jellevandehaterd seems to be related to GHA as we don't repo locally or in Azure DevOps.
Will continue investigating and keep you posted.

[arnaudlh]

Closing as no repro anymore. Feel free to reopen if occurs again.