Misleading error when credential secret is not in expected format #57

Closed
turkenh opened this issue Oct 18, 2022 · 7 comments

Comments

@turkenh (Contributor) commented Oct 18, 2022

What problem are you facing?

Provider Azure returns a misleading error when cloud credential secret is not in the correct format.

When I have a provider config secret in the following format (couldn't remember the exact az command that I've used to generate it):

{
  "appId": "<REDACTED>",
  "displayName": "<REDACTED>",
  "password": "<REDACTED>",
  "tenant": "<REDACTED>",
  "subscriptionId": "<REDACTED>"
}

I am seeing the following error in the MR events:

managed/azure.upbound.io/v1beta1, kind=resourcegroup  cannot run refresh: refresh failed: building AzureRM Client: please ensure you have installed Azure CLI version 2.0.79 or newer. Error parsing json result from the Azure CLI: launching Azure CLI: exec: "az": executable file not found in $PATH.

How could Official Azure Provider help solve your problem?

Produce a more user friendly error indicating that secret is not in the expected format.

FTR, expected secret needs to be generated with az ad sp create-for-rbac --sdk-auth --role Owner --scopes /subscriptions/<id> and should be in the following format:

{
    "clientId": "<REDACTED>",
    "clientSecret": "<REDACTED>",
    "subscriptionId": "<REDACTED>",
    "tenantId": "<REDACTED>",
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
    "resourceManagerEndpointUrl": "https://management.azure.com/",
    "activeDirectoryGraphResourceId": "https://graph.windows.net",
    "sqlManagementEndpointUrl": "https://management.core.windows.net:8443",
    "galleryEndpointUrl": "https://gallery.azure.com/",
    "managementEndpointUrl": "https://management.core.windows.net/"
}
@turkenh turkenh added the enhancement New feature or request label Oct 18, 2022
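The two JSON layouts above differ only in key names (appId/password/tenant versus clientId/clientSecret/tenantId), which is why a provider that silently falls back to Azure CLI authentication when the expected keys are absent ends up reporting "az not found". The following Go snippet is an added example, not code from provider-azure or from the issue author: it is a pre-flight validator that a practitioner could run over a ProviderConfig secret payload, rejecting empty or malformed JSON, recognising the non --sdk-auth layout by its key names, and listing any required keys that are missing. The sample secrets are constructed placeholders, and the field set it treats as required (clientId, clientSecret, subscriptionId, tenantId) is an assumption based on the format quoted in the issue.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// AzureCredentials holds the fields assumed to be required from an
// `az ad sp create-for-rbac --sdk-auth` document. The endpoint URLs the
// CLI also emits are accepted but not required by this validator.
type AzureCredentials struct {
	ClientID       string `json:"clientId"`
	ClientSecret   string `json:"clientSecret"`
	SubscriptionID string `json:"subscriptionId"`
	TenantID       string `json:"tenantId"`
}

// legacyKeys maps the key names emitted by plain `az ad sp create-for-rbac`
// (without --sdk-auth) to the names the --sdk-auth layout uses.
var legacyKeys = map[string]string{
	"appId":    "clientId",
	"password": "clientSecret",
	"tenant":   "tenantId",
}

// ParseCredentials validates the raw secret payload before it would reach
// any cloud client, so that a wrong format surfaces as a specific error
// rather than a downstream fallback to the Azure CLI.
func ParseCredentials(raw []byte) (*AzureCredentials, error) {
	if len(strings.TrimSpace(string(raw))) == 0 {
		return nil, errors.New("azure credentials secret is empty")
	}
	var fields map[string]json.RawMessage
	if err := json.Unmarshal(raw, &fields); err != nil {
		return nil, fmt.Errorf("azure credentials are not a JSON object: %w", err)
	}
	// Detect the non --sdk-auth layout and say exactly how to fix it.
	var legacy []string
	for k := range fields {
		if want, ok := legacyKeys[k]; ok {
			legacy = append(legacy, fmt.Sprintf("%q (expected %q)", k, want))
		}
	}
	if len(legacy) > 0 {
		sort.Strings(legacy)
		return nil, fmt.Errorf("azure credentials look like plain 'az ad sp create-for-rbac' output; "+
			"regenerate them with --sdk-auth. Unexpected keys: %s", strings.Join(legacy, ", "))
	}
	var creds AzureCredentials
	if err := json.Unmarshal(raw, &creds); err != nil {
		return nil, fmt.Errorf("decoding azure credentials: %w", err)
	}
	var missing []string
	for name, val := range map[string]string{
		"clientId": creds.ClientID, "clientSecret": creds.ClientSecret,
		"subscriptionId": creds.SubscriptionID, "tenantId": creds.TenantID,
	} {
		if val == "" {
			missing = append(missing, name)
		}
	}
	if len(missing) > 0 {
		sort.Strings(missing)
		return nil, fmt.Errorf("azure credentials missing required keys: %s", strings.Join(missing, ", "))
	}
	return &creds, nil
}

// Constructed sample secrets with placeholder GUIDs; not real credentials.
const LegacySecret = `{
  "appId": "00000000-0000-0000-0000-000000000001",
  "displayName": "example-sp",
  "password": "placeholder-secret",
  "tenant": "00000000-0000-0000-0000-000000000002",
  "subscriptionId": "00000000-0000-0000-0000-000000000003"
}`

const SdkAuthSecret = `{
  "clientId": "11111111-1111-1111-1111-111111111111",
  "clientSecret": "placeholder-secret",
  "subscriptionId": "00000000-0000-0000-0000-000000000003",
  "tenantId": "00000000-0000-0000-0000-000000000002",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/"
}`

func main() {
	for _, in := range [][]byte{[]byte(LegacySecret), []byte(SdkAuthSecret), []byte(""), []byte("{")} {
		if c, err := ParseCredentials(in); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted credentials for client", c.ClientID)
		}
	}
}
```

The check is deliberately done on key names before any network call, so the failure mode reported in this issue is turned into an actionable message naming the offending keys and the command that produces the right layout.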
@turkenf (Collaborator) commented Apr 13, 2023

@turkenh can you confirm whether this issue is still relevant or applicable?

@ytsarev (Collaborator) commented Apr 18, 2023

@turkenf i'm pretty sure it's still the case, you can easily reproduce it by providing slightly broken credentials json

@sspreitzer commented

I spent hours debugging why Crossplane does not work and the Azure CLI az is missing until I stumbled upon this GitHub issue.

github-actions bot commented May 5, 2024

This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

@github-actions github-actions bot added the stale label May 5, 2024
github-actions bot commented May 19, 2024

This issue is being closed since there has been no activity for 14 days since marking it as stale. If you still need help, feel free to comment or reopen the issue!

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale May 19, 2024
@ytsarev (Collaborator) commented May 20, 2024

/fresh reopening until we validate otherwise

@ytsarev ytsarev reopened this May 20, 2024
@github-actions github-actions bot removed the stale label May 21, 2024
@ytsarev (Collaborator) commented May 23, 2024

Just checked with the latest https://marketplace.upbound.io/providers/upbound/provider-family-azure/v1.2.0/

For the broken credentials secret I get this, which looks clear enough:

  Type     Reason                   Age              From                                                  Message
  ----     ------                   ----             ----                                                  -------
  Warning  CannotConnectToProvider  4s (x4 over 9s)  managed/azure.upbound.io/v1beta1, kind=resourcegroup  cannot initialize the Terraform plugin SDK async external client: cannot get terraform setup: failed to prepare terraform.Setup: cannot unmarshal Azure credentials as JSON: unexpected end of JSON input

And for the secret with malformed credentials:

Events:
  Type     Reason                   Age   From                                                  Message
  ----     ------                   ----  ----                                                  -------
  Warning  CannotConnectToProvider  4s    managed/azure.upbound.io/v1beta1, kind=resourcegroup  cannot initialize the Terraform plugin SDK async external client: cannot get terraform setup: failed to configure the no-fork Azure client: failed to configure the provider: [{0 building account: could not acquire access token to parse claims: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app

So the event stream is clear enough, and there is no az CLI involved anymore.

@ytsarev ytsarev closed this as completed May 23, 2024