Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secrets using key-vault is broken: performing CreateOrUpdate: unexpected │ status 400 (400 Bad Request) with error #1159

Closed
1 of 3 tasks
davidkarlsen opened this issue May 5, 2024 · 3 comments
Closed
1 of 3 tasks

Secrets using key-vault is broken: performing CreateOrUpdate: unexpected │ status 400 (400 Bad Request) with error #1159

davidkarlsen opened this issue May 5, 2024 · 3 comments
Labels
bug Something isn't working In progress Solution/feature is being worked on

Comments

@davidkarlsen
Copy link

davidkarlsen commented May 5, 2024
edited
Loading

Please provide us with the following information:

This issue is a: (mark with an x)

  • bug report -> please search issues before submitting
  • documentation issue or request
  • regression (a behavior that used to work and stopped in a new release)

Issue description

Accessing secrets backed with keyvault fails with:

│ updating Container App (Subscription:
│ "xxxx"
│ Resource Group Name: "sre-bs-test-nore-rg"
│ Container App Name: "backstage"): performing CreateOrUpdate: unexpected
│ status 400 (400 Bad Request) with error:
│ InvalidParameterValueInContainerTemplate: The following field(s) are either
│ invalid or missing. Field 'configuration.secrets' is invalid with details:
│ 'Invalid value: "postgres-password": Unable to get value using Managed
│ identity
│ /subscriptions/xxxx/resourceGroups/sre-bs-test-nore-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sre-bs-test-nore-uai
│ for secret postgres-password. Error: unable to fetch secret
'postgres-password' using Managed identity
'/subscriptions/xxxx/resourceGroups/sre-bs-test-nore-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sre-bs-test-nore-uai'';.

some facts:

  • container-apps environment is assigned UMI
  • container-app is assigned same UMI + additional UMI (in order to be able to pull from ACR)
  • container-apps environment uses an infra-subnet, and is using a Consumption profile
  • the container-apps environment can use the UMI to fetch certificates for custom domain-suffix just fine
  • the UMI has Key Vault Secrets User role scoped to the whole KV
  • KV uses RBAC-model
  • KV is using private-endpoint, same vnet
  • Access to KV from container-apps subnet is not blocked by NSG
  • KV also has "Allow trusted Microsoft services to bypass this firewall"
  • it fails if I use a versioned or non-versioned secret
  • subnet where container apps runs also has service-endpoints for: Microsoft.AzureActiveDirectory and Microsoft.KeyVault - but the latter should not have any effect in this case due to the private-endpoint

Steps to reproduce

  1. create according to bug
  2. see it fail

Expected behavior [What you expected to happen.]
should fetch secret

Actual behavior [What actually happened.]
See description

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context

fails using portal or terraform
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: triage 🔍 Pending a first pass to read, tag, and assign label May 5, 2024
@davidkarlsen davidkarlsen changed the title Secrets via keyvault is broken Secrets using key-vault is broken May 5, 2024
@davidkarlsen davidkarlsen changed the title Secrets using key-vault is broken Secrets using key-vault is broken: performing CreateOrUpdate: unexpected │ status 400 (400 Bad Request) with error May 5, 2024
@anrub anrub mentioned this issue May 10, 2024
Closed
3 tasks
@davidkarlsen davidkarlsen mentioned this issue May 22, 2024
Open
2 tasks
@davidkarlsen
Copy link
Author

davidkarlsen commented May 22, 2024
edited
Loading

Are there any grown-ups at home here at all?

@howang-ms
Copy link
Collaborator

Sorry for the delay. We have investigated this issue, and it is related to validate code cannot process the secret with large expiration date. We will fix the issue ASAP. In the meantime, you can choose a nearer expiration date for your secret as a workaround.

@anthonychu anthonychu added bug Something isn't working In progress Solution/feature is being worked on and removed Needs: triage 🔍 Pending a first pass to read, tag, and assign labels May 31, 2024
@anthonychu
Copy link
Member

Fix has been deployed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working In progress Solution/feature is being worked on
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@davidkarlsen @anthonychu @howang-ms