Lookup not working on AzureChinaCloud #382

Open
masterphenix opened this issue May 26, 2020 · 0 comments

@masterphenix

Hello,
I tried using this lookup on a Vault created on AzureChinaCloud, but it fails with error "Invalid credentials provided".

Playbook:

    - name: "Play with Azure Key Vault"
      connection: local
      hosts: localhost
      gather_facts: false

      tasks:
      - name: Look up Azure Key Vault secret
        vars:
          url: 'https://mytestvault.vault.azure.cn'
          secretname: 'mysecret'
          client_id: "{{ lookup('env','AZURE_CLIENT_ID') }}"
          secret: "{{ lookup('env','AZURE_SECRET') }}"
          tenant: "{{ lookup('env','AZURE_TENANT') }}"
        debug: msg="secret: {{ lookup('azure_keyvault_secret', secretname, vault_url=url, client_id=client_id, secret=secret, tenant_id=tenant) }}"

In order to pinpoint the root cause of this error, I slightly changed the code from:

    except AuthenticationError:
        raise AnsibleError('Invalid credentials provided')

to

    except AuthenticationError as err:
        raise AnsibleError('Invalid credentials provided: ' + err.message)

Which results in:

    $ AZURE_CLIENT_ID='xxx' AZURE_TENANT='yyy' AZURE_SECRET='zzz' ansible-playbook -i localhost, az_kv-secret.yml

    PLAY [Play with Azure Key Vault] **********************************************************************************************************

    TASK [Look up Azure Key Vault secret] **********************************************************************************************************
    fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'azure_keyvault_secret'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Invalid credentials provided: , AdalError: Get Token request returned http error: 400 and server response: {\"error\":\"invalid_request\",\"error_description\":\"AADSTS90002: Tenant 'yyy' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator.\\r\\nTrace ID: e7929e78-7d1f-48de-a82c-dc8f1305a000\\r\\nCorrelation ID: f1e7867c-0f4d-4063-8185-c859aa6e1317\\r\\nTimestamp: 2020-05-26 12:29:37Z\",\"error_codes\":[90002],\"timestamp\":\"2020-05-26 12:29:37Z\",\"trace_id\":\"e7929e78-7d1f-48de-a82c-dc8f1305a000\",\"correlation_id\":\"f1e7867c-0f4d-4063-8185-c859aa6e1317\",\"error_uri\":\"https://login.microsoftonline.com/error?code=90002\"}"}

    PLAY RECAP **********************************************************************************************************
    localhost                  : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

It seems to me from the error above that the wrong Azure cloud is queried.
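The error_uri in the output above points at login.microsoftonline.com, the public-cloud AAD authority, even though the vault lives under the .vault.azure.cn suffix, which is why the China tenant is "not found". The following is an added example (not code from the lookup plugin or from the issue author) showing how a lookup could derive the right authority and Key Vault audience from vault_url before requesting a token; the CLOUDS table is constructed from the publicly documented sovereign-cloud endpoints, and the function names are hypothetical.

```python
from urllib.parse import urlparse

# Constructed table: Key Vault DNS suffix -> AAD authority and Key Vault token
# audience for each cloud. Values are the documented Azure endpoints; the
# table itself is an assumption of this example, not part of the plugin.
CLOUDS = {
    "vault.azure.net": {
        "name": "AzureCloud",
        "authority": "https://login.microsoftonline.com",
        "keyvault_resource": "https://vault.azure.net",
    },
    "vault.azure.cn": {
        "name": "AzureChinaCloud",
        "authority": "https://login.chinacloudapi.cn",
        "keyvault_resource": "https://vault.azure.cn",
    },
    "vault.usgovcloudapi.net": {
        "name": "AzureUSGovernment",
        "authority": "https://login.microsoftonline.us",
        "keyvault_resource": "https://vault.usgovcloudapi.net",
    },
}


def resolve_cloud(vault_url):
    """Return the cloud entry whose Key Vault suffix matches vault_url.

    Raises ValueError for non-https URLs or unknown suffixes, so a client
    secret is never sent to a token endpoint that was guessed."""
    parsed = urlparse(vault_url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("vault_url must be an https URL with a host: %r" % vault_url)
    host = parsed.hostname.lower()
    for suffix, cloud in CLOUDS.items():
        # Require a label boundary so "vault.azure.cn.example.org" does not match.
        if host.endswith("." + suffix):
            return cloud
    raise ValueError("unknown Key Vault DNS suffix in %r" % host)


def is_known_vault_url(vault_url):
    """Boolean convenience wrapper around resolve_cloud for validation."""
    try:
        resolve_cloud(vault_url)
        return True
    except ValueError:
        return False


def token_request_target(vault_url, tenant_id):
    """Describe where the OAuth2 client-credentials request should go.

    Mirrors the ADAL-style endpoint shape seen in the issue's error output
    (authority + tenant + /oauth2/token); the returned dict is constructed
    here for illustration."""
    cloud = resolve_cloud(vault_url)
    return {
        "cloud": cloud["name"],
        "token_endpoint": "%s/%s/oauth2/token" % (cloud["authority"], tenant_id),
        "resource": cloud["keyvault_resource"],
    }


if __name__ == "__main__":
    # Constructed inputs matching the playbook in the issue (tenant 'yyy').
    for url in ("https://mytestvault.vault.azure.net",
                "https://mytestvault.vault.azure.cn"):
        target = token_request_target(url, "yyy")
        print("%-40s -> %s %s" % (url, target["cloud"], target["token_endpoint"]))
```

Run stand-alone, the script prints the public-cloud and China-cloud token endpoints side by side, which makes the mismatch in the issue visible: a lookup that always uses the first line's authority will get AADSTS90002 for any tenant that only exists in the second.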
