
Lookup not working on AzureChinaCloud

Open masterphenix opened this issue 4 years ago • 0 comments

Hello, I tried using this lookup on a Vault created on AzureChinaCloud, but it fails with the error "Invalid credentials provided".

Playbook:

- name: "Play with Azure Key Vault"
  connection: local
  hosts: localhost
  gather_facts: false
    
  tasks:
  - name: Look up Azure Key Vault secret
    vars:
      url: 'https://mytestvault.vault.azure.cn'
      secretname: 'mysecret'
      client_id: "{{ lookup('env','AZURE_CLIENT_ID') }}"
      secret: "{{ lookup('env','AZURE_SECRET') }}"
      tenant: "{{ lookup('env','AZURE_TENANT') }}"
    debug: msg="secret: {{ lookup('azure_keyvault_secret', secretname,vault_url=url, client_id=client_id, secret=secret, tenant_id=tenant) }}"

In order to pinpoint the root cause of this error, I slightly changed the code from:

    except AuthenticationError:
        raise AnsibleError('Invalid credentials provided')

to

    except AuthenticationError as err:
        raise AnsibleError('Invalid credentials provided: ' + err.message)

Which results in:

$ AZURE_CLIENT_ID='xxx' AZURE_TENANT='yyy' AZURE_SECRET='zzz' ansible-playbook -i localhost, az_kv-secret.yml

PLAY [Play with Azure Key Vault] **********************************************************************************************************

TASK [Look up Azure Key Vault secret] **********************************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'azure_keyvault_secret'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Invalid credentials provided: , AdalError: Get Token request returned http error: 400 and server response: {\"error\":\"invalid_request\",\"error_description\":\"AADSTS90002: Tenant 'yyy' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator.\\r\\nTrace ID: e7929e78-7d1f-48de-a82c-dc8f1305a000\\r\\nCorrelation ID: f1e7867c-0f4d-4063-8185-c859aa6e1317\\r\\nTimestamp: 2020-05-26 12:29:37Z\",\"error_codes\":[90002],\"timestamp\":\"2020-05-26 12:29:37Z\",\"trace_id\":\"e7929e78-7d1f-48de-a82c-dc8f1305a000\",\"correlation_id\":\"f1e7867c-0f4d-4063-8185-c859aa6e1317\",\"error_uri\":\"https://login.microsoftonline.com/error?code=90002\"}"}

PLAY RECAP **********************************************************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

It seems to me from the error above that the wrong Azure cloud is queried.

masterphenix avatar May 26 '20 12:05 masterphenix
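The AADSTS90002 response above comes from login.microsoftonline.com, the public-cloud Azure AD authority, even though the vault lives under vault.azure.cn. The following is an added example, not code from azure_preview_modules or from the reporter, showing how a lookup can derive the Azure AD authority and the Key Vault token audience from the vault URL's hostname suffix instead of hardcoding the public cloud. The cloud table (suffixes, authority hosts, resource identifiers), the function names and the error class are this example's own assumptions; the vault URL and tenant value reuse the placeholders from the playbook.

```python
"""Select the Azure AD authority and Key Vault audience from a vault URL.

Added example (not the project's code). The endpoints below are the
well-known per-cloud values; they are assumed constants for this example
and are not read from any SDK. Unknown suffixes raise instead of silently
falling back to the public cloud, which is the failure mode on this page.
"""
from urllib.parse import urlparse

# Assumed constants: vault hostname suffix, OAuth authority and the
# resource (token audience) to request for Key Vault, per cloud.
CLOUDS = {
    "AzureCloud": {
        "vault_suffix": ".vault.azure.net",
        "authority": "https://login.microsoftonline.com",
        "resource": "https://vault.azure.net",
    },
    "AzureChinaCloud": {
        "vault_suffix": ".vault.azure.cn",
        "authority": "https://login.chinacloudapi.cn",
        "resource": "https://vault.azure.cn",
    },
    "AzureUSGovernment": {
        "vault_suffix": ".vault.usgovcloudapi.net",
        "authority": "https://login.microsoftonline.us",
        "resource": "https://vault.usgovcloudapi.net",
    },
    "AzureGermanCloud": {
        "vault_suffix": ".vault.microsoftazure.de",
        "authority": "https://login.microsoftonline.de",
        "resource": "https://vault.microsoftazure.de",
    },
}


class UnknownCloudError(ValueError):
    """Raised when a vault URL does not match any known cloud suffix."""


def cloud_for_vault_url(vault_url):
    """Return (cloud_name, endpoints) for the cloud that hosts vault_url.

    Matching is on the lowercased hostname suffix, so a China Cloud vault
    never resolves to the public-cloud authority.
    """
    host = urlparse(vault_url).hostname  # lowercased by urlparse
    if not host:
        raise ValueError("vault_url must be an absolute https URL: %r" % vault_url)
    for name, endpoints in CLOUDS.items():
        if host.endswith(endpoints["vault_suffix"]):
            return name, endpoints
    raise UnknownCloudError("no known Azure cloud for vault host %r" % host)


def is_supported_vault_url(vault_url):
    """True if the vault URL maps to a known cloud, False otherwise."""
    try:
        cloud_for_vault_url(vault_url)
        return True
    except (UnknownCloudError, ValueError):
        return False


def token_endpoint(vault_url, tenant_id):
    """Return (oauth2 token URL, resource) a service principal should use.

    The token URL follows the v1 /oauth2/token path that adal-style
    clients post client_id/client_secret to; the resource is the Key
    Vault audience for the same cloud.
    """
    _, endpoints = cloud_for_vault_url(vault_url)
    return ("%s/%s/oauth2/token" % (endpoints["authority"], tenant_id),
            endpoints["resource"])


def secret_url(vault_url, secret_name, version=None, api_version="7.0"):
    """Build the REST URL for reading a secret (optionally a version)."""
    path = "/secrets/%s" % secret_name
    if version:
        path += "/%s" % version
    return vault_url.rstrip("/") + path + "?api-version=" + api_version


if __name__ == "__main__":
    # Same placeholder values as the playbook and command line above.
    url, tenant = "https://mytestvault.vault.azure.cn", "yyy"
    print(cloud_for_vault_url(url)[0])
    print(token_endpoint(url, tenant))
    print(secret_url(url, "mysecret"))
```

With the vault URL from the playbook this selects AzureChinaCloud and a token request against login.chinacloudapi.cn, which is the authority that actually knows the tenant; an unrecognised suffix is rejected up front rather than surfacing later as a misleading "tenant not found" from the wrong authority.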