azure_rm_adapplication - Access Token missing or malformed
SUMMARY
I'm trying to create/update an Azure AD application registration using the new azure_rm_adapplication module and am receiving an error: Access Token missing or malformed
ISSUE TYPE
- Bug Report
COMPONENT NAME
azure_rm_adapplication
ANSIBLE VERSION
ansible 2.9.12
COLLECTION VERSION
1.7.0
CONFIGURATION
HOST_KEY_CHECKING(/home/ben/workspace/kiewit/ansible/playbooks/ap_azure/ansible.cfg) = False
OS / ENVIRONMENT
Control OS / Environment: Ubuntu 20.04 with Python 3 virtual environment. Ansible and all relevant Azure pip modules installed.
STEPS TO REPRODUCE
- name: AZURE_RM_ADAPPLIATION | Initially create server-side app reg
  azure_rm_adapplication:
    ad_user: "{{ azure_ad_user }}"
    cloud_environment: "AzureCloud"
    password: "{{ azure_ad_password }}"
    subscription_id: "{{ azure_subscription_id }}"
    tenant: "{{ azure_tenant }}"
    display_name: "{{ azure_app_reg_name }}" # set in tasks/set_app_reg_facts.yml
    state: "{{ azure_adapp_server_state | default('present') }}"
  register: azure_adapp_server_info
- name: DEBUG | azure_adapp_server_info
  debug:
    var: azure_adapp_server_info
    verbosity: 0
EXPECTED RESULTS
App Registration matching display_name is present via Azure AD in Azure Portal
ACTUAL RESULTS
The full traceback is:
File "/tmp/ansible_azure_rm_adapplication_payload_psg0x3yb/ansible_azure_rm_adapplication_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_adapplication.py", line 500, in create_resource
File "/home/ben/venv3_ansible-2.9.12/lib/python3.8/site-packages/azure/graphrbac/operations/applications_operations.py", line 86, in create
raise models.GraphErrorException(self._deserialize, response)
fatal: [localhost]: FAILED! => changed=false
  invocation:
    module_args:
      ad_user: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER
      adfs_authority_url: null
      allow_guests_sign_in: null
      api_profile: latest
      app_id: null
      app_roles: null
      auth_source: auto
      available_to_other_tenants: null
      cert_validation_mode: validate
      client_id: null
      cloud_environment: AzureCloud
      credential_description: null
      display_name: api-lab-scus-iac-tst
      end_date: null
      homepage: null
      identifier_uris: null
      key_type: AsymmetricX509Cert
      key_usage: Verify
      key_value: null
      log_mode: null
      log_path: null
      native_app: null
      oauth2_allow_implicit_flow: null
      optional_claims: null
      password: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER
      profile: null
      reply_urls: null
      required_resource_accesses: null
      secret: null
      start_date: null
      state: present
      subscription_id: dd59b5e3-c62d-47cb-a1ba-965ea8ff2a7e
      tenant: 07420c3d-c141-4c67-b6f3-f448e5adb67b
  msg: Error creating application, display_name api-lab-scus-iac-tst - Access Token missing or malformed.
Is this possibly related to #573 or #575?
@watsonb Thank you for submitting this question. Judging from your error log, it should be caused by the permission of your account. Could you please confirm your account authorization? Thank you very much!
The account being used is a Global Administrator.
@watsonb Can you set "auth_source: cli" in the playbook to retry? The current 'ad' related modules only support CLI Credentials (az login). Thank you very much!
@Fred-sun I'll give it a try soon.
@watsonb @Fred-sun Is this still an issue that we need to use the auth-source: cli? Has anyone had luck working with auth-source: msi? The docs clearly say msi as auth source.
@radhikari-arch Support for Microsoft Graph has been added in PR #1112. The MS Graph API will support this function. Please review! Thank you very much!
@watsonb Please try the latest azure.azcollection. It supports all authentication methods. Thank you very much!