
InvalidAuthenticationTokenAudience with AzureUSGovernment

Open dc-chris-smith opened this issue 2 years ago • 7 comments

SUMMARY

I am working on a role to allow department users to start and stop VMs in Azure when they are needed. I have worked through a number of issues that were not documented only to be presented with "the access token has been obtained for the wrong audience."

ISSUE TYPE
  • Bug Report
COMPONENT NAME

azure.azcollection.azure_rm_virtualmachine

ANSIBLE VERSION
ansible [core 2.12.3]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.8/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.8.12 (default, Sep 16 2021, 10:46:05) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION
execution environment rebuilt weekly with all latest versions
CONFIGURATION

OS / ENVIRONMENT

AzureUSGovernment

STEPS TO REPRODUCE

I have a powered off VM in Azure and the configured playbook below. When I execute the playbook, it errors out with the error code pasted at the bottom.

A custom credential is used that provides the AZURE_CLIENT_ID and AZURE_SECRET values.

Extra vars yaml

role_name: power
vm_operation: start
vm_name: REDACTED
resource_group_name: REDACTED
subscription_id: REDACTED
tenant: REDACTED
cloud_environment: AzureUSGovernment

Playbook yaml to start the VM

- name: Start Azure VM
  azure.azcollection.azure_rm_virtualmachine:
    tenant: '{{ tenant }}'
    subscription_id: '{{ subscription_id }}'
    client_id: '{{ AZURE_CLIENT_ID }}'
    secret: '{{ AZURE_SECRET }}'
    cloud_environment: '{{ cloud_environment }}'
    resource_group: '{{ resource_group_name }}'
    name: '{{ vm_name }}'
    started: yes
  when: "vm_operation == 'start'"
EXPECTED RESULTS

The target VM would be started

ACTUAL RESULTS
The access token has been obtained for wrong audience or resource 'https://management.azure.com'. It should exactly match with one of the allowed audiences 'https://management.core.usgovcloudapi.net/','https://management.core.usgovcloudapi.net','https://management.usgovcloudapi.net/','https://management.usgovcloudapi.net'.

dc-chris-smith, Sep 22 '22 23:09

@dc-chris-smith Can you follow the Playbook execution with '-vvvv'? Detailed procedures will be printed to help solve the current problem. Thank you very much!

ansible-playbook **.yml -vvvvv

Fred-sun, Sep 23 '22 01:09

@Fred-sun I am running Ansible Automation Platform, so this might not be exactly what you are looking for. I set the verbosity level to 4 and ran the job. This is what I get from module_stderr on the step that fails during execution.

Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1663930544.3437607-28-20356344217603/AnsiballZ_azure_rm_virtualmachine.py", line 107, in <module>
    _ansiballz_main()
  File "/root/.ansible/tmp/ansible-tmp-1663930544.3437607-28-20356344217603/AnsiballZ_azure_rm_virtualmachine.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/root/.ansible/tmp/ansible-tmp-1663930544.3437607-28-20356344217603/AnsiballZ_azure_rm_virtualmachine.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.azure.azcollection.plugins.modules.azure_rm_virtualmachine', init_globals=dict(_module_fqn='ansible_collections.azure.azcollection.plugins.modules.azure_rm_virtualmachine', _modlib_path=modlib_path),
  File "/usr/lib64/python3.8/runpy.py", line 207, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.8/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib64/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_azure.azcollection.azure_rm_virtualmachine_payload_k1zz16r2/ansible_azure.azcollection.azure_rm_virtualmachine_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_virtualmachine.py", line 2344, in <module>
  File "/tmp/ansible_azure.azcollection.azure_rm_virtualmachine_payload_k1zz16r2/ansible_azure.azcollection.azure_rm_virtualmachine_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_virtualmachine.py", line 2340, in main
  File "/tmp/ansible_azure.azcollection.azure_rm_virtualmachine_payload_k1zz16r2/ansible_azure.azcollection.azure_rm_virtualmachine_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_virtualmachine.py", line 963, in __init__
  File "/tmp/ansible_azure.azcollection.azure_rm_virtualmachine_payload_k1zz16r2/ansible_azure.azcollection.azure_rm_virtualmachine_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py", line 469, in __init__
  File "/tmp/ansible_azure.azcollection.azure_rm_virtualmachine_payload_k1zz16r2/ansible_azure.azcollection.azure_rm_virtualmachine_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_virtualmachine.py", line 1114, in exec_module
  File "/usr/local/lib/python3.8/site-packages/azure/core/tracing/decorator.py", line 78, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/azure/mgmt/compute/v2021_04_01/operations/_virtual_machines_operations.py", line 1506, in get
    map_error(status_code=response.status_code, response=response, error_map=error_map)
  File "/usr/local/lib/python3.8/site-packages/azure/core/exceptions.py", line 107, in map_error
    raise error
azure.core.exceptions.ClientAuthenticationError: (InvalidAuthenticationTokenAudience) The access token has been obtained for wrong audience or resource 'https://management.azure.com'. It should exactly match with one of the allowed audiences 'https://management.core.usgovcloudapi.net/','https://management.core.usgovcloudapi.net','https://management.usgovcloudapi.net/','https://management.usgovcloudapi.net'.
Code: InvalidAuthenticationTokenAudience
Message: The access token has been obtained for wrong audience or resource 'https://management.azure.com'. It should exactly match with one of the allowed audiences 'https://management.core.usgovcloudapi.net/','https://management.core.usgovcloudapi.net','https://management.usgovcloudapi.net/','https://management.usgovcloudapi.net'.

dc-chris-smith, Sep 23 '22 11:09
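The traceback above shows the module calling US Government ARM with a token minted for public-cloud ARM: the aud claim is https://management.azure.com, and ARM rejects anything that does not exactly match one of the four usgovcloudapi.net audiences. The following is an added example for checking that locally, not code from this issue or from the azure.azcollection project. It decodes the aud claim of a token you already hold (no signature verification, so it is an inspection aid, never an acceptance check) and compares it with the audiences the error message lists. The AzureUSGovernment audience list is copied from the error text; the AzureCloud entry is the audience the rejected token carried; the "/.default" scope form, the ARM_RESOURCE table and the constructed alg=none test tokens are assumptions added for illustration.

```python
import base64
import json

# Audiences ARM accepts, keyed by the module's cloud_environment value.
# AzureUSGovernment: the four values in the InvalidAuthenticationTokenAudience
# message in this issue. AzureCloud: the audience the rejected token was minted for.
ARM_AUDIENCES = {
    "AzureCloud": {"https://management.azure.com"},
    "AzureUSGovernment": {
        "https://management.core.usgovcloudapi.net/",
        "https://management.core.usgovcloudapi.net",
        "https://management.usgovcloudapi.net/",
        "https://management.usgovcloudapi.net",
    },
}

# Assumption: the ARM resource a client should request a token for, per cloud.
ARM_RESOURCE = {
    "AzureCloud": "https://management.azure.com",
    "AzureUSGovernment": "https://management.usgovcloudapi.net",
}


def expected_arm_scope(cloud_environment: str) -> str:
    """Scope to request so that ARM in cloud_environment accepts the token.
    Assumption: the usual '<resource>/.default' scope form."""
    return ARM_RESOURCE[cloud_environment] + "/.default"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_audience(jwt: str) -> str:
    """Return the 'aud' claim of a compact JWT WITHOUT verifying the signature.
    Use it only to see what a token you obtained was minted for; it must not be
    used to accept a token presented by someone else."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud")
    if not isinstance(aud, str):
        raise ValueError("aud claim missing or not a single string")
    return aud


def audience_matches_cloud(jwt: str, cloud_environment: str) -> bool:
    """True if the token's audience is one ARM in cloud_environment would accept.
    Exact match apart from an optional trailing slash, mirroring the slash and
    no-slash pairs ARM lists in the error."""
    aud = token_audience(jwt).rstrip("/")
    allowed = {a.rstrip("/") for a in ARM_AUDIENCES[cloud_environment]}
    return aud in allowed


def explain_mismatch(jwt: str, cloud_environment: str) -> str:
    """One-line diagnosis suitable for a debug task in a playbook."""
    aud = token_audience(jwt)
    if audience_matches_cloud(jwt, cloud_environment):
        return f"ok: audience {aud} is valid for {cloud_environment}"
    return (f"wrong audience {aud}: request scope "
            f"{expected_arm_scope(cloud_environment)} from the "
            f"{cloud_environment} authority instead")


def make_unsigned_token(claims: dict) -> str:
    """Constructed alg=none token for offline testing only.
    Real Azure AD access tokens are signed (RS256) and must not be built this way."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Reproduce the symptom: a public-cloud token presented to US Government ARM.
    public_token = make_unsigned_token({"aud": "https://management.azure.com"})
    print(explain_mismatch(public_token, "AzureUSGovernment"))
    # The token US Government ARM would accept.
    gov_token = make_unsigned_token({"aud": "https://management.usgovcloudapi.net/"})
    print(explain_mismatch(gov_token, "AzureUSGovernment"))
```

When debugging a failing task, capture the bearer token the module (or az cli) actually sends and pass it to explain_mismatch with the playbook's cloud_environment; if it reports the public-cloud audience, the token request is going to the public authority or asking for the public ARM scope, regardless of what cloud_environment says. Treat the captured token as a live credential: inspect it locally and do not paste it into an issue.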

Perhaps it was resolved with this? It looks like it's merged in, but the latest release does not seem to capture that.

https://github.com/ansible-collections/azure/pull/854

atsai1220, Oct 05 '22 20:10

@atsai1220 Sorry for not releasing the new version recently, we will release it as soon as possible after the holiday. It will contain the new change! Thank you very much!

Fred-sun, Oct 06 '22 00:10

I am also seeing this same error when attempting to get subnet information on AzureUSGovernment with the azure_rm_subnet_info module. My tenant, secret, cloud_environment, etc. are all set up in the same fashion as the original poster. Will this change resolve this error as well? Is there an ETA for when the new version that contains these changes will come out?

kristinaEliz, Oct 12 '22 19:10

I believe this has been merged and released now. Can anyone verify whether this is still an issue or whether it is resolved?

Thanks

p3ck, Mar 20 '24 16:03

@p3ck Maybe it should have been fixed in #1299, can you update to the latest version and try again? Thank you!

Fred-sun, Mar 21 '24 06:03