
Azure secrets engine role creation with existing service principal - terraform - Error 401 #156

Open
gonzalo-diaz-uria opened this issue Jul 11, 2023 · 0 comments

@gonzalo-diaz-uria

Good evening folks!
I have a problem when trying to enable this secrets engine and create a role using an already existing service principal.
I am creating a role using the Terraform Vault provider (vault_azure_secret_backend_role); the service principal which I'm using to configure the secret backend has the proper permissions, like Application.ReadWrite.All and the Group one.
When trying to create the role using this backend, I'm getting the following error.

This is the resource I'm using

resource "vault_azure_secret_backend_role" "azure_apps_roles" {
  namespace             = var.namespace
  backend               = var.azure_secrets_engine_path
  role                  = var.role_name
  # object ID of the existing application the role should hand out credentials for
  application_object_id = var.spn_object_id
  ttl                   = 300
  max_ttl               = 600
}

And this is the error I'm getting

* error loading Application: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://graph.microsoft.com/v1.0/applications/<existing-spn>: StatusCode=401 -- Original Error: adal: Refresh request failed. Status Code = '401'. Response body: {"error": "invalid_client", "error_description": "AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '<backend spn id>'.\r\nTrace ID: <backend spn id>\r\nCorrelation ID: 61e1a24c-b6a2-4869-a34c-25441e407135\r\nTimestamp: 2023-07-11 20:52:01Z", "error_codes": [7000215], "timestamp": "2023-07-11 20:52:01Z", "trace_id": "1e0a4e2d-e68e-4953-9c24-8f4c6a1d0100", "correlation_id": "61e1a24c-b6a2-4869-a34c-25441e407135", "error_uri": "https://login.microsoftonline.com/error?code=7000215"} Endpoint https://login.microsoftonline.com/<my tenant id>/oauth2/token?api-version=1.0

I already tested this with several client secrets for my "parent" service principal, and also tried it directly with the Vault CLI; same error.

I want to know if there is anything else I need to set up other than the permissions on the parent service principal.

Permission Name            Type
Application.ReadWrite.All  Application
Group.ReadWrite.All        Application

Role   Scope         Security Principal
Owner  Subscription  Service Principal ID given in configuration

My Vault version is 1.13.0
My TF vault provider version is 3.12.0

Any help will be greatly appreciated!
Thanks!
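The AADSTS7000215 text in the error above says what to check first: the credential handed to the backend must be the client secret value, not the secret's ID (which Azure shows as a GUID next to it). Below is an added pre-flight check, not the poster's code and not part of the Vault provider, that takes the same tenant_id / client_id / client_secret values given to the Azure secrets backend config, refuses a GUID-shaped secret outright, and otherwise performs the same client-credentials token request against the v1.0 endpoint the error reports so the credential can be validated before Vault is involved. The function names, the sample GUIDs and the sample error body are the author's own constructions.

```python
"""Pre-flight check for the 'invalid client secret' symptom (AADSTS7000215).

Added example; not the issue poster's code and not the Vault provider's.
Function names and sample values below are constructed for illustration.
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Azure AD secret IDs are GUIDs; secret *values* are opaque strings and never match this.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def looks_like_secret_id(client_secret: str) -> bool:
    """True when the configured secret is GUID-shaped, i.e. the secret ID was copied instead of its value."""
    return bool(GUID_RE.match(client_secret.strip()))


def build_token_request(tenant_id: str, client_id: str, client_secret: str,
                        resource: str = "https://graph.microsoft.com"):
    """Form-encode a client_credentials grant for the same v1.0 endpoint quoted in the error
    (.../oauth2/token?api-version=1.0). Returns (url, body) without sending anything."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token?api-version=1.0"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode()
    return url, body


def classify_token_error(response_body: str) -> str:
    """Turn the JSON error body AAD returns into a short diagnosis."""
    try:
        err = json.loads(response_body)
    except json.JSONDecodeError:
        return "non-JSON response from token endpoint"
    if 7000215 in err.get("error_codes", []):
        return ("AADSTS7000215: wrong client secret; send the secret VALUE (not its ID) "
                "and confirm the secret has not expired or been deleted from the app")
    return f"{err.get('error', 'unknown')}: {err.get('error_description', '')[:120]}"


def _http_post(url: str, body: bytes):
    """Default transport: POST the form and return (status, text), treating 4xx as data, not an exception."""
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def preflight(tenant_id: str, client_id: str, client_secret: str, post=_http_post) -> str:
    """Validate the backend credential the way Vault will use it and return a one-line verdict.
    `post` is injectable so the check can be exercised offline."""
    if looks_like_secret_id(client_secret):
        return "client_secret is a GUID: this is the secret ID, not the secret value"
    url, body = build_token_request(tenant_id, client_id, client_secret)
    status, text = post(url, body)
    if status == 200 and "access_token" in json.loads(text):
        return "ok: Graph token issued; backend config credentials are valid"
    return classify_token_error(text)


# Constructed sample of the response body shape quoted in the issue, used for an offline run.
SAMPLE_401_BODY = json.dumps({
    "error": "invalid_client",
    "error_description": "AADSTS7000215: Invalid client secret provided.",
    "error_codes": [7000215],
})

if __name__ == "__main__":
    offline = lambda url, body: (401, SAMPLE_401_BODY)  # stand-in transport, no network
    print(preflight("<tenant-id>", "<client-id>", "3f2a8b1c-1111-2222-3333-444455556666"))
    print(preflight("<tenant-id>", "<client-id>", "not-a-guid-secret-value", post=offline))
```

Run it with the real values (and the default transport) from the host that runs Vault so any proxy or conditional-access difference shows up too; a 200 here with the same tenant/client/secret means the remaining problem is in how the backend was configured, not the credential.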
