
azure_keyvault_secret lookup might be broken #1777

Open
pat-s opened this issue Dec 4, 2024 · 5 comments
Labels
medium_priority Medium priority question Further information is requested work in In trying to solve, or in working with contributors

Comments

@pat-s

pat-s commented Dec 4, 2024

SUMMARY

lookup('azure.azcollection.azure_keyvault_secret') doesn't seem to work, no matter the auth method.

ISSUE TYPE
  • Bug Report
COMPONENT NAME
ANSIBLE VERSION
ansible [core 2.18.1]
COLLECTION VERSION
3.1.0
CONFIGURATION
OS / ENVIRONMENT
STEPS TO REPRODUCE

Tried to authenticate via az login, via explicit credentials (client_id, secret, tenant_id) or env vars. All fail, each of them with slightly different methods.

lookup('azure.azcollection.azure_keyvault_secret', 'secret', vault_url='<vault url>')

lookup('azure.azcollection.azure_keyvault_secret', 'secret', client_id='<client_id>',tenant_id='<tenant_id>',secret='<secret>',vault_url='<vault url>')

Yes, I can query secrets in the respective key vault and the credentials are correct.
I am Key vault admin and the credentials are used in other automation workflows.

EXPECTED RESULTS

Authentication works and secrets are returned.

ACTUAL RESULTS
# env var auth
FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'azure.azcollection.azure_keyvault_secret'. Error was a <class 'NameError'>, original message: name 'DefaultAzureCredential' is not defined. name 'DefaultAzureCredential' is not defined"}

# keyword auth
FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'azure.azcollection.azure_keyvault_secret'. Error was a <class 'NameError'>, original message: name 'ClientSecretCredential' is not defined. name 'ClientSecretCredential' is not defined"}
@Fred-sun Fred-sun added the work in In trying to solve, or in working with contributors label Dec 9, 2024
@kandrew5

kandrew5 commented Dec 9, 2024

I'm facing the same problem.

@olljanat
Contributor

FYI, I ended up in this issue because I had two versions of azure.azcollection installed and had installed the requirements from the old one.

You can easily check if that is the case in your environment with the command ansible-galaxy collection list

@pat-s
Author

pat-s commented Dec 20, 2024

So, what are the problematic downstream dependencies then which need to be updated? Didn't have a chance yet to test again but will do again soonish.

@Fred-sun
Collaborator

@pat-s @olljanat According to the error, 'DefaultAzureCredential' and 'ClientSecretCredential' were not imported successfully. Can you check whether 'azure-identity' is installed in your environment? Thank you very much!
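An added diagnostic, not code from the collection or from any commenter, that automates the two checks raised in the comments above: flagging a collection installed in more than one path (olljanat's `ansible-galaxy collection list` check) and testing whether azure-identity is importable by the interpreter Ansible runs with (Fred-sun's question). The listing below is constructed sample output; on a real host, feed it the actual command output.

```python
"""Diagnose the two causes raised in this thread: duplicate copies of
azure.azcollection and a missing azure-identity package (the source of the
NameError for DefaultAzureCredential / ClientSecretCredential)."""
import importlib.util
import re
from collections import defaultdict

# Constructed sample of `ansible-galaxy collection list` output mimicking the
# situation described above: one collection installed in two paths.
SAMPLE_LISTING = """\
# /home/user/.ansible/collections/ansible_collections
Collection          Version
------------------- -------
azure.azcollection  1.19.0

# /usr/share/ansible/collections/ansible_collections
Collection          Version
------------------- -------
azure.azcollection  3.1.0
community.general   9.4.0
"""

def parse_collection_listing(text):
    """Map collection name -> list of (install path, version)."""
    found = defaultdict(list)
    path = None
    for line in text.splitlines():
        if line.startswith("# "):          # each block starts with its path
            path = line[2:].strip()
            continue
        m = re.match(r"^([a-z0-9_]+\.[a-z0-9_]+)\s+(\S+)$", line)
        if m and path:
            found[m.group(1)].append((path, m.group(2)))
    return dict(found)

def duplicate_collections(text):
    """Names installed in more than one path; the requirements may then have
    been installed for the wrong copy, which is what olljanat hit."""
    return sorted(n for n, c in parse_collection_listing(text).items() if len(c) > 1)

def azure_identity_available():
    """True if azure-identity is importable here. Run this with the same
    interpreter Ansible uses; if False, the plugin's credential classes are
    never defined and the NameError quoted in the issue follows."""
    try:
        return importlib.util.find_spec("azure.identity") is not None
    except ModuleNotFoundError:        # the 'azure' namespace itself is absent
        return False
```

Pipe the real output in with `python3 -c 'import sys, diag; print(diag.duplicate_collections(sys.stdin.read()))'` or similar, using the interpreter that `ansible --version` reports.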

@Fred-sun Fred-sun added question Further information is requested medium_priority Medium priority labels Dec 23, 2024
@misterpoulet

I also hit this problem, and I think there's something wrong with how TOKEN_ACQUIRED is set.

I'm using a service principal, not MSI, and yet the lookup insists on using MSI authentication.

PLAY [test_az_keyvault] ********************************************************
Friday 10 January 2025  19:20:57 +0000 (0:00:00.020)       0:00:00.020 ******** 
exception during Jinja2 execution: Traceback (most recent call last):
  File "/usr/share/ansible/collections/ansible_collections/azure/azcollection/plugins/lookup/azure_keyvault_secret.py", line 212, in run
    ret.append(secret_res.json()["value"])
KeyError: 'value'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/ansible/template/__init__.py", line 865, in _lookup
    ran = instance.run(loop_terms, variables=self._available_variables, **kwargs)
  File "/usr/share/ansible/collections/ansible_collections/azure/azcollection/plugins/lookup/azure_keyvault_secret.py", line 214, in run
    raise AnsibleError('Failed to fetch secret ' + term + '.')
ansible.errors.AnsibleError: Failed to fetch secret mykey-key1.

TASK [Displaying the result of the keyvault_keys] ******************************
task path: /etc/ansible/tooling-ansible/test_az_keyvault.yml:23
fatal: [localhost]: FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'azure.azcollection.azure_keyvault_secret'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Failed to fetch secret mykey-key1.. Failed to fetch secret mykey-key1."
}

PLAY RECAP *********************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   
Friday 10 January 2025  19:20:58 +0000 (0:00:00.812)       0:00:00.832 ******** 
=============================================================================== 
Displaying the result of the keyvault_keys ------------------------------ 0.81s

I was able to solve this problem by specifying use_msi=false
