Entra application uses description rather than name of SHM #2242

Closed
5 tasks done
craddm opened this issue Oct 18, 2024 · 0 comments · Fixed by #2243
Assignees
Labels
bug Problem when deploying a Data Safe Haven.

Comments

craddm commented Oct 18, 2024

✅ Checklist

  • I have searched open and closed issues for duplicates.
  • This is a problem observed when deploying a Data Safe Haven.
  • I can reproduce this with the latest version.
  • I have read through the documentation.
  • This isn't an open-ended question (open a discussion if it is).

💻 System information

  • Operating System: Debian Bookworm
  • Data Safe Haven version: develop

📦 Packages

List of packages
Paste list of packages here

🚫 Describe the problem

When deploying the SHM, an Entra application is created. The name of that application uses the description field of the context, rather than the name. This means if somebody (e.g. somebody other than the original creator) tries to redeploy the SHM but doesn't match the description precisely, it creates a new application. Subsequently deploying an SRE fails (with a long and horrifying Python event loop is closed error) which seems to be because there's a mismatch between the expected client secret and the credentials of the new application (see below).

The application could be avoided by using the name of the SHM/context. Otherwise, Entra apps might proliferate if different admins describe contexts differently.

🌳 Log messages

Relevant log messages

In this image, two of the applications - gitea testing and stuff - are from the same SHM, but with different descriptions in the context.

[image: Entra application list showing two applications for the same SHM]

    azuread:index:Group sre_entra_group_privileged_user_group_name  error: 1 error occurred:
    azuread:index:Group sre_entra_group_privileged_user_group_name **failed** 1 error
    Diagnostics:
      azuread:index:Group (sre_entra_group_privileged_user_group_name):
        error: 1 error occurred:
            * building client: unable to obtain access token: clientCredentialsToken: received HTTP status 401 with response:
    {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '2b4bed0c-1c4d-4b3a-b18a-078a8ac337a5'. Trace ID: e72597b3-e195-4d06-8432-ecba191e3100 Correlation ID: 48dad7cd-a0e2-4b74-971f-08d060d312c1 Timestamp: 2024-10-18 10:52:07Z","error_codes":[7000215],"timestamp":"2024-10-18 10:52:07Z","trace_id":"e72597b3-e195-4d06-8432-ecba191e3100","correlation_id":"48dad7cd-a0e2-4b74-971f-08d060d312c1","error_uri":"https://login.microsoftonline.com/error?code=7000215"}

♻️ To reproduce

Deploy an SHM, then update the context with a new description, redeploy it, and try to deploy an SRE.
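The failure chain in this report, modelled as a constructed Python example (added here, not Data Safe Haven code): an Entra directory that gets-or-creates an application by display name, a buggy name derived from the context description beside one derived from the context name, and a redeploy by a second admin with a different description. It assumes the client secret is written to the SHM's secret store only when the application is first created, while the application id follows whichever app the latest deploy resolved to.

```python
"""Constructed model of the naming bug: redeploying with a different
description creates a second Entra app, so the stored secret no longer
matches the app the SRE deployment authenticates against."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Context:
    name: str          # SHM name, stable across admins
    description: str   # free text, varies between admins


@dataclass
class EntraDirectory:
    # display_name -> (application id, client secret); both are made up here
    apps: dict = field(default_factory=dict)

    def get_or_create(self, display_name: str):
        if display_name not in self.apps:
            app_id = f"app-{len(self.apps) + 1:04d}"
            self.apps[display_name] = (app_id, secrets.token_hex(8))
        return self.apps[display_name]

    def authenticate(self, app_id: str, client_secret: str) -> bool:
        return any(a == app_id and s == client_secret for a, s in self.apps.values())


def buggy_app_name(ctx: Context) -> str:   # what the report describes
    return f"Data Safe Haven ({ctx.description})"


def fixed_app_name(ctx: Context) -> str:   # what the report proposes
    return f"Data Safe Haven ({ctx.name})"


def deploy_shm(directory: EntraDirectory, ctx: Context, name_fn, vault: dict) -> str:
    app_id, secret = directory.get_or_create(name_fn(ctx))
    vault.setdefault("client_secret", secret)  # assumed: written once, on creation
    vault["app_id"] = app_id                   # assumed: follows the latest deploy
    return app_id


def deploy_sre(directory: EntraDirectory, vault: dict) -> bool:
    """The SRE authenticates with the stored app id and secret (AADSTS7000215 when they disagree)."""
    return directory.authenticate(vault["app_id"], vault["client_secret"])


def simulate(name_fn) -> tuple:
    """Return (SRE auth succeeded, number of Entra apps) after a redeploy with a new description."""
    directory, vault = EntraDirectory(), {}
    deploy_shm(directory, Context("shm-prod", "gitea testing"), name_fn, vault)
    deploy_shm(directory, Context("shm-prod", "stuff"), name_fn, vault)  # another admin
    return deploy_sre(directory, vault), len(directory.apps)
```

With `buggy_app_name` the second deploy creates a second app and the SRE login fails; with `fixed_app_name` the same app is reused and the stored secret still works.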

@craddm craddm added the bug Problem when deploying a Data Safe Haven. label Oct 18, 2024
@craddm craddm self-assigned this Oct 18, 2024
@craddm craddm closed this as completed Oct 21, 2024