azure_keyvault_secret lookup does not work with USGovCloud #1200

Closed
merillr opened this issue Jun 27, 2023 · 3 comments · Fixed by #1517
Labels: bug, has_pr, medium_priority

Comments

merillr commented Jun 27, 2023

SUMMARY

The azure_keyvault_secret lookup does not work with USGovCloud, presumably because the resource url is hard-coded to https://vault.azure.net.

'resource': 'https://vault.azure.net'

After manually modifying this to https://vault.usgovcloudapi.net, my lookup works.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

azure_keyvault_secret

ANSIBLE VERSION
ansible [core 2.14.2]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/net_home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /net_home/ansible/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.2 (main, Jun  6 2023, 07:39:01) [GCC 8.5.0 20210514 (Red Hat 8.5.0-18)] (/usr/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
# /net_home/ansible/.ansible/collections/ansible_collections
Collection         Version
------------------ -------
azure.azcollection 1.16.0


CONFIGURATION
CONFIG_FILE() = /etc/ansible/ansible.cfg
OS / ENVIRONMENT

RHEL8 VM in Azure USGovCloud (USGovVirginia)

STEPS TO REPRODUCE
    - name: Look up secret when ansible host is MSI enabled Azure VM
      debug:
        msg: "the value of this secret is {{
            lookup(
              'azure.azcollection.azure_keyvault_secret',
              'mysecret',
              vault_url='https://<vaultname>.vault.usgovcloudapi.net'
            )
            }}"
EXPECTED RESULTS
ok: [localhost] =>
  msg: the value of this secret is myvalue
ACTUAL RESULTS
fatal: [localhost]: FAILED! =>
  msg: 'An unhandled exception occurred while running the lookup plugin ''azure.azcollection.azure_keyvault_secret''. Error was a <class ''ansible.errors.AnsibleError''>, original message: Failed to fetch secret mysecret.. Failed to fetch secret mysecret.'

@arsovski-ahnl

I have this issue myself, did you manage to resolve it?

merillr commented Oct 6, 2023

The only workaround I have is to modify the hardcoded value. I set this to https://vault.usgovcloudapi.net

'resource': 'https://vault.azure.net'

@Fred-sun
Collaborator

@merillr Add the parameter cloud_type in PR #1517 to specify which cloud we are working in. Thank you!

@Fred-sun Fred-sun added bug Something isn't working has_pr PR fixes have been made medium_priority Medium priority labels Mar 27, 2024
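
The failure reported in this issue is a managed-identity token requested for an audience that does not match the cloud hosting the vault. As an added example (not the collection's code, and not the `cloud_type` approach of PR #1517), the code below derives the token `resource` from the vault URL's DNS suffix and refuses hosts outside a known-suffix table; the function names, the two-entry suffix table and the IMDS `api-version` value are assumptions of this example.

```python
from urllib.parse import urlsplit

# Key Vault DNS suffix -> token audience ("resource") for that cloud.
# Only the two clouds named in this issue are listed; extend for others.
KEYVAULT_AUDIENCES = {
    "vault.azure.net": "https://vault.azure.net",
    "vault.usgovcloudapi.net": "https://vault.usgovcloudapi.net",
}

# Azure Instance Metadata Service endpoint for managed identity tokens.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def keyvault_resource_for(vault_url):
    """Return the token audience for the cloud that hosts vault_url."""
    parts = urlsplit(vault_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("vault_url must be an https URL: %r" % vault_url)
    host = parts.hostname.lower().rstrip(".")
    for suffix, audience in KEYVAULT_AUDIENCES.items():
        # Match on a label boundary and require a vault name in front,
        # so "xvault.azure.net" and ".vault.azure.net" are rejected.
        if host.endswith("." + suffix) and host != "." + suffix:
            return audience
    # Unknown suffix: fail closed instead of falling back to the public
    # cloud audience, which is what produced "Failed to fetch secret".
    raise ValueError("unrecognised Key Vault DNS suffix: %r" % host)


def msi_token_request(vault_url):
    """Build (url, headers, params) for the IMDS token request.

    Nothing is sent; the caller passes these to its HTTP client.
    """
    params = {
        "api-version": "2018-02-01",  # assumed IMDS API version
        "resource": keyvault_resource_for(vault_url),
    }
    return IMDS_TOKEN_URL, {"Metadata": "true"}, params
```
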