-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Azure CLI: refreshing the token fails #22
Comments
FWIW this is reliably reproducible when building VM Scale Sets. It fails a few seconds past the 58m31s mark every time I run the plan I'm currently working on.
|
Happening to me as well every time I create a VM with attached disks Is there a provided version downgrade that could help? Currently using 1.22 |
I get this error while trying to create an AKS cluster using azurerm_kubernetes_cluster. |
I get this error while trying to add an azure virtual machine extension for my VMs. I am adding the Microsoft's Azure Active Directory Linux SSH to allow users on the azure portal to access the VMs I create with Terraform. Details of the extension are:- resource "azurerm_virtual_machine_extension" "AADLogin" {
...
publisher = "Microsoft.Azure.ActiveDirectory.LinuxSSH"
type = "AADLoginForLinux"
type_handler_version = "1.0"
} Versions: Terraform: v0.11.11 |
Thanks very much for the release of 0.5.0 provider has some useful feature for stack. However, im getting this issue when running terraform plan against 1811 release of stack, the stack will be updated but i dont think thats the problem. terraform validate passes - ok. terraform - v0.11.13 Error
This is stopping us using terraform all together. |
Update to above i have tried all methods of authentication now, terraform validate passes - ok. terraform - v0.11.13 Error
This is stopping us using terraform all together. Using the Azure CLI by itself works, but it cant seem to integrate with terrafom. so sounds like an underlying library problem for the token service. |
I'm running into this issue as well, during both provisioning and destruction. Retrying the operation usually works, but it is troublesome. |
Also seeing this problem with Virtual Network Gateway creation after 50 minutes or so:
@tombuildsstuff - I know you guys are super busy and we are totally appreciative of the hard work, but any chance there is an ETA on when this will be resolved? |
I'm getting this error:
When trying to create an AKS cluster using azurerm_kubernetes_cluster. Terraform v0.11.7 provider.azurerm v1.20 and v1.24. This is using a service principal which works perfectly via the azure cli. |
managed to modify the azure adal library to resolve my issue, it is using the tenantid in the request for a token, but with adfs you need to replace the tenantid with "adfs" to hit the correct endpoint |
@obikay200 oh interesting, is that just for ADFS/disconnected Azure Stack? |
@CptQuint unfortunately Terraform doesn't support using a Service Principal with the Azure CLI - you can either use the Azure CLI as a user or the Service Principal via credentials (either specified as Environment Variables/in-line) - but unfortunately the Azure CLI doesn't expose all of the information we need when using a Service Principal. |
yeah it seem so because i presume you developed against an SDK stack that does have AD. disconnected only has ADFS, so the underlying adal azure library had to be changed to not provide the tenantid in the request. unless microsoft decide to change the stack api of course.. which is a possiblity! so i was thinking maybe you guys could have another label in the provider block that defines ADFS true or false maybe that could call a different function in adal during the authentication, or something similar that you know of a better way.. or connected / disconnected |
Sorry, yes this is what I'm doing. I'm passing service provider credentials via a .tfvars file (one per workspace), I just meant these credentials work fine via the azure CLI. This setup had been working perfectly the last time I used it around December time. |
This comment has been minimized.
This comment has been minimized.
Is this a bug in the upstream go-autorest library? They throw this error if the type matches ServicePrincipalNoSecret, but they pass the ServicePrincipalNoSecret type when setting up the credential: https://github.com/Azure/go-autorest/blob/da8db3a19ec5aba5d01f6032407abf1bb1cc15d3/autorest/adal/token.go#L465 maybe the check should be whether refresh_token is actually present, instead of whether the type is ServicePrincipalNoSecret? |
I had the same problem. A workaround which fix my problem was to relogin with the cli:
|
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
So here's the spot in the upstream repo where that exact error message is coming from: https://github.com/Azure/go-autorest/blob/2913f263500c4a5b23dada1b46ccd22ac972315f/autorest/adal/token.go#L173
I opened an issue in the upstream go-autorest repo asking whether this is a bug on their side, since contrary to the error message, there is a refresh token available to retrieve a new access token. In the meantime: I looked at how go-autorest authenticates with cli credentials, and it's very similar except they skip the step of creating a ServicePrincipalToken from the adalToken. Since this error seems to come from the code brought in by NewServicePrincipalTokenFromManualToken (and from there, ServicePrincipalNoSecret) maybe dropping that NewServicePrincipalToken[...] step would work as a fix to this issue. Here's a link to the similar cli auth helper in go-autorest: I'm not sure if there's code to auto refresh the token outside of the ServicePrincipalToken flow though, so maybe that's why this extra step was introduced to terraform? If that's the case, maybe there's a way to override the token type or the callback to avoid that code path in go-autorest, but still get the benefits of auto refreshing tokens? |
One of the go-autorest devs responded and pointed out that terraform isn't receiving the refreshToken when looking up the accessToken via the Maybe the fix here is to look up the refreshToken after obtaining the accessToken, and make sure that gets set in the token before creating the ServicePrincipalToken? |
Any update on this? Seeing the same issue with an AKS deployment |
Also getting this on long running operations like creating/deleting AKS cluster: |
I think at this point we just need someone to write up code to read the refreshToken from |
@mikhailshilkov #39 looks good to me. Might need @tombuildsstuff to take a look at it too ^ |
I am not sure how this repo works. But why is this issue closed?.. getting the issue for long running modules like APIM and WAF. Any advise how to resolve? |
btw, this looks fixed: hashicorp/terraform-provider-azurerm#2602 (comment) |
@tenseiga I was having the same issue until I upgraded all of the providers I was using that do anything with Azure (in my case azurerm and azuread). It's up to the consuming plugins such as azurerm to upgrade the helpers library that they depend on. The issue has been fixed in this repo and so this issue is closed, but other issues elsewhere may be closed as well or still open. I believe that version 1.37.0 of azurerm includes the fixes which closed this issue, so perhaps give that provider version a try and see whether it solves the token refresh issue. |
We upgraded to 1.44.0 version of azurerm and now I'm seeing this problem first time. Anyone else experiencing this? this is what I have now:
|
Same for me. |
I figured out what was the cause in my case:
|
Same problem when I try to create a databricks cluster.
Environment:
|
before going too deep in a rabbit hole. do this |
This is not something I would be doing with using Azure DevOps YAML pipelines, so there has to be more to this. I'm getting this creating a Resource Group. |
Locking since this issue is 2.5 years old - but feel free to ask questions in the Community Discuss forum where someone should be able to take a look. Thanks! |
Community Note
Porting this over from hashicorp/terraform-provider-azurerm#2602 where it was originally reported by @btai24 and @torumakabe:
The text was updated successfully, but these errors were encountered: