Problems using OIDC: "building client: unable to obtain access token: githubAssertion" #820

Closed
sigurdfalk opened this issue Jun 10, 2022 · 3 comments · Fixed by #822

Comments

@sigurdfalk

sigurdfalk commented Jun 10, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform: 1.2.2
AzureAD provider: 2.23.0

Terraform Configuration Files

terraform {
  required_version = ">= 1.2"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.10.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.23.0"
    }
  }

  backend "azurerm" {
    resource_group_name  = "xxx"
    storage_account_name = "xxx"
    container_name       = "xxx"
    key                  = "xxx"
    subscription_id      = "xxx"
  }
}

provider "azurerm" {
  features {}
}

Expected Behavior

AzureAD Provider should be able to access Azure with OIDC

Actual Behavior

The provider produces the following output in GitHub Actions:

╷
│Error: Invalid provider configuration
│
│Provider "registry.terraform.io/hashicorp/azuread" requires explicit
│configuration. Add a provider block to the root module and configure the
│provider's required arguments as described in the provider documentation.
│
╵
╷
│Error: building client: unable to obtain access token: githubAssertion: cannot request token: Get "***": unsupported protocol scheme ""
│
│  with provider["registry.terraform.io/hashicorp/azuread"],
│  on <empty> line 0:
│  (source code not available)
│
╵
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.

Steps to Reproduce

We use a GitHub Actions reusable workflow that looks like this:

on:
  workflow_call:
    inputs:
      working_directory:
        required: true
        type: string
      tf_log_level:
        default: ''
        required: false
        type: string
      tf_version:
        default: latest
        required: false
        type: string
      tf_wrapper:
        default: true
        required: false
        type: boolean
    secrets:
      azure_tenant_id:
        required: true
      azure_subscription_id:
        required: true
      azure_client_id:
        required: true
      terraform_init_args:
        required: false
      terraform_plan_args:
        required: false

env:
  ARM_TENANT_ID: ${{ secrets.azure_tenant_id }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.azure_subscription_id }}
  ARM_CLIENT_ID: ${{ secrets.azure_client_id }}
  ARM_USE_OIDC: true
  TF_LOG: ${{ inputs.tf_log_level }}

permissions:
  id-token: write
  actions: read
  contents: read
  security-events: write

jobs:
  plan:
    name: Plan
    runs-on:
      - self-hosted
      - iac
    environment: test

    steps:
      - name: Git checkout
        uses: actions/checkout@v2

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1
        with:
          terraform_version: ${{ inputs.tf_version }}
          terraform_wrapper: ${{ inputs.tf_wrapper }}

      - name: Terraform Init
        id: init
        working-directory: ${{ inputs.working_directory }}
        env:
          TF_CLI_ARGS_init: ${{ secrets.terraform_init_args }}
        run: |
          terraform init

      - name: Terraform Validate
        id: validate
        working-directory: ${{ inputs.working_directory }}
        run: terraform validate

      - name: Terraform Plan
        id: plan
        working-directory: ${{ inputs.working_directory }}
        env:
          TF_CLI_ARGS_plan: ${{ secrets.terraform_plan_args }}
        run: terraform plan -out=tfplan-${{ github.sha }} -input=false

      - name: Upload generated plan file
        uses: actions/upload-artifact@v2
        with:
          name: tfplan
          path: ${{ inputs.working_directory }}/tfplan-${{ github.sha }}

  apply:
    name: Apply
    needs:
      - plan
    runs-on:
      - self-hosted
      - iac
    environment: test

    steps:
      - name: Git checkout
        uses: actions/checkout@v2

      - name: Download generated plan file
        uses: actions/download-artifact@v2
        with:
          name: tfplan
          path: ${{ inputs.working_directory }}

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1
        with:
          terraform_version: ${{ inputs.tf_version }}

      - name: Terraform Init
        id: init
        working-directory: ${{ inputs.working_directory }}
        env:
          TF_CLI_ARGS_init: ${{ secrets.terraform_init_args }}
        run: |
          terraform init

      - name: Terraform Apply
        id: apply
        working-directory: ${{ inputs.working_directory }}
        run: terraform apply tfplan-${{ github.sha }}

Important Factoids

Using OIDC with the AzureRM Provider is working just fine.

Tried adding an empty provider block like this:

provider "azuread" {}

That removes the error saying "Provider requires explicit configuration", but not the one for "unable to obtain access token".

Also tried adding:

provider "azuread" {
  features {}
}

Then the workflow fails at terraform validation saying the "features" block is not expected.
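For readers who want to see what the provider is doing when ARM_USE_OIDC is set, here is the two-leg exchange written out in Go. This is an added example, not code from this issue or from the hashicorp/terraform-provider-azuread project: it first asks the GitHub Actions token service (ACTIONS_ID_TOKEN_REQUEST_URL, authenticated with ACTIONS_ID_TOKEN_REQUEST_TOKEN) for an ID token with the audience api://AzureADTokenExchange, then presents that token as a client assertion on a client_credentials grant at the tenant's Entra ID token endpoint. The `unsupported protocol scheme ""` text in the error above is what Go's net/http returns when it is handed a URL with no scheme, such as an empty string, so the example checks for an empty request URL before making any request and names the variable that is missing. The GraphScope constant is my note that the azuread provider talks to Microsoft Graph, whereas azurerm requests the ARM scope; the endpoint paths, client id and token values used when running it are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// Audience Entra ID (Azure AD) expects in a GitHub OIDC token used as a federated client assertion.
const DefaultAudience = "api://AzureADTokenExchange"

// Scope the azuread provider needs (it calls Microsoft Graph); azurerm asks for
// https://management.azure.com/.default instead.
const GraphScope = "https://graph.microsoft.com/.default"

// GitHubOIDCEnv holds the two values GitHub Actions injects into a job that has
// `permissions: id-token: write` (ACTIONS_ID_TOKEN_REQUEST_URL and _TOKEN).
type GitHubOIDCEnv struct {
	RequestURL   string
	RequestToken string
}

// FetchGitHubAssertion asks the Actions token service for an ID token for `audience`.
// An empty request URL is rejected up front with a message naming the missing variable;
// handed straight to net/http it would surface as `Get "": unsupported protocol scheme ""`.
func FetchGitHubAssertion(client *http.Client, env GitHubOIDCEnv, audience string) (string, error) {
	if env.RequestURL == "" || env.RequestToken == "" {
		return "", fmt.Errorf("githubAssertion: ACTIONS_ID_TOKEN_REQUEST_URL or ACTIONS_ID_TOKEN_REQUEST_TOKEN is empty; grant the job `id-token: write`")
	}
	u, err := url.Parse(env.RequestURL)
	if err != nil {
		return "", fmt.Errorf("githubAssertion: parsing request url: %w", err)
	}
	if u.Scheme != "https" { // the request token is a bearer credential; never send it in clear
		return "", fmt.Errorf("githubAssertion: refusing scheme %q for the token request", u.Scheme)
	}
	q := u.Query() // GitHub's URL already carries ?api-version=...; add the audience to it
	q.Set("audience", audience)
	u.RawQuery = q.Encode()
	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "bearer "+env.RequestToken)
	resp, err := client.Do(req)
	if err != nil {
		return "", fmt.Errorf("githubAssertion: cannot request token: %w", err)
	}
	return readTokenField(resp, "value")
}

// ExchangeAssertion presents the GitHub ID token as a client assertion on a client_credentials
// grant at https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token; the federated
// credential on the app registration is what lets Entra ID accept it instead of a secret.
func ExchangeAssertion(client *http.Client, tokenEndpoint, clientID, assertion, scope string) (string, error) {
	form := url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {clientID},
		"scope":                 {scope},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
	}
	resp, err := client.Post(tokenEndpoint, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return "", fmt.Errorf("token exchange: %w", err)
	}
	return readTokenField(resp, "access_token")
}

// readTokenField checks the status and pulls one non-empty string field out of a JSON body.
func readTokenField(resp *http.Response, field string) (string, error) {
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("endpoint returned %d: %s", resp.StatusCode, body)
	}
	var out map[string]any
	if err := json.Unmarshal(body, &out); err != nil {
		return "", fmt.Errorf("decoding response: %w", err)
	}
	v, _ := out[field].(string)
	if v == "" {
		return "", fmt.Errorf("response carried no %q", field)
	}
	return v, nil
}

// AcquireAzureToken runs both legs: GitHub assertion first, then the Entra ID exchange.
func AcquireAzureToken(client *http.Client, env GitHubOIDCEnv, tokenEndpoint, clientID, scope string) (string, error) {
	assertion, err := FetchGitHubAssertion(client, env, DefaultAudience)
	if err != nil {
		return "", err
	}
	return ExchangeAssertion(client, tokenEndpoint, clientID, assertion, scope)
}
```

In a job you would fill GitHubOIDCEnv from the two ACTIONS_ID_TOKEN_REQUEST_* variables, build the endpoint from ARM_TENANT_ID and pass ARM_CLIENT_ID as the client id, which mirrors the variables the workflow above exports. Two things are worth checking when the first leg fails: that the job (not just the workflow) actually has `id-token: write`, since reusable workflows inherit permissions from the caller, and that nothing in the runner environment strips the ACTIONS_ID_TOKEN_REQUEST_URL variable before Terraform starts, which is easy to confirm with a step that tests the variable is non-empty.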

@etiennetremel

@SudoSpartanDan since you worked on both implementations for azuread (#805) and azurerm (hashicorp/terraform-provider-azurerm#16555), would you know what could be wrong in this config? azurerm does work as expected for me.

@github-actions

This functionality has been released in v2.24.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 22, 2022