Azure / azure-sdk-for-python

This repository is for active development of the Azure SDK for Python. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/python/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-python.

400 Client Error: Bad Request for url: https://management.azure.com/subscriptions/<subid>/resourceGroups/<rgName>/providers/Microsoft.ContainerService/managedClusters/<clusterName>/resetServicePrincipalProfile #9420

Closed mathieugravil closed 4 years ago

mathieugravil commented 4 years ago

To Reproduce Steps to reproduce the behavior:

  1. Create an AKS cluster with RBAC.
  2. I try to create a function to reset the key for the cluster SPN and the RBAC server:

```python
from azure.mgmt.containerservice import ContainerServiceClient
from azure.graphrbac import GraphRbacManagementClient
from az_k8s_operations import spn


def rotateKeysForK8sCluster(azure_credential, graph_credentials, TENANT_ID, subscription,
                            resource_group_name, cluster_name, nbDays):
    """ Rotate spn key of cluster and spn key for server rbac spn
        Update kv infra in rg
        Update service connection of linked azure devops project"""

    print("==Start of rotateKeysForK8sCluster")
    graphrbac_client = GraphRbacManagementClient(graph_credentials, TENANT_ID)
    K8sClient = ContainerServiceClient(azure_credential, subscription)
    cluster = K8sClient.managed_clusters.get(resource_group_name, cluster_name)
    print("Cluster: "+str(cluster.service_principal_profile))
    #listKeys = graphrbac_client.applications.list_password_credentials(spn.getObjectIdFromAppId(TENANT_ID,graph_credentials,cluster.service_principal_profile.client_id ))

    # Create a new password key on the cluster's service principal ...
    newKeyValueCluster = spn.update_password_key(
        graph_credentials, TENANT_ID,
        spn.getObjectIdFromAppId(TENANT_ID, graph_credentials, cluster.service_principal_profile.client_id),
        nbDays, 'Cluster', "create")
    print("We reset service principale of  K8s cluster")
    # ... and immediately hand it to the cluster.
    try:
        K8sClient.managed_clusters.reset_service_principal_profile(
            resource_group_name, cluster_name,
            cluster.service_principal_profile.client_id, secret=newKeyValueCluster)
        print("Reset sp of K8s : : OK")
    except Exception as e:
        print("WARNING: "+str(e))

    if cluster.aad_profile:
        # listKeys = graphrbac_client.applications.list_password_credentials(spn.getObjectIdFromAppId(TENANT_ID,graph_credentials,cluster.aad_profile.server_app_id ))
        # Same sequence for the AAD (RBAC) server application.
        newKeyValueServer = spn.update_password_key(
            graph_credentials, TENANT_ID,
            spn.getObjectIdFromAppId(TENANT_ID, graph_credentials, cluster.aad_profile.server_app_id),
            nbDays, 'rbacServer', "create")
        print("We reset aad profile of  K8s cluster")
        parameters = cluster.aad_profile
        parameters.server_app_secret = newKeyValueServer
        # Note: this prints the whole profile, including server_app_secret.
        print("RBAC_server: "+str(parameters))
        try:
            K8sClient.managed_clusters.reset_aad_profile(resource_group_name, cluster_name, parameters)
            print("Reset aad profile of K8s : : OK")
        except Exception as e:
            print("WARNING: "+str(e))

    print("==End of rotateKeysForK8sCluster")
```

My test function:

```python
from azure.common.credentials import ServicePrincipalCredentials
from azure.graphrbac import GraphRbacManagementClient
from az_k8s_operations import maintenance as mn
import credential

TENANT_ID = credential.TENANT_ID
CLIENT = credential.CLIENT
KEY = credential.KEY
subscription = '47ea923d-bbfb-4cae-a53b-6ae79b0d836f'
resource_group_name = 'RG-TOTAL-POC-WE-APIMGT'
cluster_name = 'APIMGT-POC-AKS'
nbDays = 110


def main():
    azure_credential = ServicePrincipalCredentials(
        client_id=CLIENT,
        secret=KEY,
        tenant=TENANT_ID
    )
    graph_credentials = ServicePrincipalCredentials(client_id=CLIENT, secret=KEY, tenant=TENANT_ID, resource='https://graph.windows.net')
    mn.rotateKeysForK8sCluster(azure_credential, graph_credentials, TENANT_ID, subscription, resource_group_name, cluster_name, nbDays)


if __name__ == "__main__":
    main()
```

And it failed:

```
(venv) 0a9650b3e32b:~/dev/Operations$ python tests/test_maintenance.py 
==Start of rotateKeysForK8sCluster
Cluster: {'additional_properties': {}, 'client_id': '7b64e0f5-dff9-4221-beac-44e1321b875e', 'secret': None}
we create Cluster20200113090103
We reset service principale of  K8s cluster
WARNING: 400 Client Error: Bad Request for url: https://management.azure.com/subscriptions/47ea923d-bbfb-4cae-a53b-6ae79b0d836f/resourceGroups/RG-TOTAL-POC-WE-APIMGT/providers/Microsoft.ContainerService/managedClusters/APIMGT-POC-AKS/resetServicePrincipalProfile?api-version=2019-11-01
we create rbacServer20200113090106
We reset aad profile of  K8s cluster
RBAC_server: {'additional_properties': {}, 'client_app_id': '5311ddeb-9e75-48b4-940b-759a972df3de', 'server_app_id': 'b0171926-039c-4ff4-b679-df3092778be8', 'server_app_secret': '#=fsdfsdfsdf', 'tenant_id': 'cc251925-4d3d-43c3-808e-774f6ff0366b'}
WARNING: 400 Client Error: Bad Request for url: https://management.azure.com/subscriptions/47ea923d-bbfb-4cae-a53b-6ae79b0d836f/resourceGroups/RG-TOTAL-POC-WE-APIMGT/providers/Microsoft.ContainerService/managedClusters/APIMGT-POC-AKS/resetAADProfile?api-version=2019-11-01
==End of rotateKeysForK8sCluster
```

Expected behavior I expect it to reset the SPN of the cluster and the AAD profile.

ghost commented 4 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/aks-pm

jluk commented 4 years ago

@sauryadas anyone who can look at this key rotation issue from python SDK?

sauryadas commented 4 years ago

@zikalino @andyzhangx would you guys know?

mathieugravil commented 4 years ago

@zikalino do you need more information on this issue?

andyzhangx commented 4 years ago

@mathieugravil have you tried the Azure CLI `az aks update-credentials --reset-service-principal ...`? Does it work?

And you could refer to this for your code: https://github.com/Azure/azure-cli/blob/master/src/azure-cli/azure/cli/command_modules/acs/custom.py#L1907

mathieugravil commented 4 years ago

@andyzhangx, I will try. I will keep you informed. Thanks

mathieugravil commented 4 years ago

Hello @andyzhangx Sorry for the delay. Please find the test result:

```
$ az --version
azure-cli                         2.0.76 *

command-modules-nspkg              2.0.3
core                              2.0.76 *
nspkg                              3.0.4
telemetry                          1.0.4

Python location '/usr/bin/python'
Extensions directory '/home/1V14713/.azure/cliextensions'

Python (Linux) 3.6.9 (default, Oct 17 2019, 11:10:22)
[GCC 8.3.0]

Legal docs and information: aka.ms/AzureCliLegal

You have 2 updates available. Consider updating your CLI installation.
$ az aks update-credentials -g rg-total-poc-we-apimgt -n APIMGT-POC-AKS --subscription "TOTAL DIVERS" --reset-service-principal --service-principal 7b64e0f5-dff9-4221-beac-44e1321b875e --client-secret 'LD6hpg7G7h@S9of=.:PkY@3BvDXkb@0h'
```

mathieugravil commented 4 years ago

@andyzhangx any ideas?

mathieugravil commented 4 years ago

@andyzhangx, I have made some complementary tests, and it seems that the trouble is linked to the secret value/type. This works:

```python
test = '2ZxeCDEHYddXAVtfyyLb9XEvTB1TwGeJ'
try:
    K8sClient.managed_clusters.reset_service_principal_profile(resource_group_name, cluster_name, cluster.service_principal_profile.client_id, test)
except Exception as e:
    print("WARNING: "+str(e))
```

but this does not:

```python
test = str(newKeyValueCluster)
try:
    K8sClient.managed_clusters.reset_service_principal_profile(resource_group_name, cluster_name, cluster.service_principal_profile.client_id, test)
except Exception as e:
    print("WARNING: "+str(e))
```

newKeyValueCluster is a string I have generated from a function... Any idea?

mathieugravil commented 4 years ago

Hello @andyzhangx ,

My colleague found where the trouble is!!! In fact, first I create a new password key and afterwards I use it to reset in the cluster. It seems that I need to wait some time between the 2 actions, otherwise it fails....
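
Following the finding in the last comment (a freshly created password key is rejected with a 400 if it is used for the reset too soon), here is one way to bound that wait instead of sleeping a fixed time. This is an added example, not code from the thread or from the Azure SDK: `reset_when_propagated`, `redact` and the fake client are hypothetical names, and it assumes the SDK error exposes the HTTP status as `.status_code`. `redact` also covers the `print` of the AAD profile in the issue, which wrote `server_app_secret` to the console.

```python
import time

SECRET_FIELDS = ("secret", "server_app_secret")  # field names seen in the issue's output


def redact(profile: dict) -> dict:
    """Copy of a profile dict that is safe to log: secret values are masked."""
    return {k: ("***" if k in SECRET_FIELDS and v else v) for k, v in profile.items()}


def reset_when_propagated(reset_call, attempts=6, base_delay=5.0, sleep=time.sleep):
    """Call reset_call() until the new credential is accepted.

    Retries only on HTTP 400 (what the issue shows while the new key is not
    yet usable), waiting base_delay, 2*base_delay, ... between tries.
    Any other error, or a 400 on the last attempt, is re-raised.
    Returns the number of attempts used.
    """
    for attempt in range(1, attempts + 1):
        try:
            reset_call()
            return attempt
        except Exception as exc:
            # Assumption: the SDK error exposes the HTTP status as .status_code.
            if getattr(exc, "status_code", None) != 400 or attempt == attempts:
                raise
            sleep(base_delay * 2 ** (attempt - 1))


# --- constructed stand-in for the management API, so this runs offline ---
class FakeBadRequest(Exception):
    status_code = 400


def make_fake_reset(rejections):
    """Return a callable that fails with 400 `rejections` times, then succeeds."""
    state = {"left": rejections}

    def call():
        if state["left"] > 0:
            state["left"] -= 1
            raise FakeBadRequest("400 Client Error: Bad Request")

    return call


def demo():
    waits = []  # record the requested delays instead of really sleeping
    used = reset_when_propagated(make_fake_reset(2), sleep=waits.append)
    return used, waits
```

In the issue's function, `reset_call` would be a lambda wrapping the `reset_service_principal_profile` call; a 400 that persists past the last attempt is re-raised, so a genuinely malformed request still surfaces.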