Closed rdtechie closed 5 years ago
@zikalino Could you help take a look this issue when you're available? Thanks!
@rdtechie thanks for reporting the issue, we're looking at it.
Hi, could you please try the fix in #215 and see whether it resolves your issue?
Hi @yungezz that resolves the issue. Can you merge it into master?
Fix was merged into master, closing the issue.
Hi, I'm still facing the issue. Ansible 2.8.2.
Task:

```yaml
- name: "Create secret: postgres password"
  azure_rm_keyvaultsecret:
    secret_name: "pg-admin-password"
    secret_value: "my_password"
    keyvault_uri: "{{ vault_uri }}"
    tags: ["kv"]
```
Full log:

```text
task path: /home/nico/Documents/ifrs17-deployer/ansible/roles/infrastructure/tasks/key-vault.yml:47
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: nico
<127.0.0.1> EXEC /bin/sh -c 'echo ~nico && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/nico/.ansible/tmp/ansible-tmp-1562316228.5673969-202423648538091 `" && echo ansible-tmp-1562316228.5673969-202423648538091="` echo /home/nico/.ansible/tmp/ansible-tmp-1562316228.5673969-202423648538091 `" ) && sleep 0'
Using module file /home/nico/Documents/ifrs17-deployer/ansible/library/azure_rm_keyvaultsecret.py
<127.0.0.1> PUT /home/nico/.ansible/tmp/ansible-local-29615w2d24ndr/tmpz8_d3vum TO /home/nico/.ansible/tmp/ansible-tmp-1562316228.5673969-202423648538091/AnsiballZ_azure_rm_keyvaultsecret.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/nico/.ansible/tmp/ansible-tmp-1562316228.5673969-202423648538091/ /home/nico/.ansible/tmp/ansible-tmp-1562316228.5673969-202423648538091/AnsiballZ_azure_rm_keyvaultsecret.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3 /home/nico/.ansible/tmp/ansible-tmp-1562316228.5673969-202423648538091/AnsiballZ_azure_rm_keyvaultsecret.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/nico/.ansible/tmp/ansible-tmp-1562316228.5673969-202423648538091/ > /dev/null 2>&1 && sleep 0'
fatal: [localhost]: FAILED! => {
    "changed": false,
    "module_stderr": "MSI: wait: 0.1s and retry: 1\nMSI: wait: 0.1s and retry: 2\nMSI: wait: 0.7s and retry: 3\nMSI: wait: 0.7s and retry: 4\nMSI: wait: 3.1s and retry: 5\nMSI: wait: 0.7s and retry: 6\nMSI: wait: 3.1s and retry: 7\nMSI: wait: 0.3s and retry: 8\nMSI: wait: 0.3s and retry: 9\nMSI: wait: 0.7s and retry: 10\nMSI: wait: 204.7s and retry: 11\nMSI: wait: 1.5s and retry: 12\nYour credentials class does not support session injection. Performance will not be at the maximum.\nTraceback (most recent call last):\n File \"/home/nico/.ansible/tmp/ansible-tmp-1562316228.5673969-202423648538091/AnsiballZ_azure_rm_keyvaultsecret.py\", line 114, in <module>\n _ansiballz_main()\n File \"/home/nico/.ansible/tmp/ansible-tmp-1562316228.5673969-202423648538091/AnsiballZ_azure_rm_keyvaultsecret.py\", line 106, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/nico/.ansible/tmp/ansible-tmp-1562316228.5673969-202423648538091/AnsiballZ_azure_rm_keyvaultsecret.py\", line 49, in invoke_module\n imp.load_module('__main__', mod, module, MOD_DESC)\n File \"/usr/lib/python3.6/imp.py\", line 235, in load_module\n return load_source(name, filename, file)\n File \"/usr/lib/python3.6/imp.py\", line 170, in load_source\n module = _exec(spec, sys.modules[name])\n File \"<frozen importlib._bootstrap>\", line 618, in _exec\n File \"<frozen importlib._bootstrap_external>\", line 678, in exec_module\n File \"<frozen importlib._bootstrap>\", line 219, in _call_with_frames_removed\n File \"/tmp/ansible_azure_rm_keyvaultsecret_payload_9kvx9sj7/__main__.py\", line 228, in <module>\n File \"/tmp/ansible_azure_rm_keyvaultsecret_payload_9kvx9sj7/__main__.py\", line 224, in main\n File \"/tmp/ansible_azure_rm_keyvaultsecret_payload_9kvx9sj7/__main__.py\", line 127, in __init__\n File \"/tmp/ansible_azure_rm_keyvaultsecret_payload_9kvx9sj7/ansible_azure_rm_keyvaultsecret_payload.zip/ansible/module_utils/azure_rm_common.py\", line 325, in __init__\n File \"/tmp/ansible_azure_rm_keyvaultsecret_payload_9kvx9sj7/__main__.py\", line 141, in exec_module\n File \"/tmp/ansible_azure_rm_keyvaultsecret_payload_9kvx9sj7/__main__.py\", line 205, in get_secret\n File \"/usr/local/lib/python3.6/dist-packages/azure/keyvault/key_vault_client.py\", line 1795, in get_secret\n response = self._client.send(request, header_parameters, **operation_config)\n File \"/usr/local/lib/python3.6/dist-packages/msrest/service_client.py\", line 219, in send\n pipeline_response = self.config.pipeline.run(request, **kwargs)\n File \"/usr/local/lib/python3.6/dist-packages/msrest/pipeline/__init__.py\", line 203, in run\n return first_node.send(pipeline_request, **kwargs) # type: ignore\n File \"/usr/local/lib/python3.6/dist-packages/msrest/pipeline/__init__.py\", line 156, in send\n response = self.next.send(request, **kwargs)\n File \"/usr/local/lib/python3.6/dist-packages/msrest/pipeline/requests.py\", line 72, in send\n return self.next.send(request, **kwargs)\n File \"/usr/local/lib/python3.6/dist-packages/msrest/pipeline/requests.py\", line 137, in send\n return self.next.send(request, **kwargs)\n File \"/usr/local/lib/python3.6/dist-packages/msrest/pipeline/__init__.py\", line 156, in send\n response = self.next.send(request, **kwargs)\n File \"/usr/local/lib/python3.6/dist-packages/msrest/pipeline/requests.py\", line 193, in send\n self.driver.send(request.http_request, **kwargs)\n File \"/usr/local/lib/python3.6/dist-packages/msrest/universal_http/requests.py\", line 328, in send\n return super(RequestsHTTPSender, self).send(request, **requests_kwargs)\n File \"/usr/local/lib/python3.6/dist-packages/msrest/universal_http/requests.py\", line 137, in send\n **kwargs)\n File \"/usr/lib/python3/dist-packages/requests/sessions.py\", line 520, in request\n resp = self.send(prep, **send_kwargs)\n File \"/usr/lib/python3/dist-packages/requests/sessions.py\", line 637, in send\n r = dispatch_hook('response', hooks, r, **kwargs)\n File \"/usr/lib/python3/dist-packages/requests/hooks.py\", line 31, in dispatch_hook\n _hook_data = hook(hook_data, **kwargs)\n File \"/usr/local/lib/python3.6/dist-packages/azure/keyvault/custom/key_vault_authentication.py\", line 146, in _handle_401\n security = self._get_message_security(prep, challenge)\n File \"/usr/local/lib/python3.6/dist-packages/azure/keyvault/custom/key_vault_authentication.py\", line 172, in _get_message_security\n scheme))\n File \"/usr/local/lib/python3.6/dist-packages/azure/keyvault/custom/key_vault_authentication.py\", line 61, in _auth_callback_compat\n if len(inspect.getargspec(self._user_callback).args) == 3 \\\n File \"/tmp/ansible_azure_rm_keyvaultsecret_payload_9kvx9sj7/__main__.py\", line 184, in auth_callback\nKeyError: 'client_id'\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}
```
Maybe related to MSI and the proxy. I don't see the "proxies" flag in the code, as there is for the other classes.
To fix this on my side (Ubuntu system), I commented out the MSI part:
```python
# MSI is blocking when using service principal credentials
# try:
#     self.log("Get KeyVaultClient from MSI")
#     credentials = MSIAuthentication(resource='https://vault.azure.net')
#     return KeyVaultClient(credentials)
# except Exception:
#     self.log("Get KeyVaultClient from service principal")
```
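The comment above works around the failure by removing the MSI path entirely. The traceback shows why it hurts even when MSI is not in use: the MSI probe retried twelve times (one wait of 204.7 s) before falling through, and the service-principal fallback then hit `KeyError: 'client_id'` inside `auth_callback` because the credential dictionary had no such key. The following is an added example, not code from the Ansible Azure modules, of a credential-resolution order that avoids both problems: an explicit service principal is used first without probing IMDS, the MSI probe is bounded, IMDS traffic is checked against any proxy set in the environment (IMDS is link-local at 169.254.169.254 and must bypass the proxy, which `requests` only does if `NO_PROXY` lists it), and a missing field produces a named error instead of a bare `KeyError`. It assumes the module's `auth_callback` indexes `credentials['client_id']` (the only evidence is the traceback) and that the `KeyVaultAuthentication` challenge handler from azure-keyvault 1.x calls a three-argument `(server, resource, scope)` callback returning `(scheme, token)`, which is my reading of the `_auth_callback_compat` frame. The token fetchers are injected and the inputs are constructed so the whole thing runs offline.

```python
"""Fail-fast credential resolution for a Key Vault client.

Added example for this thread, not code from the Ansible Azure modules.
Token fetchers are injected so everything here runs offline.
"""
import os
import time
from typing import Callable, Dict, Mapping, Optional, Tuple

IMDS_HOST = "169.254.169.254"            # Azure Instance Metadata Service, link-local
KEYVAULT_RESOURCE = "https://vault.azure.net"
SP_KEYS = ("client_id", "secret", "tenant")


class CredentialError(RuntimeError):
    """Raised with an actionable message instead of a bare KeyError."""


def imds_bypasses_proxy(environ: Mapping[str, str] = os.environ) -> bool:
    """True if IMDS traffic will not be routed through an HTTP(S) proxy.

    requests honours HTTP_PROXY/HTTPS_PROXY; a corporate proxy cannot reach a
    link-local address, so the probe hangs or fails unless NO_PROXY covers it.
    """
    proxy_vars = ("HTTPS_PROXY", "https_proxy", "HTTP_PROXY", "http_proxy")
    if not any(environ.get(k) for k in proxy_vars):
        return True
    no_proxy = environ.get("NO_PROXY") or environ.get("no_proxy") or ""
    hosts = {h.strip() for h in no_proxy.split(",") if h.strip()}
    return IMDS_HOST in hosts or "*" in hosts


def probe_msi(fetch_msi_token: Callable[[], str], retries: int = 2,
              delay: float = 0.5) -> Optional[str]:
    """Bounded MSI probe: a few attempts with a short fixed wait, then None.

    The log above shows the SDK's own loop making 12 attempts, one of them
    after a 204.7 s wait, before the module fell through to the SP path.
    """
    for attempt in range(1, retries + 1):
        try:
            return fetch_msi_token()
        except Exception:                # unreachable IMDS, no identity, proxy timeout
            if attempt < retries:
                time.sleep(delay)
    return None


def resolve_keyvault_token(credentials: Dict[str, str],
                           fetch_msi_token: Callable[[], str],
                           fetch_sp_token: Callable[[str, str, str], str],
                           environ: Mapping[str, str] = os.environ,
                           retries: int = 2, delay: float = 0.5) -> Tuple[str, str]:
    """Return (source, bearer_token).

    Order: a complete service principal wins outright (no IMDS probe on a
    host that has no identity), then MSI, then an error naming what is missing.
    """
    if all(credentials.get(k) for k in SP_KEYS):
        token = fetch_sp_token(credentials["client_id"], credentials["secret"],
                               credentials["tenant"])
        return "service_principal", token

    if imds_bypasses_proxy(environ):
        token = probe_msi(fetch_msi_token, retries, delay)
        if token:
            return "msi", token
        reason = "IMDS token request failed"
    else:
        reason = "HTTP(S)_PROXY is set and NO_PROXY does not list %s" % IMDS_HOST

    missing = [k for k in SP_KEYS if not credentials.get(k)]
    raise CredentialError("no usable Key Vault credentials: %s; service principal "
                          "incomplete, missing %s" % (reason, missing))


def make_auth_callback(credentials, fetch_msi_token, fetch_sp_token,
                       environ: Mapping[str, str] = os.environ):
    """Build a (server, resource, scope) -> (scheme, token) callback.

    Assumed shape of the azure-keyvault 1.x KeyVaultAuthentication callback
    seen in the traceback; the MSI fetcher should have been created with
    resource=KEYVAULT_RESOURCE so the token audience matches the vault.
    """
    def auth_callback(server, resource, scope):
        _source, token = resolve_keyvault_token(credentials, fetch_msi_token,
                                                fetch_sp_token, environ)
        return "Bearer", token
    return auth_callback


def imds_unreachable() -> str:
    """Constructed stand-in for an MSI fetcher on a host without an identity."""
    raise ConnectionError("%s unreachable" % IMDS_HOST)


if __name__ == "__main__":
    sp = {"client_id": "app-id", "secret": "app-secret", "tenant": "tenant-id"}  # constructed
    print(resolve_keyvault_token(sp, imds_unreachable, lambda c, s, t: "sp-token-for-" + c, environ={}))
    try:
        resolve_keyvault_token({"client_id": "app-id"}, imds_unreachable, None, environ={}, delay=0)
    except CredentialError as err:
        print(err)
```

On a real host the MSI fetcher would wrap `MSIAuthentication(resource=KEYVAULT_RESOURCE)` and the SP fetcher `ServicePrincipalCredentials(...)`, both from msrestazure; the point of injecting them is that the ordering and the proxy check can be tested without a network, and that a box behind a proxy fails in under a second with a message naming `NO_PROXY` rather than after several minutes of IMDS retries.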
When trying to create an Azure Key Vault secret with the latest preview module, I'm receiving this error:
I'm using an MSI as the authentication method, and this MSI has permissions to the key vault. It's added with the correct permissions to the Access Policy on the Key Vault.
This succeeds from the same machine:

```shell
az keyvault secret set --subscription <fakenumber> --vault-name vault01 --name secret01 --value secret01
```
pip freeze: