Azure / kubernetes-keyvault-flexvol

Azure keyvault integration with Kubernetes via a Flex Volume
MIT License

Obscure error message "MountVolume.SetUp failed for volume "secrets" : invalid character '\r' in string literal" #121

Closed sebastus closed 4 years ago

sebastus commented 4 years ago

Describe the bug

Message says there's a \r somewhere, but after double checking the actual secrets and the yaml used to deploy into AKS, the error persists.

Steps To Reproduce

  1. define a service principal with contributor rights to azure
  2. write a (kubectl) Deployment yaml file with FV set up and a few secrets in KV
  3. deploy

Expected behavior

Given the circumstances (see below), the error message should reflect the actual situation: that there was no access policy in the kv for the spn.

Key Vault FlexVolume version 0.0.12

Access mode: service principal or pod identity service principal

Kubernetes version 1.13.5

Additional context

The spn did not have a role assignment to access key vault, nor did it have an access policy within that kv.

This message was discovered in the /var/log/kv-driver.log file in the node.

Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Access denied. Caller was not found on any access policy.

sebastus commented 4 years ago

By chance I deployed some yaml with an error in it. Again, I got the \r message in the title of this issue. The error was that I had some invalid references - this yaml is designed to have some parameters plugged in by Azure DevOps and I forgot to replace them. For example:

[error] : failed to get vault: failed to get vault ResourceGroupName: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/__SubscriptionId__/resourceGroups/__ResourceGroupName__/providers/Microsoft.KeyVault/vaults/__ResourceGroupName__?api-version=2016-10-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"AADSTS900023: Specified tenant identifier 'tenantid' is neither a valid DNS name, nor a valid external domain.\r\n
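The mechanism behind the message in the title, as an added example that is not code from the kubernetes-keyvault-flexvol project: a FlexVolume driver answers kubelet with a JSON status object on stdout, and if the driver formats the Azure error text into that JSON by string concatenation, the raw \r\n at the end of the AADSTS/Forbidden response body makes the object unparseable, so kubelet reports the JSON decoder's complaint instead of the 403/400 cause. The type and function names are assumptions for this example, and the Azure message is a constructed stand-in based on the text quoted above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// constructedAzureMessage is a stand-in for the AADSTS error body quoted in the
// issue; only the trailing "\r\n" matters for the failure mode shown here.
const constructedAzureMessage = "AADSTS900023: Specified tenant identifier 'tenantid' is neither a valid DNS name, nor a valid external domain.\r\n"

// DriverStatus mirrors the status/message object a FlexVolume driver prints on
// stdout for kubelet to parse (name assumed for this example).
type DriverStatus struct {
	Status  string `json:"status"`
	Message string `json:"message"`
}

// naiveStatus builds the status object by string formatting, so control
// characters in err land unescaped inside the JSON string literal.
func naiveStatus(err error) string {
	return fmt.Sprintf(`{"status":"Failure","message":"%s"}`, err.Error())
}

// safeStatus lets encoding/json escape the message, so the original cause
// survives the round trip through kubelet's JSON parser.
func safeStatus(err error) (string, error) {
	b, mErr := json.Marshal(DriverStatus{Status: "Failure", Message: err.Error()})
	return string(b), mErr
}

// parseAsKubelet decodes driver output the way a JSON consumer would and
// returns the message, or the decoder's error when the output is not valid JSON.
func parseAsKubelet(out string) (string, error) {
	var st DriverStatus
	if err := json.Unmarshal([]byte(out), &st); err != nil {
		return "", err
	}
	return st.Message, nil
}

func main() {
	cause := errors.New(constructedAzureMessage)
	_, err := parseAsKubelet(naiveStatus(cause))
	fmt.Println("naive:", err) // invalid character '\r' in string literal
	out, _ := safeStatus(cause)
	msg, _ := parseAsKubelet(out)
	fmt.Printf("safe: %q\n", msg) // the AADSTS text, with \r\n intact
}
```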