ansible-collections / azure

Development area for Azure Collections
https://galaxy.ansible.com/azure/azcollection
GNU General Public License v3.0

azure_rm_keyvault failing for Azure China with 403 Client Error #671

Open bikashkarmakar opened 2 years ago

bikashkarmakar commented 2 years ago
SUMMARY

Ansible AWX playbook with azure_rm_keyvault fails to create a KeyVault in Azure China in spite of specifying cloud_environment.

ISSUE TYPE
COMPONENT NAME
ANSIBLE VERSION
ansible-playbook 2.10.8
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT

python version = 3.6.8 [GCC 8.4.1 20200928 (Red Hat 8.4.1-1)]

STEPS TO REPRODUCE
---
- name: Create/update a key vault
  azure_rm_keyvault:
    subscription_id: "{{ subscription_id }}"
    resource_group: "{{ resource_group_name }}"
    vault_name: "{{ key_vault_name }}"
    enabled_for_deployment: yes
    vault_tenant: "{{ lookup('env', 'AZURE_TENANT') }}"
    cloud_environment: "{{ cloud_tenant }}"
    sku:
      name: standard
      family: A
    access_policies:
      - object_id: "{{ management_group_service_principal_object_id }}"
        keys:
          - get
          - list
        secrets:
          - get
          - list
          - set
          - delete
          - recover
          - backup
          - restore
      - object_id: "{{ rgadmin_group_object_id }}"
        keys:
          - get
          - list
        secrets:
          - get
          - list
          - set
    state: present
  register: keyvault
  environment:
    AZURE_SUBSCRIPTION_ID: "{{ subscription_id }}"
- debug:
    msg: "Key vault name = {{ key_vault_name }} within the resource group : {{ resource_group_name }} created/updated successfully"
EXPECTED RESULTS

Azure KeyVault is created in the resource group in Azure China subscription

ACTUAL RESULTS

The AWX job logs show "cloud_environment": "AzureCloud" and not AzureChinaCloud, which is what is specified in the var file.

[WARNING]: Azure API profile latest does not define an entry for
KeyVaultManagementClient
fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "access_policies": [
                {
                    "application_id": null,
                    "object_id": "xxxx-xxxx-xxxx-xxxx-xxxxx",
                    "permissions": {
                        "certificates": null,
                        "keys": [
                            "get",
                            "list"
                        ],
                        "secrets": [
                            "get",
                            "list",
                            "set",
                            "delete",
                            "recover",
                            "backup",
                            "restore"
                        ],
                        "storage": null
                    },
                    "tenant_id": "xxxx-xxx-xxxx-xxxx-xxxxx"
                },
                {
                    "application_id": null,
                    "object_id": "xxxx-xxxx-xxx-xxx-xxxx",
                    "permissions": {
                        "certificates": null,
                        "keys": [
                            "get",
                            "list"
                        ],
                        "secrets": [
                            "get",
                            "list",
                            "set"
                        ],
                        "storage": null
                    },
                    "tenant_id": "xxxxx-xxxx-xxxx-xxx-xxxx"
                }
            ],
            "ad_user": null,
            "adfs_authority_url": null,
            "api_profile": "latest",
            "append_tags": true,
            "auth_source": "auto",
            "cert_validation_mode": null,
            "client_id": null,
            "cloud_environment": "AzureCloud",
            "enable_soft_delete": null,
            "enabled_for_deployment": true,
            "enabled_for_disk_encryption": null,
            "enabled_for_template_deployment": null,
            "location": null,
            "password": null,
            "profile": null,
            "recover_mode": null,
            "resource_group": "XXXX-XXXXXX-sandbox-resources",
            "secret": null,
            "sku": {
                "family": "A",
                "name": "standard"
            },
            "state": "present",
            "subscription_id": "xxxxx-xxxx-xxx-xxx-xxxxxx",
            "tags": null,
            "tenant": null,
            "vault_name": "rg-xxx-Sandbox-akv",
            "vault_tenant": "xxxx-xxxx-xxx-xxx-xxxxx"
        }
    },
    "msg": "Error creating the Key Vault instance: 403 Client Error: Forbidden for url: https://management.chinacloudapi.cn/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxx/resourceGroups/xxxx-xxx-xxx-xx-sandbox-resources/providers/Microsoft.KeyVault/vaults/rg-xxxx-Sandbox-akv?api-version=2018-02-14"
}
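One way to triage the mismatch visible in the log above, as an added example that is not part of this issue or of the collection's code: the script reads the failed-task JSON, compares the cloud_environment the module actually received with the ARM endpoint in the error URL, and with the value the playbook meant to pass. It assumes the standard ARM hosts for each cloud environment; the sample JSON is a constructed, abbreviated copy of the output above with placeholder ids.

```python
import json
import re
from urllib.parse import urlparse

# Resource Manager endpoints of the Azure cloud environments, keyed by host.
# Assumed mapping (standard public endpoints), not taken from the issue.
ARM_ENDPOINTS = {
    "management.azure.com": "AzureCloud",
    "management.chinacloudapi.cn": "AzureChinaCloud",
    "management.usgovcloudapi.net": "AzureUSGovernment",
}

URL_RE = re.compile(r"https?://[^\s\"']+")


def cloud_from_msg(msg):
    """Cloud environment implied by the first URL in an error message,
    or None when there is no URL or the host is not a known ARM endpoint."""
    m = URL_RE.search(msg)
    if not m:
        return None
    return ARM_ENDPOINTS.get(urlparse(m.group(0)).hostname)


def check_cloud_environment(result_json, expected=None):
    """Return a list of findings: declared vs. intended cloud_environment,
    and declared vs. the endpoint the request was actually sent to."""
    result = json.loads(result_json)
    declared = result["invocation"]["module_args"].get("cloud_environment")
    actual = cloud_from_msg(result.get("msg", ""))
    findings = []
    if expected and declared != expected:
        findings.append(f"cloud_environment is {declared!r}, playbook var expected {expected!r}")
    if actual and declared != actual:
        findings.append(f"module_args say {declared!r} but request went to the {actual} ARM endpoint")
    return findings


# Constructed, abbreviated copy of the failed-task JSON from the issue (placeholder ids).
SAMPLE_RESULT = json.dumps({
    "changed": False,
    "invocation": {"module_args": {"api_profile": "latest",
                                   "cloud_environment": "AzureCloud",
                                   "vault_name": "rg-xxxx-Sandbox-akv"}},
    "msg": ("Error creating the Key Vault instance: 403 Client Error: Forbidden for url: "
            "https://management.chinacloudapi.cn/subscriptions/xxxx/resourceGroups/xxxx"
            "/providers/Microsoft.KeyVault/vaults/rg-xxxx-Sandbox-akv?api-version=2018-02-14"),
})

if __name__ == "__main__":
    for finding in check_cloud_environment(SAMPLE_RESULT, expected="AzureChinaCloud"):
        print(finding)
```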
Fred-sun commented 2 years ago

@bikashkarmakar Thank you for submitting this question. What kind of credentials are you using? Currently, the azure_rm_keyvault module supports only az login. Can you confirm it? Thank you very much!

Fred-sun commented 2 years ago

@bikashkarmakar Do you still have this problem? According to the error log, the problem is on your side. Is your current account right? I didn't have any problems testing locally. Would you try again? Thank you very much!

bikashkarmakar commented 2 years ago

Sorry for the late response, we are using service-principal-based Ansible credentials.

Fred-sun commented 5 months ago

@bikashkarmakar Do you still have this issue? The version you are using may be older. Can you update to the latest version and try? The new version takes the 'cloud_environment' parameter to specify the cloud environment to work in. Thank you!