ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

Azure Government keyvault integration Authentication errors #8329

Open russelljftw opened 4 years ago

russelljftw commented 4 years ago
ISSUE TYPE
SUMMARY

Azure Keyvault lookup plugin not working for Azure Government. Vague "Authentication Error" popup with no details or log.

The Azure Keyvault credentials plugin is found here: awx/awx/main/credential_plugins/azure_kv.py

ENVIRONMENT
STEPS TO REPRODUCE

1. Create Microsoft Azure Key Vault credential type.
2. Populate details with Azure Government Keyvault and Application registration.
3. Select Cloud Environment "AzureGovernment".
4. Save credential.
5. Click Test, enter valid secret name.

EXPECTED RESULTS

Microsoft Azure Keyvault:Test Passed!

ACTUAL RESULTS

Red Error message Microsoft Azure Keyvault: Authentication Error

ADDITIONAL INFORMATION

This issue is related to Feature Idea #5138 I had previously submitted. I was unable to validate functionality before that issue was closed.

I think this is failing because the ServicePrincipalCredentials method does not contain cloud_environment=azure_cloud.AZURE_US_GOV_CLOUD

Or because the KeyVaultClient method is not given the base_url for the government API endpoint.

On https://docs.microsoft.com/en-us/azure/developer/python/azure-sdk-authenticate?tabs=cmd
there is a section on Azure Sovereign or national Cloud logons.

jakemcdermott commented 4 years ago

> I think this is failing because the ServicePrincipalCredentials method does not contain cloud_environment=azure_cloud.AZURE_US_GOV_CLOUD

@russelljftw This seems plausible to me. Would there be any way that you could verify this before we make the change? If you can verify the precise set of data values needed with a raw http request or python script that works, that would be helpful. Thank you!

opfpqgoon commented 3 years ago

I've confirmed that adding cloud_environment = cloud inside the ServicePrincipalCredentials method does indeed allow for credential testing to succeed. This does not allow for populating a secret into a credential, however, as the secret is never stored into the field. The value of the credential remains empty after testing and selecting "ok".

Edit: this appears to be a UI bug as AzureUSGovernment is indeed usable after adding cloud_environment = cloud
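As an added illustration (not code from AWX or from anyone in this thread), a standard-library preflight check for the mismatch discussed above: it confirms that a vault URL belongs to the selected cloud and returns the Azure AD authority host and token resource for that cloud. The dictionary keys, function names and vault name are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Per-cloud Azure AD authority host and Key Vault DNS suffix (public Azure
# endpoint values). The dictionary keys are labels chosen for this example.
CLOUDS = {
    "AzureCloud": ("login.microsoftonline.com", "vault.azure.net"),
    "AzureUSGovernment": ("login.microsoftonline.us", "vault.usgovcloudapi.net"),
    "AzureChinaCloud": ("login.chinacloudapi.cn", "vault.azure.cn"),
}


def cloud_for_vault(vault_url):
    """Return the cloud label whose Key Vault DNS suffix matches vault_url."""
    parts = urlsplit(vault_url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        raise ValueError("vault URL must be https://<name>.<vault suffix>")
    for cloud, (_authority, suffix) in CLOUDS.items():
        # Match on a full DNS label boundary so look-alike hosts are rejected.
        if host.endswith("." + suffix):
            return cloud
    raise ValueError("unrecognised Key Vault DNS suffix: " + host)


def auth_settings(vault_url, selected_cloud):
    """Check the vault URL against the selected cloud before any token request.

    Returns (authority_host, token_resource). Raises ValueError on a mismatch,
    so the misconfiguration is reported with a specific message.
    """
    if selected_cloud not in CLOUDS:
        raise ValueError("unknown cloud environment: " + selected_cloud)
    actual = cloud_for_vault(vault_url)
    if actual != selected_cloud:
        raise ValueError(
            "vault is in %s but credentials would authenticate against %s"
            % (actual, selected_cloud))
    authority, suffix = CLOUDS[selected_cloud]
    return authority, "https://" + suffix


if __name__ == "__main__":
    # Constructed vault name, not taken from the issue.
    print(auth_settings("https://example-vault.vault.usgovcloudapi.net",
                        "AzureUSGovernment"))
```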

lovleshmalik commented 3 years ago

I am getting this error when trying to validate Vault URL with SP credentials on Azure GovCloud: Max retries 3 times exceeded. Error Details: AADSTS900382 : Confidential Client is not supported in Cross Cloud request. Any idea if this might be related to this issue?

opfpqgoon commented 3 years ago

@lovleshmalik where are you getting that error? Which UI page in AWX and following what procedures?

rdeberry-sms commented 1 year ago

Bump, same issue. What log file are you seeing that error?

RussTech commented 1 year ago

> Bump, same issue. What log file are you seeing that error?

I'm the original poster of this issue, but lost access to that GitHub account.

You can see a detailed error message if you try to use a credential that leverages the Azure Gov Keyvault credential in a job. The job will fail almost immediately.