hashicorp / packer-plugin-azure

Packer plugin for Azure Virtual Machine Image Builders
https://www.packer.io/docs/builders/azure
Mozilla Public License 2.0

OIDC token expiration problem - Add support for OIDC Request Token/url #385

Closed ibeerens closed 3 weeks ago

ibeerens commented 4 months ago

I read the post "https://www.hashicorp.com/blog/version-2-packer-azure-plugin-now-available". I use Packer with the latest Azure plugin and use the OIDC connection. When using a deployment that takes, for example, 38 minutes, everything runs OK. But when I use a larger deployment, the following error occurs:

==> azure-arm.windows11-avd: autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS700024: Client assertion is not within its valid time range. Current time: 2024-02-27T14:01:33.3967841Z, assertion valid from 2024-02-27T12:47:05.0000000Z, expiry time of assertion 2024-02-27T12:52:05.0000000Z. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials . Trace ID: b4e5b623-f000-4983-876c-85b424ac8e00 Correlation ID: 1b880267-c308-4c21-a6f6-085e62971c0d Timestamp: 2024-02-27 14:01:33Z","error_codes":[700024],"timestamp":"2024-02-27 14:01:33Z","trace_id":"b4e5b623-f000-4983-876c-85b424ac8e00","correlation_id":"1b880267-c308-4c21-a6f6-085e62971c0d","error_uri":"https://login.microsoftonline.com/error?code=700024"}

It looks like a token expiration problem. Do you know how you can solve this?

ibeerens commented 2 months ago

Is there a way to extend the OIDC token?

JenGoldstrich commented 1 month ago

Hey @ibeerens, in the current version of the plugin, no. I chatted with the folks on the Terraform AzureRM Provider, as we share an upstream SDK; here are the Terraform AzureRM Provider authentication docs. We only implemented the OIDC token field, and these tokens cannot be extended from the SDK. However, if we implement the OIDC request token and URL keys, which are supported using GitHub Actions and many other OIDC providers, these tokens should refresh properly.

I will add this to our team's backlog for planning and address it when we are able.
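The failure mode in this thread (a client assertion with a five-minute nbf/exp window that Entra ID rejects as AADSTS700024 once a long build outlives it) and the refresh that a request token/URL exchange makes possible, as an added Go example that is not code from the plugin, the SDK, or anyone in this issue. `mintAssertion`, `assertionValidAt` and `nextAssertion` are hypothetical names; the `fetch` callback stands in for the provider's request-token/URL call, and the JWTs are constructed and unsigned.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// mintAssertion builds a constructed, unsigned JWT with the given nbf/exp
// window, standing in for what an OIDC provider would issue (no signature).
func mintAssertion(nbf, exp time.Time) string {
	body, _ := json.Marshal(map[string]int64{"nbf": nbf.Unix(), "exp": exp.Unix()})
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"none"}`)) + "." + enc(body) + ".sig"
}

// assertionValidAt decodes the nbf/exp claims Entra ID checks for AADSTS700024
// (signature verification is Entra ID's job) and reports validity at t.
func assertionValidAt(jwt string, t time.Time) (bool, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("not a compact JWT")
	}
	var c struct{ Nbf, Exp int64 } // encoding/json matches "nbf"/"exp" case-insensitively
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	return err == nil && t.Unix() >= c.Nbf && t.Unix() < c.Exp, err
}

// nextAssertion returns an assertion usable at now. With fetch == nil (the
// plugin's static token field) an expired token fails closed, which is the
// error a long Packer build hits; with fetch set (standing in for the
// request-token/URL exchange GitHub Actions offers) a fresh token is requested.
func nextAssertion(current string, fetch func() (string, error), now time.Time) (string, error) {
	if ok, _ := assertionValidAt(current, now); ok {
		return current, nil
	}
	if fetch == nil {
		return "", fmt.Errorf("client assertion is not within its valid time range")
	}
	return fetch()
}
```

Call `nextAssertion` every time a token request is about to be made and keep the returned value as the new `current`, so the assertion is renewed only when its window has closed.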

ibeerens commented 1 month ago

Thanks for the update @JenGoldstrich