hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

[Bug]: `validate_creds` in `data.vault_azure_access_credentials` broken in v3.22.0 #2075

Closed F21 closed 10 months ago

F21 commented 10 months ago

Terraform Core Version

1.6.3

Terraform Vault Provider Version

3.22.0

Vault Server Version

1.15.0

Affected Resource(s)

Expected Behavior

Validation of generated credentials should complete correctly.

Actual Behavior

Validation of credentials fails and the apply/plan stops.

Relevant Error/Panic Output Snippet

╷
│ Error: validation failed, unauthorized credentials from Vault, err=ClientSecretCredential authentication failed
│ POST https://login.microsoftonline.com/REDACTED/oauth2/v2.0/token
│ --------------------------------------------------------------------------------
│ RESPONSE 401 Unauthorized
│ --------------------------------------------------------------------------------
│ {
│   "error": "invalid_client",
│   "error_description": "AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'REDACTED'. Trace ID: REDACTED Correlation ID: REDACTED Timestamp: 2023-11-02 03:01:55Z",
│   "error_codes": [
│     7000215
│   ],
│   "timestamp": "2023-11-02 03:01:55Z",
│   "trace_id": "REDACTED",
│   "correlation_id": "REDACTED",
│   "error_uri": "https://login.microsoftonline.com/error?code=7000215"
│ }
│ --------------------------------------------------------------------------------
│ To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#client-secret
│
│   with data.vault_azure_access_credentials.test,
│   on main.tf line 74, in data "vault_azure_access_credentials" "test":
│   74: data "vault_azure_access_credentials" "test" {
│

Terraform Configuration Files

https://gist.github.com/F21/01b08c3d7deb0db6385cd03ece741bf6

Steps to Reproduce

  1. Configure Vault and create a role that uses existing service principals using this tutorial: https://developer.hashicorp.com/vault/tutorials/secrets-management/azure-secrets
  2. Run terraform apply.
  3. See error message.
  4. Downgrade the vault provider to v3.21.0.
  5. Run terraform apply and see no errors.

Would you like to implement a fix?

None

cloudnes commented 10 months ago

Having the same issue, resolved by going back to 3.21.

dejoost commented 10 months ago

I also encountered the same issue; downgrading restored the functionality.

fairclothjm commented 10 months ago

The fix is available in https://github.com/hashicorp/terraform-provider-vault/releases/tag/v3.23.0