Good evening folks!
I have a problem when trying to enable this secrets engine and create a role using an already existing service principal.
I am creating the role with the Terraform Vault provider (vault_azure_secret_backend_role). The service principal I'm using to configure the secret backend has the proper permissions, like Application.ReadWrite.All and the Group one.
When trying to create the role using this backend, I'm getting the following error.
This is the resource I'm using:
resource "vault_azure_secret_backend_role" "azure_apps_roles" {
  namespace             = var.namespace
  backend               = var.azure_secrets_engine_path   # mount path of the azure secrets engine
  role                  = var.role_name
  application_object_id = var.spn_object_id              # object ID of the existing application
  ttl                   = 300
  max_ttl               = 600
}
And this is the error I'm getting:
* error loading Application: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://graph.microsoft.com/v1.0/applications/<existing-spn>: StatusCode=401 -- Original Error: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '<backend spn id>'.\r\nTrace ID: <backend spn id>\r\nCorrelation ID: 61e1a24c-b6a2-4869-a34c-25441e407135\r\nTimestamp: 2023-07-11 20:52:01Z",
"error_codes":[7000215],"timestamp":"2023-07-11 20:52:01Z",
"trace_id":"1e0a4e2d-e68e-4953-9c24-8f4c6a1d0100",
"correlation_id":"61e1a24c-b6a2-4869-a34c-25441e407135",
"error_uri":"https://login.microsoftonline.com/error?code=7000215"} Endpoint https://login.microsoftonline.com/<my tenant id>/oauth2/token?api-version=1.0
I already tested this with several client secrets for my "parent" service principal, and also tried it directly with the Vault CLI; same error.
I want to know if there is anything else I need to set up other than the permissions on the parent service principal.
| Permission Name | Type |
|---|---|
| Application.ReadWrite.All | Application |
| Group.ReadWrite.All | Application |

| Role | Scope | Security Principal |
|---|---|---|
| Owner | Subscription | Service Principal ID given in configuration |
My Vault version is 1.13.0
My TF vault provider version is 3.12.0
Any help will be greatly appreciated! Thanks!
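An added pre-flight check (example code, not from the original post, the Vault provider or HashiCorp) for the credentials handed to Vault's azure secrets engine: it sends the same client_credentials request to the token endpoint shown in the error output and refuses to send a GUID as the secret, since AADSTS7000215 usually means the portal's "Secret ID" was pasted where the secret "Value" belongs. The tenant id, app id and secret on the command line are placeholders the operator supplies; the `post` hook exists so the verdict logic can be exercised offline.

```python
import json
import re
import sys
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Azure portal "Secret ID" values are GUIDs; a client secret *value* never is.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def looks_like_secret_id(secret: str) -> bool:
    """True when the string is a GUID, i.e. a secret ID rather than its value."""
    return bool(GUID_RE.match(secret.strip()))


def diagnose(status: int, body: str) -> str:
    """Turn a token-endpoint error body into a one-line verdict."""
    try:
        err = json.loads(body)
    except ValueError:
        return f"HTTP {status}: non-JSON response from token endpoint"
    if 7000215 in err.get("error_codes", []):
        return "client secret rejected: store the secret value, not the secret ID, in Vault"
    return f"HTTP {status}: {err.get('error')} {err.get('error_description', '')[:120]}"


def _http_post(url: str, data: bytes):
    """Real transport, returns (status, body); replaced by a stub in offline tests."""
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode()


def request_token(tenant: str, client_id: str, secret: str, post=_http_post) -> str:
    """Request a Graph token with the grant Vault uses and report the outcome."""
    if looks_like_secret_id(secret):
        return "refusing to send a GUID as client_secret: this is a secret ID, not its value"
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token?api-version=1.0"
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": secret,
                                   "resource": "https://graph.microsoft.com/"}).encode()
    status, body = post(url, form)
    if status == 200 and "access_token" in json.loads(body):
        return "ok: credentials accepted; check Graph permissions and admin consent next"
    return diagnose(status, body)


if __name__ == "__main__":
    tenant_id, app_id, app_secret = sys.argv[1:4]  # placeholders supplied by the operator
    print(request_token(tenant_id, app_id, app_secret))
```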