microsoft / azure-container-apps

Roadmap and issues for Azure Container Apps
MIT License

"Unable to get value" error when reading empty secret value from KeyVault #1291

Open stuartleeks opened 1 month ago

stuartleeks commented 1 month ago

Issue description

An empty secret value in KeyVault prevents a container app deploying.

Steps to reproduce

  1. Deploy KeyVault
  2. Add a secret with an empty string as the value
  3. Deploy a container app that references the secret using managed identity

Expected behavior

The expected behavior is for the Container App to deploy successfully and receive an empty value for the secret.

Actual behavior

The actual behavior is that the Container App fails to deploy with the following error:

ERROR: {
    "status": "Failed",
    "error": {
        "code": "DeploymentFailed",
        "target": "/subscriptions/xx-xx-xxxx/resourceGroups/aoaisim/providers/Microsoft.Resources/deployments/deployment-XXXX-REGIONXXX",
        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
        "details": [
            {
                "code": "ResourceDeploymentFailure",
                "target": "/subscriptions/xx-xx-xxxx/resourceGroups/aoaisim/providers/Microsoft.App/containerApps/aoai-api-simulator",
                "message": "The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.",
                "details": [
                    {
                        "code": "ContainerAppOperationError",
                        "message": "Failed to provision revision for container app 'aoai-api-simulator'. Error details: The following field(s) are either invalid or missing. Field 'configuration.secrets' is invalid with details: 'Invalid value: \"azure-openai-key\": Unable to get value using Managed identity /subscriptions/xx-xx-xxxx/resourceGroups/aoaisim/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aoaisim-XXXX-identity for secret azure-openai-key. Error: unable to fetch secret 'azure-openai-key' using Managed identity '/subscriptions/xx-xx-xxxx/resourceGroups/aoaisim/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aoaisim-XXXX-identity'';.."
                    }
                ]
            }
        ]
    }
}

Additional context

This occurred deploying from Bicep as per https://github.com/microsoft/aoai-api-simulator/issues/28
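The error above buries the failing secret three levels deep in nested "details" arrays. The following is an added example, not part of the original post or the project's code: it walks an error of that shape down to its leaf entries and lists which secret and managed identity each one names. Because the thread reports that an empty secret value produces this same "unable to fetch" text, every secret it lists is worth checking for an empty value as well as for access. The sample input, the placeholder IDs and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample shaped like the error quoted in the issue; IDs are placeholders.
IDENTITY = ("/subscriptions/xx/resourceGroups/rg/providers/"
            "Microsoft.ManagedIdentity/userAssignedIdentities/example-identity")
LEAF_MESSAGE = (
    "Failed to provision revision for container app 'example-app'. Field "
    "'configuration.secrets' is invalid with details: 'Invalid value: "
    f"\"azure-openai-key\": Unable to get value using Managed identity {IDENTITY} "
    "for secret azure-openai-key. Error: unable to fetch secret "
    f"'azure-openai-key' using Managed identity '{IDENTITY}'';.."
)
SAMPLE_ERROR = "ERROR: " + json.dumps({
    "status": "Failed",
    "error": {"code": "DeploymentFailed", "message": "outer", "details": [
        {"code": "ResourceDeploymentFailure", "message": "middle", "details": [
            {"code": "ContainerAppOperationError", "message": LEAF_MESSAGE}]}]},
})

SECRET_RE = re.compile(
    r"unable to fetch secret '([^']+)' using Managed identity '([^']+)'")


def leaf_errors(error):
    """Yield the innermost entries of a nested 'details' error tree."""
    details = error.get("details") or []
    if not details:
        yield error
        return
    for child in details:
        yield from leaf_errors(child)


def failed_secret_refs(raw):
    """Return code, secret name and identity for each secret fetch failure."""
    doc = json.loads(raw[raw.index("{"):])  # drop the CLI's "ERROR: " prefix
    found = []
    for leaf in leaf_errors(doc["error"]):
        for secret, identity in SECRET_RE.findall(leaf.get("message", "")):
            found.append({"code": leaf.get("code"),
                          "secret": secret, "identity": identity})
    return found


if __name__ == "__main__":
    for ref in failed_secret_refs(SAMPLE_ERROR):
        print(ref)
```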

simonjj commented 1 month ago

@stuartleeks thanks for reaching out and sharing this with us. Just to clarify, you tried this same deploy with a value as well? Just checking before I mark this as a bug and add it to the backlog.

stuartleeks commented 1 month ago

@simonjj yes, I can confirm that the deployment succeeds if the secret has a non-empty value.

simonjj commented 1 month ago

Thank you for confirming, we've added this to the backlog to get fixed soon.