Problem
When using the Vault-Azure credentials integration with Terraform, you may encounter an intermittent error when authenticating. This issue can occur when using the azurerm provider or the vault_azure_access_credentials data source.
The following error message appears during the Terraform run:
Error: Error building account: Error getting authenticated object ID: Error listing Service Principals: autorest.DetailedError{Original:adal.tokenRefreshError{message:"adal: Refresh request failed. Status Code = '400'. Response body: {\"error\":\"unauthorized_client\",\"error_description\":\"AADSTS700016: Application with identifier '<APPLICATION_IDENTIFIER>' was not found in the directory '<DIRECTORY_NAME>'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\",\"error_codes\":[700016]}"}, PackageType:"azure.BearerAuthorizer", Method:"WithAuthorization", StatusCode:400, Message:"Failed to refresh the Token for request to https://graph.windows.net/...", ServiceError:[]uint8(nil)}
with provider["registry.terraform.io/hashicorp/azurerm"],
on <configuration-file>.tf line x, in provider "azurerm":
x: provider "azurerm" {
Cause
This error is caused by a known bug in versions of the hashicorp/vault provider prior to v3.4.1. You can find more details about the bug in the related GitHub Issue #881.
Solution
To resolve this issue, you must upgrade the hashicorp/vault provider to version v3.4.1 or later. The fix was introduced in Pull Request #1381.
Update the provider version in your Terraform configuration.
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 3.4.1"
    }
  }
}
After upgrading the provider, you may need to adjust your configuration. As noted in the vault_azure_access_credentials documentation caveats, the validate_creds option requires read access to the backend configuration endpoint. If the Vault role does not have the required permissions, you must explicitly set values for subscription_id, tenant_id, and environment.
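The following is an added example, not configuration from the original article, showing how the upgraded data source and the azurerm provider fit together. The Vault address, the secrets mount path "azure", the role name "terraform-reader", and the subscription and tenant ID variables are assumed values; the validation tuning numbers are choices for this example, not values the article specifies.

```hcl
# Added example (not part of the original article). Requests short-lived Azure
# service principal credentials from Vault and passes them to the azurerm
# provider. Mount path, role name, Vault address and IDs are assumptions.

terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 3.4.1" # first release carrying the fix from PR #1381
    }
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "vault" {
  address = "https://vault.example.com:8200" # assumed address
}

variable "azure_subscription_id" {
  type = string
}

variable "azure_tenant_id" {
  type = string
}

data "vault_azure_access_credentials" "tf" {
  backend = "azure"            # assumed mount path of the Azure secrets engine
  role    = "terraform-reader" # assumed Vault role

  # Have the provider confirm the newly created service principal is usable
  # before handing it to azurerm. Azure AD replication lag is what produces
  # AADSTS700016 when a credential is used the instant it is minted.
  validate_creds              = true
  num_sequential_successes    = 8   # consecutive successful test logins required
  num_seconds_between_tests   = 1
  max_cred_validation_seconds = 300 # give up (and fail the plan) after 5 minutes

  # validate_creds needs a subscription, tenant and cloud environment to build
  # its test client. Without these set, the provider reads them from the
  # mount's configuration endpoint (azure/config), which requires the Vault
  # token to hold read on that path. Setting them explicitly lets a
  # least-privilege policy that only grants "azure/creds/terraform-reader"
  # keep working.
  subscription_id = var.azure_subscription_id
  tenant_id       = var.azure_tenant_id
  environment     = "AzurePublicCloud"
}

provider "azurerm" {
  features {}

  subscription_id = var.azure_subscription_id
  tenant_id       = var.azure_tenant_id
  client_id       = data.vault_azure_access_credentials.tf.client_id
  client_secret   = data.vault_azure_access_credentials.tf.client_secret
}
```

Run `terraform init -upgrade` after changing the version constraint; a plain `terraform init` keeps whatever provider version is already recorded in the dependency lock file, so the fix would not be picked up.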