Vault-Azure Credentials integration Bug & Solution [Error building account: Error getting authenticated object ID: Error listing Service Principals: autorest.DetailedError]

│ Error: Error building account: Error getting authenticated object ID: Error listing Service Principals: autorest.DetailedError{Original:adal.tokenRefreshError{message:"adal: Refresh request failed. Status Code = '400'. Response body: {\"error\":\"unauthorized_client\",\"error_description\":\"AADSTS700016: Application with identifier 'abc1234' was not found in the directory 'efg576'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\\r\\nTrace ID: jrwfkhwr48\\r\\nCorrelation ID: 83ijwb3493434i\\r\\nTimestamp: 2021-07-20 12:33:12Z\",\"error_codes\":[700016],\"timestamp\":\"2021-07-20 16:33:12Z\",\"trace_id\":\"848484hfhwkjw\",\"correlation_id\":\"sjkvsflkjfdkjfs\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700016\"} Endpoint https://login.microsoftonline.com/smdbcsdjhmsdfkhsf/oauth2/token?api-version=1.0", resp:(*http.Response)(0xc001941950)}, PackageType:"azure.BearerAuthorizer", Method:"WithAuthorization", StatusCode:400, Message:"Failed to refresh the Token for request to https://graph.windows.net/msdsfmfbsh/servicePrincipals?%24filter=appId+eq+%0599593547%27&api-version=1.6", ServiceError:[]uint8(nil), Response:(*http.Response)(0xc001941950)}
│
│ with provider["registry.terraform.io/hashicorp/azurerm"],
│ on <your-tf-config-file>.tf line x, in provider "azurerm":
│ x: provider "azurerm" {
│ 

You can also see the error above sometimes when using the "vault_azure_access_credentials" data source with AzureRM [a].

Cause

This is due to a Vault provider bug described here [b].

HashiCorp Internal Bug ID: 1200394246616755

Solution

The bug was fixed in v3.4.1 of the hashicorp/vault provider here [c]. Please update your provider (an any dependent resources) to that version or later to take advantage of the fix. Please note that as a result of this fix, you'll need to make the following changes to your config (if it hasn't been done already):

The validate_creds option requires read-access to the backend config endpoint. If the effective Vault role does not have the 
required permissions then valid values are required to be set for: subscription_id, tenant_id, environment.

The link to this caveat can be found in our docs here [d].