joshduffney

Reputation: 459

Ansible Lookup with azure_keyvault_secret Invalid Credentials

I'm attempting to retrieve a secret stored in Azure Key Vault with Ansible. I found and installed azure.azure_preview_modules using ansible-galaxy. I've also updated the ansible.cfg to point to the lookup_plugins directory from the role. When running the following playbook I get the error:


- hosts: localhost
  connection: local
  roles:
    - { role: azure.azure_preview_modules }
  tasks:
    - name: Look up secret when ansible host is general VM
      vars:
        url: 'https://myVault.vault.azure.net/'
        secretname: 'SecretPassword'
        client_id: 'ServicePrincipalIDHere'
        secret: 'ServicePrinipcalPassHere'
        tenant: 'TenantIDHere'
      debug: msg="the value of this secret is {{lookup('azure_keyvault_secret',secretname,vault_url=url, cliend_id=client_id, secret=secret, tenant_id=tenant)}}"


fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'azure_keyvault_secret'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Invalid credentials provided."}

Using the same information I can connect to Azure using Az PowerShell and the Azure CLI and retrieve the Azure Key Vault secrets at the command line. However, those same credentials do not work within this task for the playbook using the lookup plug-in.

Upvotes: 0

Views: 2802

Answers (2)

joshduffney

Reputation: 459

After much toil I figured out the issue! The argument client_id is misspelled in the example (cliend_id=client_id) and I didn't catch it, which resulted in the error.

https://github.com/Azure/azure_preview_modules/blob/master/lookup_plugins/azure_keyvault_secret.py#L49

Corrected example below.

- name: Look up secret when ansible host is general VM
  vars:
    url: 'https://valueName.vault.azure.net'
    secretname: 'secretName/version'
    client_id: 'ServicePrincipalID'
    secret: 'P@ssw0rd'
    tenant: 'tenantID'
  debug: msg="the value of this secret is {{lookup('azure_keyvault_secret',secretname,vault_url=url, client_id=client_id, secret=secret, tenant_id=tenant)}}"

Upvotes: 0

4c74356b41

Reputation: 72171

I had a similar error when using the Python SDK (which Ansible is built on top of). Try changing the url to this:

url: 'https://myVault.vault.azure.net' # so remove the trailing slash

The error text is 101% misleading.

Upvotes: 2
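Both answers come down to input that the lookup silently accepted and then reported as "Invalid credentials": a misspelled keyword argument (cliend_id) that left client_id unset, and a vault_url with a trailing slash. The following is an added example, written for this page and not code from the azure_preview_modules plugin or from either answerer, showing how a lookup wrapper can catch both before any network call. The accepted keyword names (vault_url, client_id, secret, tenant_id) are taken from the playbooks on this page; the "name/version" term format from the corrected example; everything else, including naive_join as an illustration of what a trailing slash does to a concatenated URL, is an assumption of this example, not a description of what the SDK does internally.

```python
"""Strict front-end for an Azure Key Vault secret lookup call.

Added example, not the plugin's code. It validates keyword names (suggesting
the closest known one for typos such as 'cliend_id'), requires a complete
service principal triple, and normalises vault_url so a trailing slash cannot
leak into the request path.
"""
import difflib
from urllib.parse import urlsplit, urlunsplit

# Keyword names used by the playbooks on this page (assumed to be the full
# set for this example; the plugin source is the authority).
KNOWN_KWARGS = {"vault_url", "client_id", "secret", "tenant_id"}
SP_KWARGS = {"client_id", "secret", "tenant_id"}


def naive_join(vault_url, term):
    """Illustration only: joining without normalising. A trailing slash on
    vault_url yields '//secrets/...', which is not the URL you meant."""
    return vault_url + "/secrets/" + term


def normalize_vault_url(url):
    """Return the vault base URL with https enforced and trailing slash removed."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("vault_url must be an https URL with a host: %r" % url)
    return urlunsplit(("https", parts.netloc, parts.path.rstrip("/"), "", ""))


def check_kwargs(kwargs):
    """Reject unknown keyword names and half-supplied credentials.

    Returns the auth mode the caller has fully supplied ('service_principal'
    or 'none'); raises ValueError with a concrete hint otherwise.
    """
    unknown = sorted(set(kwargs) - KNOWN_KWARGS)
    if unknown:
        hints = []
        for name in unknown:
            close = difflib.get_close_matches(name, sorted(KNOWN_KWARGS), n=1)
            hints.append("%s (did you mean %s?)" % (name, close[0]) if close else name)
        raise ValueError("unknown lookup argument(s): " + ", ".join(hints))
    if not kwargs.get("vault_url"):
        raise ValueError("vault_url is required")
    supplied = {k for k in SP_KWARGS if kwargs.get(k)}
    if not supplied:
        return "none"  # nothing for a service principal; another credential source would be needed
    if supplied != SP_KWARGS:
        raise ValueError("service principal auth needs %s; missing %s"
                         % (sorted(SP_KWARGS), sorted(SP_KWARGS - supplied)))
    return "service_principal"


def secret_url(vault_url, term):
    """Build the secret path for a term of the form 'name' or 'name/version'."""
    name, _, version = term.partition("/")
    if not name:
        raise ValueError("empty secret name in %r" % term)
    url = normalize_vault_url(vault_url) + "/secrets/" + name
    return url + "/" + version if version else url


def resolve_lookup(term, **kwargs):
    """What a strict lookup would settle before touching the network."""
    mode = check_kwargs(kwargs)
    return {"auth": mode, "url": secret_url(kwargs["vault_url"], term)}


if __name__ == "__main__":
    # The call from the question, typo included (constructed placeholder values).
    try:
        resolve_lookup("SecretPassword", vault_url="https://myVault.vault.azure.net/",
                       cliend_id="ServicePrincipalIDHere", secret="x", tenant_id="t")
    except ValueError as err:
        print("rejected:", err)
    # The corrected call, with the trailing slash tolerated.
    print(resolve_lookup("secretName/version", vault_url="https://myVault.vault.azure.net/",
                         client_id="id", secret="pw", tenant_id="t"))
```

Whether this kind of strictness belongs in the plugin itself or in a wrapper task is a design choice; the point is that a misspelled kwarg and a partially supplied credential set should fail with a message naming the argument, not with a generic authentication error.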
