Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Encrypt file using sops using a key store in Azure Vault

See original GitHub issue

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name az account get-access-token

Errors:

Get Token request returned http error: 400 and server response: {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://vault.azure.net was not found in the tenant named [TENTANT_ID]. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Traceback (most recent call last):
...

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

az cloud set -n AzureChinaCloud - this doesn’t seem to make a difference but is suppose to change the CLI to know its using China Cloud
Have a key vault created and a key inside with encrypt and decrypt permission
sops --encrypt --azure-kv https://[VAULT_NAME].vault.azure.cn/keys/[KEY_NAME] secrets.yaml

Expected Behavior

Instead of authorization using https://vault.azure.net it uses *.azure.cn so that it can find the correct tenant

Environment Summary

Linux-3.10.0-1062.4.3.el7.x86_64-x86_64-with-centos-7.9.2009-Core
Python 3.6.8
Installer: RPM

azure-cli 2.18.0

Additional Context

Issue Analytics

State:
Created 3 years ago
Comments:7 (2 by maintainers)

Top GitHub Comments

2reactions

romeomorcia-wiprocommented, Mar 17, 2021

@yonzhan @houk-ms @jiasli any news regarding the fix? I’m trying to find a workaround but couldn’t find any.

EDIT:

@Shaun-Harrison found a workaround in sops code 😃

https://github.com/mozilla/sops/blob/38b25bd449619e1d6da20e637702f7c73203aa44/azkv/keysource.go#L54-L81

As you might see here, sops is taking configs from environment variables, this means that by setting the environment variable to the proper value it will make everything works just fine.

Obviously, it would be nice to have this information in the error message!

before running the sops command you must run: export AZURE_ENVIRONMENT="azurechinacloud"

Hope this works for you too 👍

0reactions

jiaslicommented, Mar 18, 2021

@romeomorcia-wipro, Thank you for the SOPS solution.