[BUG] Since 2 days our pipeline can not get secrets from the keyvault because not the defined TenantId is used


Library name and version

Azure.Extensions.AspNetCore.Configuration.Secrets 1.2.2

Describe the bug

For the past 2 days our pipeline has not been able to get secrets from the Key Vault because the defined TenantId is not used. Before that, it worked for one year without problems.

The Azure DevOps pipeline is running with the correct service principal to connect, but the following error occurred:

```
Azure.RequestFailedException: Service request failed. Status: 401 (Unauthorized)

Content: {"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer. Expected one of https://sts.windows.net/cfd26b50-fb8f-44cf-87b2-d5df3d15d884/, https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/, https://sts.windows.net/e2d54eb5-3869-4f70-8578-dee5fc7331f4/, found https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/."}}
```

The service principal used is in the right TenantID:

`##[debug]b270df00-2259-4d37-8fd1-45b09abb963d auth param tenantid = cfd26b50-fb8f-44cf-87b2-d5df3d15d884`

It works locally with my own Azure account.

Expected behavior

The configured DefaultTenantId should be used.

Actual behavior

https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/ TenantId is used in Azure pipeline

Reproduction Steps

```csharp
using System;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

internal static class RealTestConfiguration
{
    private static string DefaultTenantId => "cfd26b50-fb8f-44cf-87b2-d5df3d15d884";

    public static IConfiguration GetDefaultConfiguration()
    {
        // Set the tenant for the shared token cache, Visual Studio,
        // VS Code and interactive browser credentials.
        var azureCredentialOptions = new DefaultAzureCredentialOptions
        {
            SharedTokenCacheTenantId = DefaultTenantId,
            VisualStudioTenantId = DefaultTenantId,
            VisualStudioCodeTenantId = DefaultTenantId,
            InteractiveBrowserTenantId = DefaultTenantId
        };

        // TestConfiguration.DefaultOptions comes from the reporter's test project.
        return new ConfigurationBuilder()
                     .AddInMemoryCollection(TestConfiguration.DefaultOptions)
                     .AddAzureKeyVault(new Uri($"https://xyz.vault.azure.net/"), new DefaultAzureCredential(azureCredentialOptions))
                     .Build();
    }
}
```

Run in pipeline

```yaml
- task: AzureCLI@1
  displayName: iTest
  inputs:
    failOnStandardError: true
    azureSubscription: add subscription here
    scriptLocation: inlineScript
    inlineScript: |
      dotnet test ./test/iTests/iTests.csproj --configuration $(BuildConfiguration)
```

Environment

ubuntu-latest

Could it be that the hosted agent is the source of the issue? I found some updates from two days ago:

https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-Readme.md

https://github.com/actions/virtual-environments/commit/eb3d502914745c631d137166035549b7890ab61c

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 6 (2 by maintainers)
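
The AKV10032 error in the report names the tenants the vault accepts and the tenant that issued the rejected token. As an added example (not part of the original issue or of the Azure SDK), this Python script parses that message and checks a token's `iss`/`tid` claim against the accepted tenants before Key Vault is called. The function names and the unsigned sample token are constructed for illustration, and only `https://sts.windows.net/<tenant>/` issuers, as seen in the error, are assumed.

```python
import base64
import json
import re

ISSUER_RE = re.compile(r"https://sts\.windows\.net/([0-9a-fA-F-]{36})/")

# Error text as quoted in the report above.
SAMPLE_ERROR = (
    "AKV10032: Invalid issuer. Expected one of "
    "https://sts.windows.net/cfd26b50-fb8f-44cf-87b2-d5df3d15d884/, "
    "https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/, "
    "https://sts.windows.net/e2d54eb5-3869-4f70-8578-dee5fc7331f4/, "
    "found https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/."
)

def parse_akv10032(message):
    """Return (expected_tenant_ids, found_tenant_id) from an AKV10032 message."""
    expected_part, sep, found_part = message.partition(", found ")
    found = ISSUER_RE.search(found_part)
    if "AKV10032" not in message or not sep or found is None:
        raise ValueError("not a parseable AKV10032 message")
    return [t.lower() for t in ISSUER_RE.findall(expected_part)], found.group(1).lower()

def token_tenant(jwt):
    """Read the issuing tenant from a JWT payload. No signature check: diagnostics only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    issuer = ISSUER_RE.search(str(claims.get("iss", "")))
    return (issuer.group(1) if issuer else str(claims.get("tid", ""))).lower()

def check_token(jwt, allowed_tenants):
    """Return None when the token's tenant is allowed, else a message for the build log."""
    tenant = token_tenant(jwt)
    if tenant in {t.lower() for t in allowed_tenants}:
        return None
    return f"token issued by tenant {tenant or 'unknown'}, vault accepts {sorted(allowed_tenants)}"

def make_sample_token(tenant_id):
    """Build an unsigned, constructed JWT carrying only iss/tid, for the demo."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"iss": f"https://sts.windows.net/{tenant_id}/", "tid": tenant_id}
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"

if __name__ == "__main__":
    expected, found = parse_akv10032(SAMPLE_ERROR)
    print(check_token(make_sample_token(found), expected))        # mismatch message
    print(check_token(make_sample_token(expected[0]), expected))  # None
```

In a pipeline step the token passed to `check_token` would be the one the agent actually obtains for the vault, so a tenant mismatch shows up in the build log before the 401.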

Top GitHub Comments

1 reaction
MarcoK80 commented, Jul 15, 2022

@mknic @jsquire The issue is now tracked here. This case here can be closed.

https://github.com/actions/virtual-environments/issues/5908

0 reactions
MarcoK80 commented, Jul 15, 2022

The issue is now tracked here. This case here can be closed.

https://github.com/actions/virtual-environments/issues/5908
