
"Identity not found" error with managed identity in GitHub Action #27927

Open
1 task done
ajaskiewiczpl opened this issue Nov 6, 2024 · 4 comments

Comments

@ajaskiewiczpl


Terraform Version

1.9.8

AzureRM Provider Version

3.114.0

Affected Resource(s)/Data Source(s)

provider "azurerm"

Terraform Configuration Files

GitHub Action Job:

```yaml
      # Terraform step as posted in the issue; it tries to authenticate the
      # azurerm backend with a managed identity (ARM_USE_MSI).
      - name: Terraform
        shell: pwsh
        working-directory: ./terraform
        run: |
            terraform --version
            terraform init -backend-config="key=${{secrets.TERRAFORM_STORAGE_KEY}}" -input=false
        env:
          ARM_USE_MSI: true
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
```

Terraform config:

```hcl
terraform {
  # Remote state in Azure Blob Storage; the "key" is supplied via -backend-config.
  backend "azurerm" {
    resource_group_name  = "my-resource-group"
    storage_account_name = "mystorage"
    container_name       = "tfstateapi"
  }

  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy    = true
      recover_soft_deleted_key_vaults = true
    }
  }
}
```


Debug Output/Panic Output

```shell
Run terraform --version
  terraform --version
  terraform init -backend-config="key=***" -input=false
  shell: /usr/bin/pwsh -command ". '{0}'"
  env:
    TERRAFORM_CLI_PATH: /home/runner/work/_temp/d8221f80-c6cb-4769-a9d0-df14aeba9d7c
    ARM_USE_MSI: true
    ARM_TENANT_ID: ***
    ARM_SUBSCRIPTION_ID: ***
    ARM_CLIENT_ID: ***
  
Terraform v1.9.8
on linux_amd64
+ provider registry.terraform.io/hashicorp/azurerm v3.114.0
+ provider registry.terraform.io/hashicorp/random v3.6.2
Initializing the backend...
╷
│ Error: Failed to get existing workspaces: Error retrieving keys for Storage Account "mystorage": azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/***/resourceGroups/my-resource-group/providers/Microsoft.Storage/storageAccounts/mystorage/listKeys?api-version=2021-01-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=***&resource=https%3A%2F%2Fmanagement.azure.com%2F
│ 
│ 
╵
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.
```

Expected Behaviour

No response

Actual Behaviour

No response

Steps to Reproduce

No response

Important Factoids

No response

References

This was supposed to be fixed in v3.84.0 according to #24172

@github-actions github-actions bot added the v/3.x label Nov 6, 2024
@magodo
Collaborator

magodo commented Nov 7, 2024

The error is from the backend part. A GitHub Action doesn't come with a managed identity by default, so I am just wondering if you have configured one for it?

Instead of using MI, we recommend using OIDC to run Terraform under GitHub Actions: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc

@ajaskiewiczpl
Author

Yes, I have configured a managed identity. In that GitHub Action, right before the Terraform step, I have an Azure Login step and it works perfectly fine:

```yaml
      # Login step as posted in the issue: no client secret is given, only the
      # client/tenant/subscription IDs.
      - name: Azure Login
        uses: azure/login@v2
        with:
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
```

After reading this comment #24172 (comment), my understanding is that the Terraform provider uses the wrong URL. This is exactly the same case as mine. But anyway, I will try to use OIDC instead.

@ajaskiewiczpl
Author

OIDC wasn't straightforward either. The documentation lacks information about the required environment variable ARM_USE_OIDC: true, which I would never have guessed by myself as I followed the docs. I found the solution in other issues: #27490 and #22034 (comment)
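The two points raised in this thread (switch from MSI to OIDC, and set ARM_USE_OIDC explicitly) combined into one job. This is an added example, not a workflow from the issue or from the provider's documentation. It assumes the three AZURE_* secrets identify an app registration (or user-assigned identity) that has a federated credential for this repository, and that that identity has a role on the state storage account; workflow name, branch and Terraform version are placeholders.

```yaml
# Added example: run the azurerm backend and provider with OIDC federated
# credentials instead of ARM_USE_MSI. Hosted runners have no managed identity,
# which is what the IMDS "Identity not found" response reports.
name: terraform

on:
  push:
    branches: [main]

# Without id-token: write the runner never exposes
# ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN, and the
# provider has nothing to exchange for an Azure access token.
permissions:
  id-token: write
  contents: read

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.9.8

      - name: Terraform
        shell: pwsh
        working-directory: ./terraform
        run: |
          terraform --version
          # use_azuread_auth=true makes the backend talk to Blob Storage with
          # the Entra ID token directly instead of calling listKeys on the
          # storage account (the call that failed in the log above). The
          # identity then needs "Storage Blob Data Contributor" on the container.
          terraform init `
            -backend-config="key=${{ secrets.TERRAFORM_STORAGE_KEY }}" `
            -backend-config="use_azuread_auth=true" `
            -input=false
          terraform plan -input=false
        env:
          ARM_USE_OIDC: "true"   # the switch the docs do not call out; read by provider and backend
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
```

No azure/login step is needed for Terraform itself with this setup; add it back only if later steps call the az CLI. The federated credential on the identity must match the subject GitHub puts in the token (for the job above, `repo:<org>/<repo>:ref:refs/heads/main`); a mismatch fails at token exchange rather than at the backend, which is easy to tell apart from the IMDS error in this issue.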

@magodo
Collaborator

magodo commented Nov 7, 2024

Yes, the endpoint used by the backend is deprecated. The auth-related code in the azurerm backend (i.e. in Terraform core) is quite outdated. The work to upgrade it to match the provider is tracked at hashicorp/terraform#34322. There was an attempt from the team here, but it is closed.

2 participants