azurerm_key_vault_secret datasource - Getting intermittent 401 errors #30912

@ravindra-bhadti-cko

Is there an existing issue for this?

  • I have searched the existing issues

Terraform Version

1.10.3 (OpenTofu)

AzureRM Provider Version

4.49.0

Affected Resource(s)/Data Source(s)

datasource azurerm_key_vault_secret

Terraform Configuration Files

data "azurerm_key_vault" "my_keyvault" {
  name                = "my-key-vault"
  resource_group_name = "my-rg"
}

# Affected resource
data "azurerm_key_vault_secret" "my_secret" {
  name         = "my-secret"
  key_vault_id = data.azurerm_key_vault.my_keyvault.id
}

Debug Output/Panic Output

[01K80WFZTND69KSVQN2GRBVN8Q] Planning changes with 0 custom hooks...
data.azurerm_client_config.current: Reading...
data.azurerm_key_vault.my_keyvault: Reading...
data.azurerm_client_config.current: Read complete after 0s [id=]
data.azurerm_key_vault.my_keyvault: Read complete after 0s [id=/subscriptions/<sub-id>/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-key-vault]
data.azurerm_key_vault_secret.my_secret: Reading...
data.azurerm_key_vault_secret.my_secret: Reading...
data.azurerm_key_vault_secret.my_other_secret: Reading...
data.azurerm_key_vault_secret.my_other_secret_2: Reading...
data.azurerm_key_vault_secret.my_other_secret_2: Read complete after 1s [id=https://my-key-vault.vault.azure.net/secrets/my-secret/bf877d37a0dc45b9a98f43ddfe791c3a]
data.azurerm_key_vault_secret.my_other_secret: Read complete after 1s [id=https://my-key-vault.vault.azure.net/secrets/my-other-secret/e772e778ffbf43ed9866b61ece4feccf]
data.azurerm_key_vault_secret.my_secret: Read complete after 1s [id=https://my-key-vault.vault.azure.net/secrets/my-other-secret-2/5e35e21cd8f54d1e9cb9ff776c50cc1e]

Planning failed. OpenTofu encountered an error while generating this plan.

╷
│ Error: making Read request on Azure KeyVault Secret my-secret: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="Unauthorized" Message="AKV10046: Unable to resolve the key used for signature validation. EncodedJwtHeader: '<JWT HEADER>'."
│ 
│   with data.azurerm_key_vault_secret.my_secret,
│   on data.tf line 14, in data "azurerm_key_vault_secret" "my_secret":
│   14: data "azurerm_key_vault_secret" "my_secret" {
│

Expected Behaviour

Expected behaviour is for the secret read to complete successfully.

This happens intermittently. Upon retrying the terraform plan & terraform apply, the run completes successfully and the secret is read successfully.

Actual Behaviour

│ Error: making Read request on Azure KeyVault Secret my-secret: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="Unauthorized" Message="AKV10046: Unable to resolve the key used for signature validation. EncodedJwtHeader: '<JWT HEADER>'."
│ 
│   with data.azurerm_key_vault_secret.my_secret,
│   on data.tf line 14, in data "azurerm_key_vault_secret" "my_secret":
│   14: data "azurerm_key_vault_secret" "my_secret" {
│ 

Steps to Reproduce

  1. Use the datasource azurerm_key_vault_secret with AzureRM provider 4.49.0.
  2. Reference a secret that already exists in the keyvault.
  3. Run terraform plan && terraform apply.
  4. Intermittent failures of reading the secret

Important Factoids

Running in Azure Public Cloud. The Service Principal has Key Vault Administrator on the Keyvault via RBAC. As mentioned, this intermittently works.

References

No response
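
Added example (not part of the original issue and not the provider's code): decoding the `EncodedJwtHeader` that an AKV10046 message echoes back, to see which signing key (`kid`) the rejected token named, and checking that `kid` against a key set such as the issuer's published JWKS. The function names are hypothetical, and the sample header, `kid` value and key set are constructed.

```python
import base64
import json
import re

# Header as echoed in the AKV10046 message; a redacted placeholder will not match.
_HEADER_RE = re.compile(r"AKV10046:.*?EncodedJwtHeader: '([A-Za-z0-9_-]+)'")


def decode_akv10046_header(error_text):
    """Return the decoded JWT header dict from an AKV10046 error, or None."""
    match = _HEADER_RE.search(error_text)
    if match is None:
        return None
    encoded = match.group(1)
    padded = encoded + "=" * (-len(encoded) % 4)  # base64url omits '=' padding
    try:
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return header if isinstance(header, dict) else None


def triage(error_text, jwks):
    """Classify the error by whether the token's kid is in the given key set."""
    header = decode_akv10046_header(error_text)
    if header is None:
        return "no-header"
    kid = header.get("kid")
    published = {key.get("kid") for key in jwks.get("keys", [])}
    if isinstance(kid, str) and kid in published:
        return "kid-published"
    return "kid-unknown"


def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample data (not taken from the issue).
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid-1"}
SAMPLE_ERROR = ('Status=401 Code="Unauthorized" Message="AKV10046: Unable to '
                "resolve the key used for signature validation. "
                "EncodedJwtHeader: '" + _b64url(SAMPLE_HEADER) + "'.\"")
SAMPLE_JWKS = {"keys": [{"kid": "constructed-kid-1", "kty": "RSA"}]}

if __name__ == "__main__":
    print(decode_akv10046_header(SAMPLE_ERROR), triage(SAMPLE_ERROR, SAMPLE_JWKS))
```

Only the JWT header is decoded here; the header segment carries key metadata, not the token's claims or signature.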
