Open
Is there an existing issue for this?
- I have searched the existing issues
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.
Terraform Version
1.10.3 (OpenTofu)
AzureRM Provider Version
4.49.0
Affected Resource(s)/Data Source(s)
datasource azurerm_key_vault_secret
Terraform Configuration Files
data "azurerm_key_vault" "my_keyvault" {
  name                = "my-key-vault"
  resource_group_name = "my-rg"
}

# Affected resource
data "azurerm_key_vault_secret" "my_secret" {
  name         = "my-secret"
  key_vault_id = data.azurerm_key_vault.my_keyvault.id
}
Debug Output/Panic Output
[01K80WFZTND69KSVQN2GRBVN8Q] Planning changes with 0 custom hooks...
data.azurerm_client_config.current: Reading...
data.azurerm_key_vault.my_keyvault: Reading...
data.azurerm_client_config.current: Read complete after 0s [id=]
data.azurerm_key_vault.my_keyvault: Read complete after 0s [id=/subscriptions/<sub-id>/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-key-vault]
data.azurerm_key_vault_secret.my_secret: Reading...
data.azurerm_key_vault_secret.my_secret: Reading...
data.azurerm_key_vault_secret.my_other_secret: Reading...
data.azurerm_key_vault_secret.my_other_secret_2: Reading...
data.azurerm_key_vault_secret.my_other_secret_2: Read complete after 1s [id=https://my-key-vault.vault.azure.net/secrets/my-secret/bf877d37a0dc45b9a98f43ddfe791c3a]
data.azurerm_key_vault_secret.my_other_secret: Read complete after 1s [id=https://my-key-vault.vault.azure.net/secrets/my-other-secret/e772e778ffbf43ed9866b61ece4feccf]
data.azurerm_key_vault_secret.my_secret: Read complete after 1s [id=https://my-key-vault.vault.azure.net/secrets/my-other-secret-2/5e35e21cd8f54d1e9cb9ff776c50cc1e]
Planning failed. OpenTofu encountered an error while generating this plan.
╷
│ Error: making Read request on Azure KeyVault Secret my-secret: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="Unauthorized" Message="AKV10046: Unable to resolve the key used for signature validation. EncodedJwtHeader: '<JWT HEADER>'."
│
│ with data.azurerm_key_vault_secret.my_secret,
│ on data.tf line 14, in data "azurerm_key_vault_secret" "my_secret":
│ 14: data "azurerm_key_vault_secret" "my_secret" {
│
Expected Behaviour
Expected behaviour is for the secret read to complete successfully.
This happens intermittently. Upon retrying the terraform plan & terraform apply, the run completes successfully and the secret is read successfully.
Actual Behaviour
│ Error: making Read request on Azure KeyVault Secret my-secret: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="Unauthorized" Message="AKV10046: Unable to resolve the key used for signature validation. EncodedJwtHeader: '<JWT HEADER>'."
│
│ with data.azurerm_key_vault_secret.my_secret,
│ on data.tf line 14, in data "azurerm_key_vault_secret" "my_secret":
│ 14: data "azurerm_key_vault_secret" "my_secret" {
│
Steps to Reproduce
- Use the datasource azurerm_key_vault_secret with AzureRM provider 4.49.0.
- Reference a secret that already exists in the keyvault.
- Run terraform plan && terraform apply.
- Intermittent failures of reading the secret.
Important Factoids
Running in Azure Public Cloud. The Service Principal has Key Vault Administrator on the Keyvault via RBAC. As mentioned this intermittently works.
References
No response
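The AKV10046 message quoted above carries the bearer token's JOSE header (base64url, redacted here as '<JWT HEADER>'). When triaging an intermittent 401 like this one, the first useful fact is which signing key (kid / x5t) and algorithm the rejected token named, so it can be compared against the keys the tenant currently publishes. The helper below is an added example written for this page, not code from the issue author or from the AzureRM provider; it assumes the error text keeps the exact format shown in the issue, and the header and error line it parses are constructed sample data.

```python
import base64
import json
import re
from typing import Optional

# Matches the AKV10046 error text in the format shown in the issue; the captured
# group is the base64url-encoded JOSE header of the token Key Vault rejected.
_AKV10046_RE = re.compile(r"AKV10046: .*?EncodedJwtHeader: '([^']+)'")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment that may lack '=' padding, as JWT parts do."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def decode_jwt_header(encoded_header: str) -> dict:
    """Return the JOSE header of a JWT as a dict; raise ValueError if it is not one.

    A redacted placeholder such as '<JWT HEADER>' is not valid base64url and
    therefore surfaces as ValueError rather than as an empty result.
    """
    try:
        header = json.loads(b64url_decode(encoded_header))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise ValueError(f"not a base64url-encoded JSON header: {exc}") from exc
    if not isinstance(header, dict):
        raise ValueError("JWT header is not a JSON object")
    return header


def summarize_akv10046(error_text: str) -> Optional[dict]:
    """Extract the key-identifying header fields from an AKV10046 error line.

    Returns None when the text is not an AKV10046 error at all, so callers can
    tell "different failure" apart from "AKV10046 with an unparseable header".
    """
    match = _AKV10046_RE.search(error_text)
    if not match:
        return None
    header = decode_jwt_header(match.group(1))
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "x5t": header.get("x5t"),
        "typ": header.get("typ"),
    }


# Constructed sample data: a JOSE header of the shape an Entra ID access token
# carries (kid and x5t values are made up), and an error line in the issue's
# format with the redacted '<JWT HEADER>' replaced by that encoded header.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "x5t": "constructed-x5t", "kid": "constructed-kid"}
SAMPLE_ENCODED = (
    base64.urlsafe_b64encode(json.dumps(SAMPLE_HEADER, separators=(",", ":")).encode())
    .decode()
    .rstrip("=")
)
SAMPLE_ERROR = (
    "Error: making Read request on Azure KeyVault Secret my-secret: "
    "keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=401 -- "
    'Original Error: autorest/azure: Service returned an error. Status=401 Code="Unauthorized" '
    'Message="AKV10046: Unable to resolve the key used for signature validation. '
    f"EncodedJwtHeader: '{SAMPLE_ENCODED}'.\""
)

if __name__ == "__main__":
    # Expected: {'alg': 'RS256', 'kid': 'constructed-kid', 'x5t': 'constructed-x5t', 'typ': 'JWT'}
    print(summarize_akv10046(SAMPLE_ERROR))
```

Feed the real (unredacted) error line from the provider's debug output to summarize_akv10046 and note the kid; if it is absent from the tenant's currently published signing keys, the 401 is a key-resolution problem on the token rather than a missing RBAC assignment, which is consistent with the retry succeeding.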