
Azure Government azure_rm_keyvaultsecret_info not able to fetch secrets #331

Closed
opfpqgoon opened this issue Nov 20, 2020 · 3 comments · Fixed by #854
Labels: medium_priority (Medium priority), not a bug (Not a bug), work in (In trying to solve, or in working with contributors)

Comments

@opfpqgoon
Contributor

SUMMARY

When trying to use azure_rm_keyvaultsecret_info in an Azure Government subscription no secrets are returned.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

azure_rm_keyvaultsecret_info

ANSIBLE VERSION
ansible 2.10.3
  config file = None
  configured module search path = ['/Users/REDACTED/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/REDACTED/.pyenv/versions/3.9.0/envs/testenv/lib/python3.9/site-packages/ansible
  executable location = /Users/REDACTED/.pyenv/versions/testenv/bin/ansible
  python version = 3.9.0 (default, Nov 20 2020, 02:31:33) [Clang 12.0.0 (clang-1200.0.32.27)]
CONFIGURATION

Default

OS / ENVIRONMENT

macOS Catalina

STEPS TO REPRODUCE

Attempt to use azure_rm_keyvaultsecret_info in a playbook with credentials for an Azure Government subscription in ~/.azure/credentials:

tasks:
  - name: Get keyvault secret
    azure_rm_keyvaultsecret_info:
      vault_uri: "https://sometestvault.vault.usgovcloudapi.net"
      name: "somesecret"
    register: secretVar

  - name: Output secret
    debug:
      var: secretVar
EXPECTED RESULTS
ok: [localhost] => {
    "secretVar": {
        "changed": false,
        "failed": false,
        "secrets": [
              {
                     "attributes": {......},
                     "secret": "secretvalue",
                      .......
              }
        ]
    }
}
ACTUAL RESULTS
ok: [localhost] => {
    "secretVar": {
        "changed": false,
        "failed": false,
        "secrets": []
    }
}

I'm positive this is because the resource is hard-coded to "https://vault.azure.net" in azure_rm_keyvaultsecret_info.py:297, and the cloud environment defaults to AzureCloud in azure_rm_keyvaultsecret_info.py:296.

I've tested hard-coding the following and can successfully fetch secrets from an AzureUSGovernment key vault:

authcredential = ServicePrincipalCredentials(
                client_id=self.credentials['client_id'],
                secret=self.credentials['secret'],
                tenant=tenant,
                cloud_environment=azure_cloud.AZURE_US_GOV_CLOUD,
                resource="https://vault.usgovcloudapi.net")

I'd be happy to provide more info/test any modifications.

FYI, it looks like a lot of the collection's modules have this same issue. I can confirm that azure_rm_keyvaultkey_info is also hard-coded to AzureCloud.

@opfpqgoon
Contributor Author

opfpqgoon commented Dec 4, 2020

This can be fixed (without hard-coding the environment) relatively trivially. The assignment of authcredential should be performed as follows:

# existing assignment (resource hard-coded to the public cloud)
authcredential = ServicePrincipalCredentials(
                client_id=self.credentials['client_id'],
                secret=self.credentials['secret'],
                tenant=tenant,
                cloud_environment=self._cloud_environment,
                resource="https://vault.azure.net")

# proposed assignment (resource derived from the configured cloud environment)
authcredential = ServicePrincipalCredentials(
                client_id=self.credentials['client_id'],
                secret=self.credentials['secret'],
                tenant=tenant,
                cloud_environment=self.azure_auth._cloud_environment,
                resource=f"https://{self.azure_auth._cloud_environment.suffixes.keyvault_dns.split('.', 1).pop()}")
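A worked example of the derivation in the comment above, added here as illustration; it is not code from the issue or from the azure.azcollection project. `keyvault_resource` builds the token audience from a cloud object's `suffixes.keyvault_dns`, and `vault_host_in_cloud` / `check_vault_uri` verify that a `vault_uri` actually belongs to that cloud, so a public-cloud/government mismatch fails with a clear error instead of the silent empty `secrets` list shown in the report. `_Cloud` and `_Suffixes` are constructed stand-ins with the same attribute shape as `msrestazure.azure_cloud.Cloud`; the two suffix values are the public-cloud and US Government ones that appear in this thread, and the real msrestazure constants can be passed in unchanged.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


# Constructed stand-ins mirroring the attribute shape of
# msrestazure.azure_cloud.Cloud (.name and .suffixes.keyvault_dns).
# Not the msrestazure objects themselves; those work the same way.
@dataclass(frozen=True)
class _Suffixes:
    keyvault_dns: str


@dataclass(frozen=True)
class _Cloud:
    name: str
    suffixes: _Suffixes


AZURE_PUBLIC_CLOUD = _Cloud("AzureCloud", _Suffixes(".vault.azure.net"))
AZURE_US_GOV_CLOUD = _Cloud("AzureUSGovernment", _Suffixes(".vault.usgovcloudapi.net"))


def keyvault_resource(cloud):
    """Return the AAD token audience ('resource') for Key Vault in `cloud`.

    keyvault_dns is a leading-dot suffix such as '.vault.azure.net'; drop the
    leading dot and prepend https://, exactly as the comment above proposes.
    """
    suffix = cloud.suffixes.keyvault_dns
    host = suffix.split(".", 1).pop()  # '.vault.azure.net' -> 'vault.azure.net'
    return f"https://{host}"


def vault_host_in_cloud(vault_uri, cloud):
    """True if vault_uri is an https URL whose host sits under the cloud's Key Vault suffix."""
    parsed = urlparse(vault_uri)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    # hostname is lower-cased by urlparse; the suffix constants are lower-case too.
    return parsed.hostname.endswith(cloud.suffixes.keyvault_dns)


def check_vault_uri(vault_uri, cloud):
    """Return the vault host, or raise ValueError when it does not belong to `cloud`.

    A token minted for one cloud's Key Vault audience is not accepted by another
    cloud's vault, and the module in the report returned an empty list rather
    than an error; checking the suffix up front makes the mismatch visible.
    """
    if not vault_host_in_cloud(vault_uri, cloud):
        raise ValueError(
            f"{vault_uri!r} is not a Key Vault URI in {cloud.name} "
            f"(expected an https host ending in {cloud.suffixes.keyvault_dns})"
        )
    return urlparse(vault_uri).hostname


if __name__ == "__main__":
    # The vault from the report, checked against both clouds.
    uri = "https://sometestvault.vault.usgovcloudapi.net"
    print(keyvault_resource(AZURE_US_GOV_CLOUD))
    print(check_vault_uri(uri, AZURE_US_GOV_CLOUD))
    print(vault_host_in_cloud(uri, AZURE_PUBLIC_CLOUD))
```

Calling `check_vault_uri` before building the credential is the cheap guard: it catches a playbook that points at a Government vault while the collection is still authenticating against the public cloud, which is precisely the combination that produced the empty result above.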

Fred-sun added the medium_priority (Medium priority) and work in (In trying to solve, or in working with contributors) labels on Dec 21, 2020
@Fred-sun
Collaborator

@opfpqgoon Thank you for reporting this issue, we will review it as soon as possible, thank you!

@Fred-sun
Collaborator

Fred-sun commented Jul 1, 2021

@opfpqgoon I have not had any problems with the latest version of Azure Collection. Can you update to the latest version and try again? Thank you very much!

ansible-galaxy collection install azure.azcollection --force

        "secrets": [
            {
                "attributes": {
                    "created": "2021-07-01T01:16:55+00:00",
                    "enabled": true,
                    "expires": null,
                    "not_before": null,
                    "recovery_level": "Recoverable+Purgeable",
                    "updated": "2021-07-01T01:16:55+00:00"
                },
                "content_type": "Content Type Secret",
                "secret": "mysecret",
                "sid": "https://xxx/secrets/testsecret/xxxx",
                "tags": {
                    "delete": "on-exit",
                    "testing": "test"
                },
                "version": "eca8f76e4bd0451ab114805f0d7eb7f8"
            }
        ]
