hashicorp/terraform-provider-azurerm

azurerm_key_vault.vault: "access_policy.0.object_id" is an invalid UUUID: uuid: UUID string too short

akamalov opened this issue · 7 comments

Environment:

Terraform v0.11.11
+ provider.azurerm v1.21.0
+ provider.random v2.0.0
+ provider.template v2.0.0

Problem:

Trying to run Terraform using a Service Principal to create an Azure Key Vault key, but getting an error accessing the objectId of the Service Principal.

Details:

Login to Azure using Service Principal clientID and secret:

$ az login --service-principal -u XXXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX --password XXXXXXXXXXXXXXXXXXXXXXXX --tenant XXXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
[
  {
    "cloudName": "AzureCloud",
    "id": "XXXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    "isDefault": true,
    "name": "Enterprise",
    "state": "Enabled",
    "tenantId": "XXXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    "user": {
      "name": "XXXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
      "type": "servicePrincipal"
    }
  }
]

Run terraform plan:

$ terraform plan -var-file ./credentials.tfvars -out terraform.tfplan                             

Acquiring state lock. This may take a few moments...

Warning: azurerm_key_vault_key.generated: "vault_uri": [DEPRECATED] This property has been deprecated in favour of the key_vault_id property. This will prevent a class of bugs as described in https://github.com/terraform-providers/terraform-provider-azurerm/issues/2396 and will be removed in version 2.0 of the provider



Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

random_id.keyvault: Refreshing state... (ID: psSuDw)
azurerm_resource_group.AK-TEST-0001: Refreshing state... (ID: /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/AK-TEST-0001)
data.azurerm_client_config.current: Refreshing state...
azurerm_key_vault.vault: Refreshing state... (ID: /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-...crosoft.KeyVault/vaults/vault-a6c4ae0f)
azurerm_virtual_network.vn-aktest-0001: Refreshing state... (ID: /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-...Network/virtualNetworks/vn-aktest-0001)
azurerm_availability_set.consul: Refreshing state... (ID: /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-...availabilitySets/consulavailabilityset)
azurerm_network_security_group.consul_nsg: Refreshing state... (ID: /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-...kSecurityGroups/consulazure-consul-nsg)
azurerm_storage_account.consul_storage_account: Refreshing state... (ID: /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-...t.Storage/storageAccounts/capamconsul1)
data.template_file.init: Refreshing state...
azurerm_subnet.Primary: Refreshing state... (ID: /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-...etworks/vn-aktest-0001/subnets/Primary)
azurerm_network_interface.consul_nic[0]: Refreshing state... (ID: /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-....Network/networkInterfaces/consul_nic1)
azurerm_network_interface.consul_nic[1]: Refreshing state... (ID: /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-....Network/networkInterfaces/consul_nic2)
azurerm_network_interface.consul_nic[2]: Refreshing state... (ID: /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-....Network/networkInterfaces/consul_nic3)
azurerm_virtual_machine.consul[2]: Refreshing state... (ID: /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-...rosoft.Compute/virtualMachines/consul3)
azurerm_virtual_machine.consul[0]: Refreshing state... (ID: /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-...rosoft.Compute/virtualMachines/consul1)
azurerm_virtual_machine.consul[1]: Refreshing state... (ID: /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-...rosoft.Compute/virtualMachines/consul2)

------------------------------------------------------------------------

Error: Error running plan: 1 error(s) occurred:

* azurerm_key_vault.vault: "access_policy.0.object_id" is an invalid UUUID: uuid: UUID string too short:

Hmmm... Let's run az account show

$ az account show --query "{subscriptionId:id, tenantId:tenantId,objectId:objectId}"         
{
  "objectId": null,
  "subscriptionId": "XXXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "tenantId": "XXXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}

Why on earth am I not getting objectId populated?

hi @akamalov

Thanks for opening this issue :)

So that we can take a look into this would it be possible for you to post the Terraform Configuration you're using?

Thanks!

I'm having the exact same issue. Here's a snippet of my config:

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "this" {
  name                = "my-keyvault"
  location            = "${var.location}"
  resource_group_name = "${var.resource_group_name}"
  tenant_id           = "${data.azurerm_client_config.current.tenant_id}"

  sku {
    name = "standard"
  }

  access_policy {
    tenant_id = "${data.azurerm_client_config.current.tenant_id}"
    object_id = "${data.azurerm_client_config.current.service_principal_object_id}"

....

@akamalov @sonnysideup having a similar issue here. Can you confirm that it works if you use static values instead of using a data provider with the tenant_id and object_id fields?

FYI @300481

Getting the same. Doesn't work with static values either.

hi @akamalov @sonnysideup @metmajer @birdnathan

Thanks for opening this issue / apologies for the delayed response here!

Taking a look into this it appears you're authenticated as a Service Principal using the Azure CLI - which unfortunately we don't support (from this page):

Authenticating via the Azure CLI is only supported when using a User Account. If you're using a Service Principal (for example via az login --service-principal) you should instead authenticate via the Service Principal directly (either using a Client Secret or a Client Certificate).

When authenticated using Environment Variables, or defining them in-line this should work as expected - however unfortunately the Azure CLI doesn't expose all of the information we need when authenticated as a service principal, as such we're unable to populate this information.

There's a separate issue open tracking adding a more generic object_id field to the azurerm_client_config data source - which should work when authenticated using other methods (e.g. via the Azure CLI), but since we don't support authenticating as a Service Principal using the Azure CLI (since it doesn't expose all the data we need), unfortunately this approach won't work there. In the interim we'll look to update the Azure CLI logic to fail more clearly when authenticated as a Service Principal.

Thanks!
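As an added example (not code from this issue or from the terraform-provider-azurerm project), here is a small Python pre-flight check that reproduces the failure mode the maintainer describes, offline, and refuses to continue when the Azure CLI is logged in as a service principal. The `az account show` sample is constructed to match the shape shown at the top of the issue (all-zero UUIDs stand in for real ids); the `ARM_*` variable names are the ones the azurerm provider reads for direct service-principal authentication (client secret or client certificate); `preflight`, `auth_method` and `validate_object_id` are this example's own names, not provider API.

```python
"""Pre-flight check for the azurerm provider's authentication path.

Added example. When the Azure CLI is logged in as a service principal,
`az account show` carries no objectId, the azurerm_client_config data
source's service_principal_object_id comes back empty, and
azurerm_key_vault rejects access_policy.0.object_id as an invalid UUID
("UUID string too short"). This check detects that state before
`terraform plan` and points at the supported path (ARM_* variables).
"""
import json
import os
import uuid

# Variables the azurerm provider reads for direct service principal auth.
SP_COMMON_ENV = ("ARM_CLIENT_ID", "ARM_TENANT_ID", "ARM_SUBSCRIPTION_ID")
SP_CREDENTIAL_ENV = ("ARM_CLIENT_SECRET", "ARM_CLIENT_CERTIFICATE_PATH")

# Constructed sample of `az account show` after `az login --service-principal`.
SAMPLE_CLI_SP_ACCOUNT = json.dumps({
    "cloudName": "AzureCloud",
    "id": "00000000-0000-0000-0000-000000000001",
    "isDefault": True,
    "name": "Enterprise",
    "state": "Enabled",
    "tenantId": "00000000-0000-0000-0000-000000000002",
    "user": {"name": "00000000-0000-0000-0000-000000000003",
             "type": "servicePrincipal"},
})


def is_uuid(value):
    """True if value parses as a UUID; '' and None fail, as in the provider."""
    try:
        uuid.UUID(str(value))
    except (ValueError, TypeError):
        return False
    return True


def validate_object_id(value):
    """Return the plan-time style error for a bad object_id, or None if fine."""
    if is_uuid(value):
        return None
    if not value:
        return '"access_policy.0.object_id" is an invalid UUID: UUID string too short'
    return f'"access_policy.0.object_id" is an invalid UUID: {value!r}'


def auth_method(env, az_account_json):
    """Decide which path Terraform will take: direct SP credentials in the
    environment win; otherwise the CLI token is used, and the CLI user
    type says whether that login is a user account or a service principal."""
    has_sp = (all(env.get(k) for k in SP_COMMON_ENV)
              and any(env.get(k) for k in SP_CREDENTIAL_ENV))
    if has_sp:
        return "service_principal_env"
    if not az_account_json:
        return "none"
    account = json.loads(az_account_json)
    user_type = account.get("user", {}).get("type")
    return ("azure_cli_service_principal" if user_type == "servicePrincipal"
            else "azure_cli_user")


def preflight(env, az_account_json):
    """Return (ok, method, problems). Only variable names are reported,
    never their values, so secrets do not end up in CI logs."""
    method = auth_method(env, az_account_json)
    problems = []
    if method == "service_principal_env":
        # A truncated or placeholder id would surface later as the same
        # opaque UUID error, so fail fast on the ids here.
        for key in SP_COMMON_ENV:
            if not is_uuid(env.get(key)):
                problems.append(f"{key} is not a UUID")
    elif method == "azure_cli_service_principal":
        # This is the state in the issue: object_id resolves to "".
        problems.append(
            "Azure CLI is logged in as a service principal, which the provider "
            "does not support; service_principal_object_id would be empty and "
            "plan would fail with: " + validate_object_id("") + ". Export "
            "ARM_CLIENT_ID, ARM_TENANT_ID, ARM_SUBSCRIPTION_ID plus "
            "ARM_CLIENT_SECRET or ARM_CLIENT_CERTIFICATE_PATH instead.")
    elif method == "none":
        problems.append("no ARM_* credentials and no Azure CLI login found")
    return (not problems, method, problems)


def check_current_environment(az_account_json=None):
    """Real use: pass the live output of `az account show` (if any)."""
    return preflight(os.environ, az_account_json)


if __name__ == "__main__":
    ok, method, problems = preflight({}, SAMPLE_CLI_SP_ACCOUNT)
    print(f"auth method: {method}, ok: {ok}")
    for p in problems:
        print(" -", p)
```

`uuid.UUID` is a little more permissive than the provider's validator (it also accepts braces and a `urn:uuid:` prefix), so treat this as a fail-fast gate rather than the authoritative check. Whichever path you pick, keep the secret out of shell history and CI logs: the environment-variable route also avoids the `--password` argument on the command line shown at the top of this issue.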

@tombuildsstuff I've never used the Azure CLI, always environment variables. Care to reopen?

I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!