{"error":"invalid_request","error_description":"Identity not found"}
akamalov opened this issue · 1 comments
akamalov commented
Greetings:
Environment:

```
Terraform v0.11.11
+ provider.azurerm v1.21.0
+ provider.random v2.0.0
+ provider.template v2.0.0
```
Problem:

Script `azure_auth.sh` is exiting with an error:

```
vault write auth/azure/login role="dev-role" jwt="null" subscription_id="XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXXX" resource_group_name="AK-TEST-0001" vm_name="vault"
Error writing data to auth/azure/login: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/azure/login
Code: 500. Errors:

* oidc: malformed jwt: square/go-jose: compact JWS format must have three parts
```
Looking further at the template, I discovered that the `curl` statement is responding with `Identity not found`.
Terraform Template:

```sh
...
vault write auth/azure/login role="dev-role" \
  jwt="$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s | jq -r .access_token)" \
  subscription_id="${subscription_id}" \
  resource_group_name="${resource_group_name}" \
  vm_name="${vm_name}"
```
Generated Script:

```sh
...
vault write auth/azure/login role="dev-role" jwt="null" subscription_id="XXXXX-XXXX-XXXX-XXXX-XXXXXXXXX" resource_group_name="AK-TEST-0001" vm_name="vault"
```

So, as you can see, `jwt` is responding with `null`.
Let's issue `curl` manually from the VM instance:

```
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com' -H Metadata:true -s
{"error":"invalid_request","error_description":"Identity not found"}
```
akamalov commented
Closing the ticket. The solution was to configure 'managed identity' for Azure VM instances, as described here - https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm
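The root cause in this thread is that `jq -r .access_token` turns a missing key into the literal string `null`, which the script then hands to `vault write` as `jwt="null"`, so the real problem (no managed identity assigned to the VM) only surfaces as a confusing JWS parse error from Vault. The script below is an added example, not the reporter's script and not code from Vault or Azure: it checks the IMDS response for an `error` field and verifies that the token has the three dot-separated parts of a compact JWT before any login command is built. The sample response bodies are constructed (the dummy token is not a real credential), the helper names are mine, and the extraction uses `sed` rather than `jq` so the check also works on a minimal image.

```sh
#!/bin/sh
# Added example (not from the issue reporter, Vault or Azure): fail loudly when
# the IMDS token fetch does not yield a usable JWT, instead of passing
# jwt="null" to `vault write auth/azure/login`.

# Extract access_token from an IMDS JSON body with sed only (no jq dependency).
# Prints the token on success; returns 1 and prints nothing on failure.
extract_access_token() {
  body="$1"
  # IMDS reports a VM with no managed identity as {"error":"invalid_request",...}
  case "$body" in
    *'"error"'*) return 1 ;;
  esac
  token=$(printf '%s' "$body" \
    | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$token" ] || return 1
  printf '%s' "$token"
}

# A compact JWS/JWT is exactly three non-empty dot-separated parts; Vault's
# azure auth method rejects anything else ("compact JWS format must have three parts").
is_compact_jwt() {
  printf '%s\n' "$1" \
    | awk -F. 'NF==3 && $1!="" && $2!="" && $3!="" {ok=1} END {exit !ok}'
}

# Build the login command only when the token is sound.
# Arguments: imds_body role subscription_id resource_group_name vm_name
build_vault_login() {
  tok=$(extract_access_token "$1") || {
    echo "IMDS returned no access_token (is a managed identity assigned to this VM?): $1" >&2
    return 1
  }
  is_compact_jwt "$tok" || {
    echo "access_token is not a compact JWT, refusing to call vault" >&2
    return 1
  }
  printf 'vault write auth/azure/login role=%s jwt=%s subscription_id=%s resource_group_name=%s vm_name=%s\n' \
    "$2" "$tok" "$3" "$4" "$5"
}

# Constructed sample responses for offline use: the error body seen in the
# issue, and a well-formed body carrying a dummy (non-functional) three-part token.
ERROR_BODY='{"error":"invalid_request","error_description":"Identity not found"}'
OK_BODY='{"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ2bSJ9.c2ln","token_type":"Bearer"}'

# On a real VM, replace the constructed body with the live IMDS query:
# BODY=$(curl -s -H Metadata:true \
#   'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F')
# build_vault_login "$BODY" dev-role "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$VM_NAME"

# Demonstration with the constructed bodies: the first succeeds, the second
# exits non-zero with a diagnostic naming the missing identity.
build_vault_login "$OK_BODY" dev-role sub-placeholder rg-placeholder vm-placeholder
build_vault_login "$ERROR_BODY" dev-role sub-placeholder rg-placeholder vm-placeholder || true
```

In a deployment script you would call `vault write` directly with `jwt="$tok"` rather than echoing the assembled command, so the bearer token never lands in shell history or provisioning logs; the demonstration prints the command only to make the result visible.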