hashicorp/vault-guides

{"error":"invalid_request","error_description":"Identity not found"}

akamalov opened this issue · 1 comments

Greetings:

Environment:

Terraform v0.11.11
+ provider.azurerm v1.21.0
+ provider.random v2.0.0
+ provider.template v2.0.0

Problem:

Script azure_auth.sh is exiting with an error:

vault write auth/azure/login role="dev-role" jwt="null" subscription_id="XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXXX" resource_group_name="AK-TEST-0001" vm_name="vault"
Error writing data to auth/azure/login: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/azure/login
Code: 500. Errors:

* oidc: malformed jwt: square/go-jose: compact JWS format must have three parts

Looking further at the template, I discovered that the curl statement is responding with "Identity not found".

Terraform Template:

...
vault write auth/azure/login role="dev-role" \
  jwt="$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F'  -H Metadata:true -s | jq -r .access_token)" \
  subscription_id="${subscription_id}" \
  resource_group_name="${resource_group_name}" \
  vm_name="${vm_name}"

Generated Script

...

vault write auth/azure/login role="dev-role" jwt="null" subscription_id="XXXXX-XXXX-XXXX-XXXX-XXXXXXXXX" resource_group_name="AK-TEST-0001" vm_name="vault"

So, as you can see, jwt is responding with null.

Let's issue curl manually from the VM instance:

curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com' -H Metadata:true -s

{"error":"invalid_request","error_description":"Identity not found"}

Closing the ticket. The solution was to configure 'managed identity' for Azure VM instances, as described here - https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm
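The root cause above is that `jq -r .access_token` prints the string `null` when IMDS returns an error document, so the script hands `jwt="null"` to Vault and the real failure is only reported as a malformed JWS. The following Python check (an added example, not code from this issue or from the vault-guides repository) validates the IMDS response before any `vault write` is attempted; the success sample uses a constructed three-part dummy token, not a real Azure token, and the error sample is the response quoted in the issue.

```python
"""Validate an Azure IMDS token response before it is passed to `vault write`."""
import json
import re

# Constructed sample responses (not captured from a real VM).
IMDS_NO_IDENTITY = '{"error":"invalid_request","error_description":"Identity not found"}'
IMDS_OK = json.dumps({
    "access_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ2bSJ9.c2ln",  # dummy header.payload.signature
    "expires_in": "3599",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
})

# Compact JWS segments may only use the base64url alphabet (no padding).
_B64URL = re.compile(r"[A-Za-z0-9_-]+")


class ImdsTokenError(RuntimeError):
    """Raised when IMDS did not return a usable access token."""


def extract_access_token(imds_body: str) -> str:
    """Return the access_token from an IMDS response body, or raise ImdsTokenError."""
    try:
        data = json.loads(imds_body)
    except json.JSONDecodeError as exc:
        raise ImdsTokenError(f"IMDS response is not JSON: {exc}") from exc
    if "error" in data:  # e.g. no managed identity assigned to the VM
        raise ImdsTokenError(f"IMDS returned {data['error']}: {data.get('error_description', '')}")
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise ImdsTokenError("IMDS response has no access_token")
    parts = token.split(".")
    if len(parts) != 3 or not all(_B64URL.fullmatch(p) for p in parts):
        raise ImdsTokenError("access_token is not a three-part compact JWS")
    return token


def token_or_error(imds_body: str):
    """Convenience wrapper: (token, None) on success, (None, message) on failure."""
    try:
        return extract_access_token(imds_body), None
    except ImdsTokenError as exc:
        return None, str(exc)


def build_vault_login(imds_body, role, subscription_id, resource_group_name, vm_name):
    """Argument vector for `vault write auth/azure/login`; never built with jwt=null."""
    token = extract_access_token(imds_body)
    return ["vault", "write", "auth/azure/login", f"role={role}", f"jwt={token}",
            f"subscription_id={subscription_id}",
            f"resource_group_name={resource_group_name}", f"vm_name={vm_name}"]
```

In the shell script itself the equivalent is to capture the curl output into a variable, test for `"error"` and an empty or `null` token, and exit with the IMDS error message before calling `vault write`.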