Managed Identity auth_source: msi no longer works with collection 1.11, returns KeyError: 'credential' #757

gowenrw · 2022-02-09T18:40:43Z

SUMMARY

In azure.azcollection version 1.10 managed identity auth_source: msi on tasks worked without errors.
Starting with azure.azcollection version 1.11 we get a traceback error on the file azure_rm_common.py with KeyError: 'credential'
This error happens when calling any of the modules in the collection.
Looking at the code for azure_rm_common.py three things are apparent

the credentials are good since the def _get_msi_credentials is not returning the defined error message for missing or bad credentials and
something is looking for 'credential' singular and the def _get_msi_credentials only returns 'credentials' plural and
a similar issue related to CLI credentials seems to have been fixed in DEV recently in the def _get_azure_cli_credentials area by adding a line 'credential': credentials to add the singular version.
When manually editing the file azure_rm_common.py we were able to fix the managed identity issues.
We found two different modifications in azure_rm_common.py that both work and don't know which one is correct:
In def _get_msi_credentials section on lines 1593:1608 add a new line in the return area to add 'credential': credentials
In this IF section on lines 1506:1509 modify the last line to change 'credential' to 'credentials'
if self.credentials.get('credentials') is not None:
# AzureCLI credentials
self.azure_credentials = self.credentials['credentials']
self.azure_credential_track2 = self.credentials['credential']
Don't know the code well enough to understand which of these two fixes would correct the root bug versus masking it.

ISSUE TYPE

Bug Report

COMPONENT NAME

azure_rm_common.py

ANSIBLE VERSION

Multiple

COLLECTION VERSION

azure.azcollection 1.11.0

STEPS TO REPRODUCE

Create a managed identity in Azure with contributor role on the subscription to be tested.
Run a playbook using any module and the auth_source: msi setting

  tasks:
    - name: "Test azure_rm_securitygroup_info"
      azure.azcollection.azure_rm_securitygroup_info:
        subscription_id: "{{ nsg_msi_test_sub }}"
        resource_group: "{{ nsg_msi_test_rg }}"
        name: "{{ nsg_msi_test_name }}"
        auth_source: msi

EXPECTED RESULTS

We expect the managed identity to work and allow the module to execute sucessfully.

ACTUAL RESULTS

What actually happens is a traceback error that ends in KeyError: 'credential'

{
    "module_stdout": "",
    "module_stderr": "Traceback (most recent call last):\n  File \"/var/lib/awx/.ansible/tmp/ansible-tmp-1644429743.4528656-96-165730162148775/AnsiballZ_azure_rm_securitygroup_info.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"/var/lib/awx/.ansible/tmp/ansible-tmp-1644429743.4528656-96-165730162148775/AnsiballZ_azure_rm_securitygroup_info.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/var/lib/awx/.ansible/tmp/ansible-tmp-1644429743.4528656-96-165730162148775/AnsiballZ_azure_rm_securitygroup_info.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.azure.azcollection.plugins.modules.azure_rm_securitygroup_info', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n    mod_name, mod_spec, pkg_name, script_name)\n  File \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_azure.azcollection.azure_rm_securitygroup_info_payload_ux3w469s/ansible_azure.azcollection.azure_rm_securitygroup_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_securitygroup_info.py\", line 393, in <module>\n  File \"/tmp/ansible_azure.azcollection.azure_rm_securitygroup_info_payload_ux3w469s/ansible_azure.azcollection.azure_rm_securitygroup_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_securitygroup_info.py\", line 389, in main\n  File \"/tmp/ansible_azure.azcollection.azure_rm_securitygroup_info_payload_ux3w469s/ansible_azure.azcollection.azure_rm_securitygroup_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_securitygroup_info.py\", line 335, in __init__\n  File \"/tmp/ansible_azure.azcollection.azure_rm_securitygroup_info_payload_ux3w469s/ansible_azure.azcollection.azure_rm_securitygroup_info_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py\", line 464, in __init__\n  File \"/tmp/ansible_azure.azcollection.azure_rm_securitygroup_info_payload_ux3w469s/ansible_azure.azcollection.azure_rm_securitygroup_info_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py\", line 1509, in __init__\nKeyError: 'credential'\n",
    "exception": "Traceback (most recent call last):\n  File \"/var/lib/awx/.ansible/tmp/ansible-tmp-1644429743.4528656-96-165730162148775/AnsiballZ_azure_rm_securitygroup_info.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"/var/lib/awx/.ansible/tmp/ansible-tmp-1644429743.4528656-96-165730162148775/AnsiballZ_azure_rm_securitygroup_info.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/var/lib/awx/.ansible/tmp/ansible-tmp-1644429743.4528656-96-165730162148775/AnsiballZ_azure_rm_securitygroup_info.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.azure.azcollection.plugins.modules.azure_rm_securitygroup_info', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n    mod_name, mod_spec, pkg_name, script_name)\n  File \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_azure.azcollection.azure_rm_securitygroup_info_payload_ux3w469s/ansible_azure.azcollection.azure_rm_securitygroup_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_securitygroup_info.py\", line 393, in <module>\n  File \"/tmp/ansible_azure.azcollection.azure_rm_securitygroup_info_payload_ux3w469s/ansible_azure.azcollection.azure_rm_securitygroup_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_securitygroup_info.py\", line 389, in main\n  File \"/tmp/ansible_azure.azcollection.azure_rm_securitygroup_info_payload_ux3w469s/ansible_azure.azcollection.azure_rm_securitygroup_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_securitygroup_info.py\", line 335, in __init__\n  File \"/tmp/ansible_azure.azcollection.azure_rm_securitygroup_info_payload_ux3w469s/ansible_azure.azcollection.azure_rm_securitygroup_info_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py\", line 464, in __init__\n  File \"/tmp/ansible_azure.azcollection.azure_rm_securitygroup_info_payload_ux3w469s/ansible_azure.azcollection.azure_rm_securitygroup_info_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py\", line 1509, in __init__\nKeyError: 'credential'\n",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1,
    "_ansible_no_log": false,
    "changed": false
}

The text was updated successfully, but these errors were encountered:

chadgeary · 2022-02-15T05:21:56Z

For:

    - name: Get ph_password from Azure Vault Secret
      azure.azcollection.azure_rm_keyvaultsecret_info:
        auth_source: msi
        vault_uri: "https://{{ ph_prefix }}-secret-{{ ph_suffix }}.vault.azure.net"
        name: "{{ ph_prefix }}-secret"
        version: "current"
      register: ph_password

Full verbosity:

The full traceback is:
Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1644901939.280348-22275-103308931251022/AnsiballZ_azure_rm_keyvaultsecret_info.py", line 100, in <module>
    _ansiballz_main()
  File "/root/.ansible/tmp/ansible-tmp-1644901939.280348-22275-103308931251022/AnsiballZ_azure_rm_keyvaultsecret_info.py", line 92, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/root/.ansible/tmp/ansible-tmp-1644901939.280348-22275-103308931251022/AnsiballZ_azure_rm_keyvaultsecret_info.py", line 41, in invoke_module
    run_name='__main__', alter_sys=True)
  File "/usr/lib/python3.6/runpy.py", line 205, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib/python3.6/runpy.py", line 96, in _run_module_code
    mod_name, mod_spec, pkg_name, script_name)
  File "/usr/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_azure_rm_keyvaultsecret_info_payload_mcgnw12_/ansible_azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvaultsecret_info.py", line 430, in <module>
  File "/tmp/ansible_azure_rm_keyvaultsecret_info_payload_mcgnw12_/ansible_azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvaultsecret_info.py", line 426, in main
  File "/tmp/ansible_azure_rm_keyvaultsecret_info_payload_mcgnw12_/ansible_azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvaultsecret_info.py", line 239, in __init__
  File "/tmp/ansible_azure_rm_keyvaultsecret_info_payload_mcgnw12_/ansible_azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py", line 464, in __init__
  File "/tmp/ansible_azure_rm_keyvaultsecret_info_payload_mcgnw12_/ansible_azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py", line 1509, in __init__
KeyError: 'credential'
fatal: [localhost]: FAILED! => {
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n  File \"/root/.ansible/tmp/ansible-tmp-1644901939.280348-22275-103308931251022/AnsiballZ_azure_rm_keyvaultsecret_info.py\", line 100, in <module>\n    _ansiballz_main()\n  File \"/root/.ansible/tmp/ansible-tmp-1644901939.280348-22275-103308931251022/AnsiballZ_azure_rm_keyvaultsecret_info.py\", line 92, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/root/.ansible/tmp/ansible-tmp-1644901939.280348-22275-103308931251022/AnsiballZ_azure_rm_keyvaultsecret_info.py\", line 41, in invoke_module\n    run_name='__main__', alter_sys=True)\n  File \"/usr/lib/python3.6/runpy.py\", line 205, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib/python3.6/runpy.py\", line 96, in _run_module_code\n    mod_name, mod_spec, pkg_name, script_name)\n  File \"/usr/lib/python3.6/runpy.py\", line 85, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_azure_rm_keyvaultsecret_info_payload_mcgnw12_/ansible_azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvaultsecret_info.py\", line 430, in <module>\n  File \"/tmp/ansible_azure_rm_keyvaultsecret_info_payload_mcgnw12_/ansible_azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvaultsecret_info.py\", line 426, in main\n  File \"/tmp/ansible_azure_rm_keyvaultsecret_info_payload_mcgnw12_/ansible_azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvaultsecret_info.py\", line 239, in __init__\n  File \"/tmp/ansible_azure_rm_keyvaultsecret_info_payload_mcgnw12_/ansible_azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py\", line 464, in __init__\n  File \"/tmp/ansible_azure_rm_keyvaultsecret_info_payload_mcgnw12_/ansible_azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py\", line 1509, in __init__\nKeyError: 'credential'\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

NeckBeardPrince · 2022-02-21T15:50:52Z

BUMP

gowenrw · 2022-02-21T17:35:53Z

Bump for visibility. MI's not working is a big issue. Seems to be an easy fix. Hopefully this will get some traction soon.

* fix a typo error. related to #757 * remove unused line Co-authored-by: Daniele Marcocci <[email protected]>

* azure_rm_sqldatabase: parse datetime module arguments (ansible-collections#623) * rm_sqldatabase: parse datetime arguments * Remove unused sanity test exception on rm_sqldatabase module schema * Remove unused sanity test exception on rm_sqldatabase module schema bis * sqldatabase: import dateutil in try/except * Add dateutil install to test suite * sqldatabase_info: Add earliest_restore_date value to returned facts * sqldatabase: add point in time restore test * Conditionally call non MSI auth when interacting with keyvault (ansible-collections#770) * Added the VM status detection mechanism (ansible-collections#772) * Set the parameter to a random number * Update storage account name Update azure_rm_virtualmachine vars add new change add new change 02 add new change 03 add new change 05 add new change 06 add new change 08 add new change09 update new Update new 02 Improve code logic * fix a typo error. related to ansible-collections#757 (ansible-collections#769) * fix a typo error. related to ansible-collections#757 * remove unused line Co-authored-by: Daniele Marcocci <[email protected]> * Update test region (ansible-collections#776) Co-authored-by: Max <[email protected]> Co-authored-by: Daniele Marcocci <[email protected]> Co-authored-by: Daniele Marcocci <[email protected]>

* Ugrade azure-mgmt-compute SDK to track2 * fix small * Modify version from v2021-07-01 to v2020-04-01, no disk encryptions operation * Update small * fix azure_rm_diskencryption test fail * fix azure_rm_diskencryption test fail02 * fix sanity error * fix azure_rm_diskcryptionset test fail * fix azure_rm_virtualmachinescalesetinstance_info bug * fix azure_rm_virtualmachinescalesetinstance_info bug 02 * fix azure_rm_virtualmachien*extension test fail * Update azure_rm_virtualmachinescalesetinstance func paramter to vm_instance_i_ds * fix azure_rm_virtualmachinescalesetinstance test fail * fix sanity test fail * change exception type * fix azure_rm_hostgroup module * Update the code that throws the exception * Merge dev to local branch (#10) * azure_rm_sqldatabase: parse datetime module arguments (#623) * rm_sqldatabase: parse datetime arguments * Remove unused sanity test exception on rm_sqldatabase module schema * Remove unused sanity test exception on rm_sqldatabase module schema bis * sqldatabase: import dateutil in try/except * Add dateutil install to test suite * sqldatabase_info: Add earliest_restore_date value to returned facts * sqldatabase: add point in time restore test * Conditionally call non MSI auth when interacting with keyvault (#770) * Added the VM status detection mechanism (#772) * Set the parameter to a random number * Update storage account name Update azure_rm_virtualmachine vars add new change add new change 02 add new change 03 add new change 05 add new change 06 add new change 08 add new change09 update new Update new 02 Improve code logic * fix a typo error. related to #757 (#769) * fix a typo error. related to #757 * remove unused line Co-authored-by: Daniele Marcocci <[email protected]> * Update test region (#776) Co-authored-by: Max <[email protected]> Co-authored-by: Daniele Marcocci <[email protected]> Co-authored-by: Daniele Marcocci <[email protected]> * Revert "Merge dev to local branch (#10)" (#11) This reverts commit 1dce8f3. Co-authored-by: Max <[email protected]> Co-authored-by: Daniele Marcocci <[email protected]> Co-authored-by: Daniele Marcocci <[email protected]>

chadgeary mentioned this issue Feb 15, 2022

Another issue with Get ph_password from Azure Vault Secret - The error was: KeyError: 'credential' chadgeary/cloudblock#42

Closed

danielino pushed a commit to danielino/azure that referenced this issue Feb 22, 2022

fix a typo error. related to ansible-collections#757

103ab19

danielino mentioned this issue Feb 22, 2022

fix a typo error. related to #757 #769

Merged

Fred-sun added medium_priority Medium priority work in In trying to solve, or in working with contributors has_pr PR fixes have been made and removed work in In trying to solve, or in working with contributors labels Feb 27, 2022

xuzhang3 closed this as completed in #769 Mar 4, 2022

xuzhang3 pushed a commit that referenced this issue Mar 4, 2022

fix a typo error. related to #757 (#769)

9ae26a6

* fix a typo error. related to #757 * remove unused line Co-authored-by: Daniele Marcocci <[email protected]>

chadgeary mentioned this issue Jul 25, 2022

unpin ansible azcollection from 1.10.0 as fix has been applied chadgeary/cloudblock#69

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Managed Identity auth_source: msi no longer works with collection 1.11, returns KeyError: 'credential' #757

Managed Identity auth_source: msi no longer works with collection 1.11, returns KeyError: 'credential' #757

gowenrw commented Feb 9, 2022

chadgeary commented Feb 15, 2022

NeckBeardPrince commented Feb 21, 2022

gowenrw commented Feb 21, 2022

Managed Identity auth_source: msi no longer works with collection 1.11, returns KeyError: 'credential' #757

Managed Identity auth_source: msi no longer works with collection 1.11, returns KeyError: 'credential' #757

Comments

gowenrw commented Feb 9, 2022

SUMMARY

ISSUE TYPE

COMPONENT NAME

ANSIBLE VERSION

COLLECTION VERSION

STEPS TO REPRODUCE

EXPECTED RESULTS

ACTUAL RESULTS

chadgeary commented Feb 15, 2022

NeckBeardPrince commented Feb 21, 2022

gowenrw commented Feb 21, 2022