
azure_rm_keyvaultsecret uses wrong credentials #803

Closed
SSPJ opened this issue Mar 30, 2022 · 8 comments
Labels
has_pr PR fixes have been made medium_priority Medium priority

Comments

@SSPJ

SSPJ commented Mar 30, 2022

This did not work:

- name: Set secret in vault
  azure_rm_keyvaultsecret:
    secret_name: SECRET-NAME
    secret_value: "{{ SECRET-VALUE }}"
    keyvault_uri: "https://{{ vault.name }}.vault.azure.net/"

This also did not work:

- name: Set secret in vault
  azure_rm_keyvaultsecret:
    secret_name: SECRET-NAME
    secret_value: "{{ SECRET-VALUE }}"
    keyvault_uri: "https://{{ vault.name }}.vault.azure.net/"
    client_id: "{{ AZURE_CLIENT_ID }}"
    secret: "{{ AZURE_SECRET }}"
    tenant: "{{ tenant }}"
    subscription_id: "{{ subscription }}"

This did work:

- name: Set secret in vault
  azure_rm_deployment:
    state: present
    location: "{{ location }}"
    resource_group: "{{ resource_group_name }}"
    name: "deployment-secret-name-secret"
    template:
      $schema: https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#
      contentVersion: 1.0.0.0
      resources:
        - type: Microsoft.KeyVault/vaults/secrets
          apiVersion: 2021-11-01-preview
          name: "{{ vault.name }}/SECRET-NAME"
          properties:
            value: "{{ SECRET-VALUE }}"

This is the error.

fatal: [localhost]: FAILED! => {
    "changed": false,
    "module_stderr": "Your credentials class does not support session injection.
    Performance will not be at the maximum.
    Your credentials class does not support session injection. Performance will not be at the maximum.
    Traceback (most recent call last):
     .............
      File \"/usr/local/lib/python3.7/dist-packages/azure/keyvault/key_vault_client.py\", line 1586, in set_secret
        raise models.KeyVaultErrorException(self._deserialize, response)
    azure.keyvault.models.key_vault_error.KeyVaultErrorException: 
    (Forbidden) The user, group or application '
    appid=Z1xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx;
    oid=D1xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx;
    iss=https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/
    ' does not have secrets set permission on key vault ';location=centralus'.

Z1xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx is not the ID of my SP nor my own ID. It is the appID of the virtual machine on which the playbook is running.

@markscottwright
Contributor

I am experiencing this error as well. The specified credentials are ignored if running in an environment where managed identities are available for azure_rm_keyvaultsecret. I believe the error was introduced in 199c7ee - if auth_source != 'msi', AzureRMKeyVaultSecret still attempts to retrieve credentials from MSI (see the else block - plugins/modules/azure_rm_keyvaultsecret.py:210). Which will succeed if running in Azure (or AKS, in my case), but will return the credentials assigned to the current VM, not the credentials specified in the playbook.

@Fred-sun
Collaborator

@SSPJ The reason for this problem is that there are special permission requirements for keystores that require adding access policies and role assignments to the keystores used (the application you are currently using). You can refer to the link below.
Add access policy: Assign an Azure Key Vault access policy (CLI) | Microsoft Docs
Add role assign: Assign Azure roles using the Azure portal - Azure RBAC | Microsoft Docs
Thank you very much!

@Fred-sun Fred-sun added medium_priority Medium priority work in In trying to solve, or in working with contributors labels Mar 31, 2022
@markscottwright
Contributor

@Fred-sun I can't be absolutely certain that @SSPJ's issue is the same as mine, although the error looks very similar.

I can successfully run this task locally:

  azure_rm_keyvaultsecret:
    secret_name:      "{{ secret_name }}"
    secret_value:     "{{ password }}"
    keyvault_uri:     "{{ keyvault_uri }}"
    subscription_id:  "{{ subscription_id }}"
    tenant:           "{{ tenant_id }}"
    client_id:        "{{ client_id }}"
    secret:           "{{ secret }}"

However, if I run that task using the same arguments on an AKS pod, it fails. The error reported by Azure is:

Forbidden) The user, group or application 'appid=XYZ;oid=ABC;iss=https://sts.windows.net/98d7c96c-5661-45df-b4cc-3717d2738b6e/' does not have secrets set permission on key vault 'testcustomer

But XYZ is not the client_id I specified in my playbook. (@SSPJ's error is the same, which is why I believe we have the same issue). My client_id has the required permissions - I can run the playbook successfully, as long as it's not on a system with MSI (aka not an Azure VM). azure_rm_keyvaultsecret is using the wrong credentials.

The bug here:

if self.module.params['auth_source'] == 'msi':
and seems to have been introduced in #770.

The logic now is:

  1. if auth type is MSI, use MSI to get the credentials
  2. if auth type is not MSI still use MSI to get the credentials (see line 210)
  3. if that fails to return MSI credentials, then use the credentials as documented here.

2 above seems wrong to me (and is not what is documented). As written, azure_rm_keyvaultsecret will never use the specified credentials when run on an Azure VM.

Thank you!
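The precedence problem described in this comment, as an added model (not azcollection code): `resolve_buggy` follows the reported behaviour, `resolve_fixed` the expected one, and `identity_matches` is a pre-flight check a playbook could run before touching the vault. `probe_msi` is an assumed stand-in for the instance-metadata endpoint; all identity values are constructed placeholders.

```python
# Added example, not azcollection code: a model of the credential precedence
# described above. probe_msi stands in for the instance-metadata endpoint.
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Credential:
    source: str   # "msi" or "service_principal"
    app_id: str   # what Key Vault reports as 'appid=' in a Forbidden error

class MsiUnavailable(Exception):
    """Raised by the probe when no managed-identity endpoint answers."""

def resolve_buggy(params: dict, probe_msi: Callable[[], Credential]) -> Credential:
    # Reported behaviour: MSI is probed even when auth_source != 'msi', so on an
    # Azure VM or AKS pod the VM identity silently replaces the playbook's SP.
    if params.get("auth_source") == "msi":
        return probe_msi()
    try:
        return probe_msi()          # the else branch still asks MSI first
    except MsiUnavailable:
        return Credential("service_principal", params["client_id"])

def resolve_fixed(params: dict, probe_msi: Callable[[], Credential]) -> Credential:
    # Expected behaviour: explicit credentials win; MSI is used only when asked
    # for or when no explicit client_id was supplied.
    if params.get("auth_source") == "msi" or not params.get("client_id"):
        return probe_msi()
    return Credential("service_principal", params["client_id"])

def identity_matches(cred: Credential, expected_client_id: str) -> bool:
    # Pre-flight check: do not touch the vault if the identity about to be used
    # is not the one the playbook configured (catches the silent override).
    return cred.app_id == expected_client_id

# Constructed scenario values (placeholders, not real identities).
VM_IDENTITY = Credential("msi", "vm-managed-identity-appid")
PLAYBOOK = {"auth_source": "auto", "client_id": "sp-client-id", "secret": "x"}

def on_azure_vm() -> Credential:      # probe result on an Azure VM / AKS pod
    return VM_IDENTITY

def off_azure() -> Credential:        # probe result on a developer laptop
    raise MsiUnavailable("no metadata endpoint")
```

Off Azure both variants pick the service principal, which is why the task "works locally"; on a VM only the fixed variant does.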

@markscottwright
Contributor

I have just confirmed that I can successfully run the azure_rm_keyvaultsecret task above if I downgrade to 1.11.0 (ansible-galaxy collection install azure.azcollection:==1.11.0).

@markscottwright
Contributor

I would create a pull request to fix the issue, but I think the fix is to rollback the changes you made in #770, @Fred-sun. Are you sure those changes are correct?

@SSPJ
Author

SSPJ commented Mar 31, 2022

@Fred-sun Thank you for the help troubleshooting, but I believe @markscottwright is correct that this is a bug in the module.

I do not want to give my virtual machine permission to set secrets in my key vaults. That is a security risk. I want azure_rm_keyvaultsecret to behave like other modules in the azcollection for authentication.

@Fred-sun
Collaborator

want to give my virtual machine permission to set secrets i

Yeah! I am sure!

@Fred-sun
Collaborator

I would create a pull request to fix the issue, but I think the fix is to rollback the changes you made in #770, @Fred-sun. Are you sure those changes are correct?

Sorry, it has been fixed by #823. Thank you very much!

@Fred-sun Fred-sun added has_pr PR fixes have been made and removed work in In trying to solve, or in working with contributors labels Apr 25, 2022