
azuread_group returning 401 #622

Closed
valerio-battelle opened this issue Oct 7, 2021 · 5 comments
Labels
authentication env/usgovernment Issue affects this environment

Comments

valerio-battelle commented Oct 7, 2021


Terraform (and AzureAD Provider) Version

Affected Resource(s)

  • azuread_group

Terraform Configuration Files

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.6"
    }
  }
}

provider "azuread" {
}

resource "azuread_group" "dc_admins" {
  display_name = "AAD DC Administrators"
  security_enabled = true
}

Debug Output

link to output

Panic Output

None

Expected Behavior

This should create an Azure AD group named AAD DC Administrators but fails with a 401 error with version 2.0 and greater

Actual Behavior

Fails to create the azure AD group and returns the following error:

Error: Could not retrieve calling principal object "GUID"

   with azuread_group.dc_admins,
   on main.tf line 4, in resource "azuread_group" "dc_admins":
    4: resource "azuread_group" "dc_admins" {

 DirectoryObjects.BaseClient.Get(): unexpected status 401 with OData error: InvalidAuthenticationToken: Access token validation failure. Invalid audience.

Steps to Reproduce

  1. terraform init
  2. terraform apply

Important Factoids

  1. This is failing in the Azure Gov Cloud (AzureUsGovernment)
  2. This works with version 1.6 of azuread if you remove the security_enabled = false attribute from the azuread_group resource
  3. This is being executed under my user that has the General Administrator role.

References

issue seems similar and I was hopeful that version 2.6 would fix this issue, but that was not the case.

@manicminer manicminer added env/usgovernment Issue affects this environment feature/groups labels Oct 8, 2021
@manicminer (Contributor) commented

Hi @valerio-battelle, thanks for raising this. I don't believe this is related to #588. Unfortunately the provider is not currently logging the claims from the access token so it's not possible to determine the audience your token was issued for.

However, given that you are using the usgov cloud, the provider should not be querying graph.microsoft.com as it is in your provided trace - it should be calling graph.microsoft.us. Are you sure that the environment is configured correctly? Usually you'd be unable to get an access token from the token endpoint of another cloud, but it may be that you're also using credentials for the global/public cloud?

valerio-battelle commented Oct 8, 2021

Hey @manicminer, thanks for replying so quickly. Good catch on https://graph.microsoft.com being called. That is indeed the wrong endpoint, but I'm not entirely sure how I control that and thus can't verify if my environment is configured incorrectly.

I assume when you do a tf apply on the above HCL it works for you in Azure gov cloud?

The output of az cloud show displays the correct endpoint url for graph, but that doesn't seem to matter in this instance. Can you provide any insight as to how I control/configure this properly? I hit google pretty hard looking for this info, but didn't have much luck.

$ az cloud show
{
  "endpoints": {
    "activeDirectory": "https://login.microsoftonline.us",
    "activeDirectoryDataLakeResourceId": null,
    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
    "activeDirectoryResourceId": "https://management.core.usgovcloudapi.net/",
    "appInsightsResourceId": "https://api.applicationinsights.us",
    "appInsightsTelemetryChannelResourceId": "https://dc.applicationinsights.us/v2/track",
    "attestationResourceId": null,
    "azmirrorStorageAccountResourceId": null,
    "batchResourceId": "https://batch.core.usgovcloudapi.net/",
    "gallery": "https://gallery.usgovcloudapi.net/",
    "logAnalyticsResourceId": "https://api.loganalytics.us",
    "management": "https://management.core.usgovcloudapi.net/",
    "mediaResourceId": "https://rest.media.usgovcloudapi.net",
    "microsoftGraphResourceId": "https://graph.microsoft.us/",
    "ossrdbmsResourceId": "https://ossrdbms-aad.database.usgovcloudapi.net",
    "portal": "https://portal.azure.us",
    "resourceManager": "https://management.usgovcloudapi.net/",
    "sqlManagement": "https://management.core.usgovcloudapi.net:8443/",
    "synapseAnalyticsResourceId": "https://dev.azuresynapse.usgovcloudapi.net",
    "vmImageAliasDoc": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json"
  },
  "isActive": true,
  "name": "AzureUSGovernment",
  "profile": "latest",
  "suffixes": {
    "acrLoginServerEndpoint": ".azurecr.us",
    "attestationEndpoint": null,
    "azureDatalakeAnalyticsCatalogAndJobEndpoint": null,
    "azureDatalakeStoreFileSystemEndpoint": null,
    "keyvaultDns": ".vault.usgovcloudapi.net",
    "mariadbServerEndpoint": ".mariadb.database.usgovcloudapi.net",
    "mhsmDns": ".managedhsm.usgovcloudapi.net",
    "mysqlServerEndpoint": ".mysql.database.usgovcloudapi.net",
    "postgresqlServerEndpoint": ".postgres.database.usgovcloudapi.net",
    "sqlServerHostname": ".database.usgovcloudapi.net",
    "storageEndpoint": "core.usgovcloudapi.net",
    "storageSyncEndpoint": "afs.azure.us",
    "synapseAnalyticsEndpoint": ".dev.azuresynapse.usgovcloudapi.net"
  }
}

manicminer commented Oct 8, 2021

Hi @valerio-battelle, no worries, you'll need to set the environment provider property to "usgovernmentl4" or just "usgovernment", so that Terraform knows which cloud you're targeting. You can also set this via the ARM_ENVIRONMENT environment variable. At this time we don't automatically pick up the national cloud from your Azure CLI account. Let me know if this works for you, thanks!
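
Both maintainer replies above come down to one question: which audience the access token was issued for, and whether that matches the Microsoft Graph endpoint the provider will call for the configured environment. The following is an added example, not code from this issue or from the AzureAD provider. It decodes a JWT's claims locally (no signature check, for inspection only) and compares the aud claim with the Graph base URL for a given provider environment value. The GRAPH_ENDPOINTS table, the function names and the sample token are assumptions: the "public" and "usgovernment" entries follow this thread and the az cloud show output above, while the "china" entry is taken from Microsoft's national-cloud documentation and does not appear on this page.

```python
import base64
import json

# Microsoft Graph base URL per AzureAD provider `environment` value (assumed table).
# "public" and "usgovernment"/"usgovernmentl4" follow this thread and `az cloud show`;
# "china" is from Microsoft's national-cloud docs and is not mentioned on this page.
GRAPH_ENDPOINTS = {
    "public": "https://graph.microsoft.com",
    "usgovernment": "https://graph.microsoft.us",
    "usgovernmentl4": "https://graph.microsoft.us",
    "china": "https://microsoftgraph.chinacloudapi.cn",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    This is for local inspection only (which audience/tenant a token was minted
    for). Unverified claims must never drive an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def expected_graph(environment: str) -> str:
    """Graph base URL the provider would call for this `environment` value."""
    try:
        return GRAPH_ENDPOINTS[environment.lower()]
    except KeyError:
        raise ValueError(f"unknown AzureAD provider environment {environment!r}") from None


def audience_matches(token: str, environment: str) -> bool:
    """True if the token's aud claim is the Graph endpoint for `environment`.

    A mismatch is exactly the failure in this issue: a token minted for
    graph.microsoft.us presented to graph.microsoft.com (the provider's default
    when `environment` is unset) is rejected with 401 InvalidAuthenticationToken
    / Invalid audience.
    """
    aud = jwt_claims(token).get("aud", [])
    audiences = aud if isinstance(aud, list) else [aud]  # RFC 7519 allows a list
    want = expected_graph(environment)
    return any(str(a).rstrip("/") == want for a in audiences)


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED (alg=none) JWT for offline testing only."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


# Constructed sample (assumption): the aud a token requested with
#   az account get-access-token --resource https://graph.microsoft.us
# would carry. Real tokens have many more claims and a signature.
SAMPLE_USGOV_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.us",
    "tid": "00000000-0000-0000-0000-000000000000",
})

if __name__ == "__main__":
    for env in ("usgovernment", "public"):
        ok = audience_matches(SAMPLE_USGOV_TOKEN, env)
        verdict = "OK" if ok else "MISMATCH (expect 401 Invalid audience)"
        print(f"environment={env:13s} aud={jwt_claims(SAMPLE_USGOV_TOKEN)['aud']} -> {verdict}")
```

To inspect a real token, pass the output of `az account get-access-token --resource https://graph.microsoft.us --query accessToken -o tsv` to `audience_matches` locally; do not paste access tokens into an issue or a debug log. The check only handles the URL form of aud; Graph tokens can also carry the Graph application ID as the audience, in which case this helper reports no match and the claim has to be read by hand.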

@valerio-battelle (Author) commented

@manicminer, sorry for the confusion, but now I understand. I set this up in azure CLI via az cloud set --name AzureUSGovernment and thought this was all I needed to do. I set the environment property on the provider to usgovernment, and now I am getting the correct graph endpoint API. Thanks for the help.

@github-actions commented

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 11, 2021