-
Notifications
You must be signed in to change notification settings - Fork 301
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Access token has expired or is not yet valid #918
Comments
Hi @alejandro-gallardo-ntt, thanks for reporting this! The provider is supposed to renew access tokens without interrupting a long-running apply operation, so this could well be a bug in how we are handling that. Please can you advise the authentication method you're using when this happens? Also, if you have a debug log that includes the requests and responses leading to this error, that would be incredibly helpful - though I understand this is challenging given the provisioning times involved. |
Hi @manicminer , I´m authenticating via Azure CLI. I have some requests and responses from previous executions, Times may not match because they are from different runs, but I hope it helps: Token claim just after running 2022-10-21T07:54:43.257+0100 [INFO] provider.terraform-provider-azuread_v2.24.0_x5: 2022/10/21 07:54:43 [DEBUG] AzureAD Provider access token claims: {"aud":"https://graph.microsoft.com","iss":"https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx/","idp":"https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx/","oid":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","roles":null,"scp":"AuditLog.Read.All Directory.AccessAsUser.All email Group.ReadWrite.All openid profile User.ReadWrite.All","sub":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","tenant_region_scope":"EU","tid":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","ver":"1.0","app_displayname":"Microsoft Azure CLI","appid":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","idtyp":"user"}: timestamp=2022-10-21T07:54:43.256+0100 And the API call after the Managed Instance is created: [DEBUG] ============================ Begin AzureAD Request ============================
Request ID: e11aa914-2fd9-4e18-ff39-074b37fd4d65
GET /v1.0/xxxxxxxxxxxxxxxxxxxxxxxxxx/directoryRoles/88d8e3e3-8f55-4a1e-953a-9b9898b8876b HTTP/1.1
Host: graph.microsoft.com
User-Agent: HashiCorp Terraform/1.1.5 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azuread/dev Hamilton (Go-http-client/1.1) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Accept: application/json; charset=utf-8; IEEE754Compatible=false
Content-Type: application/json; charset=utf-8
Odata-Maxversion: 4.0
Odata-Version: 4.0
Accept-Encoding: gzip
============================= End AzureAD Request =============================: timestamp=2022-10-21T00:51:47.634+0100
2022-10-21T00:51:47.987+0100 [INFO] provider.terraform-provider-azuread_v2.24.0_x5: 2022/10/21 00:51:47
[DEBUG] ============================ Begin AzureAD Response ===========================
GET https://graph.microsoft.com/v1.0/xxxxxxxxxxxxxxxxxxxxxxxxxxxx/directoryRoles/88d8e3e3-8f55-4a1e-953a-9b9898b8876b
Request ID: e11aa914-2fd9-4e18-ff39-074b37fd4d65
HTTP/1.1 401 Unauthorized
Transfer-Encoding: chunked
Client-Request-Id: 7e7186c4-6071-4fea-8555-5618f2b3c5ed
Content-Type: application/json
Date: Thu, 20 Oct 2022 23:51:46 GMT
Request-Id: 7e7186c4-6071-4fea-8555-5618f2b3c5ed
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
Www-Authenticate: Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000"
X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"North Europe","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"DU2PEPF000135B8"}}
104
{"error":{"code":"InvalidAuthenticationToken","message":"Access token has expired or is not yet valid.","innerError":{"date":"2022-10-20T23:51:47","request-id":"7e7186c4-6071-4fea-8555-5618f2b3c5ed","client-request-id":"7e7186c4-6071-4fea-8555-5618f2b3c5ed"}}}
0
============================= End AzureAD Response ============================ If you need more detailed logs or anything else, please let me know. I could create another instance. |
@alejandro-gallardo-ntt Thanks! This should be enough for me to try out a few things. |
@manicminer I am facing the same issue when destroying a sqlmi cluster with 1 replica + failover group + 2 DBs. The destroy process is taking more than 1 hour and one of the last activity I guess is to remove the directory reader role to the SQL MI instances or msi. Looks like the access token was not refreshed. Test was done with logged in user with cli flow
|
Thanks @LaurentLesle, I believe this is related to hashicorp/terraform-provider-azurerm#20867 and we should have a fix out this week. |
This functionality has been released in v2.39.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
I can confirm it is fixed with version 2.39.0. Thanks! |
Fixed with #1100 |
Community Note
Terraform (and AzureAD Provider) Version
Terraform v1.3.2
provider registry.terraform.io/hashicorp/azuread v2.29.0
provider registry.terraform.io/hashicorp/azurerm v3.16.0
Affected Resource(s)
azuread_XXXXX
Terraform Configuration Files
Description
Happening in this particular case with
azuread_directory_role_assignment
, but it could happen with any AzureAD resource.When creating a SQL Managed Instance and the corresponding Role Assignment, this last one fails because the Managed Instance creation lasts almost 4 hours and it seems like by then the AzureAD token is expired:
When running
terraform apply
again once the Managed Instance is created, authentication happens and right after the Role Assignment is created without problem.Expected Behavior
Role assignment succesully created.
Actual Behavior
Role assignment creation fails due to expired token.
Steps to Reproduce
terraform apply
Important Factoids
References
The text was updated successfully, but these errors were encountered: