auxiliary_tenant_ids LinkedAuthorizationFailed errors after azurerm v3.43.0 #21346
Comments
Hi @nateoconnell thanks for raising the issue! I'm able to repro the issue locally. And after a few rounds of testing, I'm able to work around it with the Service Principal + Client Secret authentication https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret#configuring-the-service-principal-in-terraform. I guess there might be a misconfiguration with the
Thank you for looking into it! Currently I'm pinning to 3.43.0 for the builds that need the multitenant access, but will look into the Service Principal + Client Secret authentication as a workaround if I'm not able to maintain that pin.
@myc2h6o It works in 3.42 with the same … which suggests that the problem is likely to be in the code that obtains the tokens from az rather than az itself.
Many thanks for reporting this and helping to narrow down the cause of this bug. This is due to a bug in our SDK which should get fixed soon.
Resolved with #21583
This functionality has been released in v3.54.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Is there an existing issue for this?
Community Note
Terraform Version
1.4.4
AzureRM Provider Version
3.51.0
Affected Resource(s)/Data Source(s)
azurerm_linux_virtual_machine
Terraform Configuration Files
Debug Output/Panic Output
https://gist.github.com/nateoconnell/7148e9e71c7b0dacc08b06ddc694803a
Expected Behaviour
Terraform is able to provision a VM in one subscription using an image reference from a subscription in another tenant as long as the user running the apply has required permissions in both tenants and the image source tenant is specified in the `auxiliary_tenant_ids` provider configuration list.

After upgrading from azurerm v3.12.0 to v3.48.0 I found that I was no longer able to build VMs in one subscription from OS images from a compute gallery in another subscription using the `auxiliary_tenant_ids` argument in the azurerm provider config. It looks like some changes to auth sdks occurred between 3.43.0 and 3.44.0. I was able to confirm that I am able to build VMs successfully with 3.43.0, but run into `LinkedAuthorizationFailed` errors with version 3.44.0, 3.48.0, and the current latest 3.51.0 by swapping the provider version pin in the provided configuration.
Actual Behaviour
With azurerm versions `>= 3.44.0` this no longer seems to work and a `LinkedAuthorizationFailed` error is produced.
Steps to Reproduce
To reproduce the issue two tenants are needed, one with an OS image in a compute gallery replicated to the region in which a target VM should be built under the second tenant.
`3.44.0`, `3.48.0`, or `3.51.0` in the provided terraform configuration and set the tenant, subscription, and image related values
`terraform init`, `validate`, `plan`, `apply` and the resource group and network components will be built successfully, but the VM creation will fail with the `LinkedAuthorizationFailed` error.
`3.43.0` and run `terraform init -upgrade`
`terraform apply` and the VM will build successfully.
Important Factoids
No response
References
Possibly related to #20320