
My Release pipeline was working very fine until I deleted app registration/Service Principal from UI and created a new one using the below command.

az ad sp create-for-rbac --name <Name of Service Principal> --password <Password>

I updated the values I got from the above command in the "Variable Groups" shown below, which are linked to the release pipelines.

However, when I get to the terraform plan task, which is defined as below:

Terraform plan -out main.plan -var "ARM_SUBSCRIPTION_ID=$(TF_VAR_ARM_SUBSCRIPTION_ID)" -var "ARM_CLIENT_ID=$(TF_VAR_ARM_CLIENT_ID)" -var "ARM_CLIENT_SECRET=$(TF_VAR_ARM_CLIENT_SECRET)" -var "ARM_TENANT_ID=$(TF_VAR_ARM_TENANT_ID)"

I get the error message below:

* provider.azurerm: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/***/providers?api-version=2016-02-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier '***()' was not found in the directory '***'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 7a1e3f3a-5171-4044-b59a-49a78d3df300\r\nCorrelation ID: f61d0e14-ecf7-45b9-bbc7-e357ddb7b1dd\r\nTimestamp: 2019-03-12 10:22:16Z","error_codes":[700016],"timestamp":"2019-03-12 10:22:16Z","trace_id":"7a1e3f3a-5171-4044-b59a-49a78d3df300","correlation_id":"f61d0e14-ecf7-45b9-bbc7-e357ddb7b1dd","error_uri":"https://login.microsoftonline.com/error?code=700016"}
2019-03-12T10:22:16.4925828Z 

Just before this task there is a cmd task which executes az account login with the Service Principal. In the log output I can clearly see the output of az account show, so why is this task not working?

Output of the CMD task:

2019-03-12T11:58:05.4615044Z Environment variable -x not defined
2019-03-12T11:58:05.4615608Z ***
2019-03-12T11:58:05.4667686Z ***
2019-03-12T11:58:05.4668423Z ***
2019-03-12T11:58:05.4669112Z ***
2019-03-12T11:58:05.4669557Z "Subscription ID=> ***"
2019-03-12T11:58:48.5462240Z [
2019-03-12T11:58:48.5463710Z   {
2019-03-12T11:58:48.5464432Z     "cloudName": "AzureCloud",
2019-03-12T11:58:48.5464946Z     "id": "***",
2019-03-12T11:58:48.5465917Z     "isDefault": true,
2019-03-12T11:58:48.5469154Z     "name": "Visual Studio Enterprise",
2019-03-12T11:58:48.5469568Z     "state": "Enabled",
2019-03-12T11:58:48.5469843Z     "tenantId": "***",
2019-03-12T11:58:48.5470058Z     "user": {
2019-03-12T11:58:48.5470290Z       "name": "***",
2019-03-12T11:58:48.5470496Z       "type": "servicePrincipal"
2019-03-12T11:58:48.5471388Z     }
2019-03-12T11:58:48.5471648Z   }
2019-03-12T11:58:48.5471999Z ]

Its definition is as below:

echo $(TF_VAR_ARM_SUBSCRIPTION_ID)

echo $(TF_VAR_ARM_TENANT_ID)

echo $(TF_VAR_ARM_CLIENT_SECRET)

echo $(TF_VAR_ARM_CLIENT_ID)

echo "Subscription ID=> $(TF_VAR_ARM_SUBSCRIPTION_ID)"

az login --service-principal -u  $(TF_VAR_ARM_CLIENT_ID) -p  $(TF_VAR_ARM_CLIENT_SECRET) --tenant $(TF_VAR_ARM_TENANT_ID)

az account show

Before, I was able to provision resources without any issue.

  • Did you grant permissions to the service principal? Commented Mar 12, 2019 at 12:21
  • I believe the az ad sp create-for-rbac --name <Name of Service Principal> --password <Password> command grants permissions? As I used the same Service Principal on my VM and it could provision resources without any issue. Commented Mar 12, 2019 at 12:31
  • Ah right, didn't catch that. Commented Mar 12, 2019 at 12:33
  • What I do in my tasks: I just use build variables named as cf wants them to be named (ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, etc.) and don't declare anything. It just works. Commented Mar 12, 2019 at 12:44
  • May need a separate question. I have drilled down into the problem; it looks like the access token is getting lost: * provider.azurerm: Error building AzureRM Client: Error populating Client ID from the Azure CLI: No Authorization Tokens were found - please re-authenticate using az login. Commented Mar 13, 2019 at 5:25

1 Answer

Hopefully you've already resolved this, but in case anyone else has a similar issue, this is how I resolved the same error. If you're using a service principal to auth, you need to make sure the azurerm provider has all of the necessary values (this happens automagically with a normal Azure CLI login, as it sets the proper env variables for you). The easiest way to do this is to make sure your provider is set up like the below (and the appropriate values are provided for each of the variables through --var or --var-file).

provider "azurerm" {
  version         = "=1.24.0"
  tenant_id       = "${var.tenant}"
  subscription_id = "${var.subscription}"
  client_id       = "${var.client_id}"
  client_secret   = "${var.client_secret}"
}
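The failure in the question (AADSTS700016, and later "No Authorization Tokens were found") comes down to the plan step not receiving usable service-principal values: the az login in the cmd task does not carry over to the Terraform task, so the IDs and secret have to reach the azurerm provider directly, either through the -var path the answer describes or through the ARM_* environment variables the provider reads (the approach in the comments). The preflight script below is an added example, not code from the question or the answer, for the bash flavour of such a task. It checks that the three IDs have the GUID shape (a non-GUID or swapped value is the usual reason the directory reports "Application with identifier ... was not found"), refuses to proceed with an empty secret, exports the values under the ARM_* names, and logs only redacted values instead of echoing the secret as the question's cmd task does. The function names is_guid, redact and check_arm_creds and the ARM_PREFLIGHT_RUN switch are my own; the TF_VAR_ARM_* variable names are taken from the question.

```shell
#!/bin/sh
# Preflight for a pipeline bash task that runs terraform with a service
# principal. Added example; assumes the four TF_VAR_ARM_* pipeline variables
# from the question are mapped into the task environment.

# Returns 0 if $1 has the GUID shape (8-4-4-4-12 hex) that client, tenant
# and subscription IDs use. A value failing this check is a typical cause of
# AADSTS700016 ("Application with identifier ... was not found").
is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Prints the first 4 characters of $1 followed by "****", so the log shows
# which value was used without exposing it.
redact() {
    printf '%s****\n' "$(printf '%s' "$1" | cut -c1-4)"
}

# check_arm_creds SUBSCRIPTION_ID TENANT_ID CLIENT_ID CLIENT_SECRET
# Validates the four values and, on success, exports them under the ARM_*
# names the azurerm provider reads, so the plan step does not depend on the
# az CLI token cache or on -var plumbing. Returns 1 if any value is unusable.
check_arm_creds() {
    sub="$1"; tenant="$2"; client="$3"; secret="$4"
    rc=0
    for pair in "subscription:$sub" "tenant:$tenant" "client_id:$client"; do
        name="${pair%%:*}"; value="${pair#*:}"
        if ! is_guid "$value"; then
            echo "preflight: $name is not a GUID: '$(redact "$value")'" >&2
            rc=1
        fi
    done
    if [ -z "$secret" ]; then
        echo "preflight: client secret is empty (secret variables must be mapped explicitly)" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] || return 1
    export ARM_SUBSCRIPTION_ID="$sub" ARM_TENANT_ID="$tenant" \
           ARM_CLIENT_ID="$client" ARM_CLIENT_SECRET="$secret"
    return 0
}

# Pipeline entry point: only runs when ARM_PREFLIGHT_RUN=1 so the functions
# above can be sourced and tested without calling terraform.
if [ "${ARM_PREFLIGHT_RUN:-0}" = "1" ]; then
    check_arm_creds "$TF_VAR_ARM_SUBSCRIPTION_ID" "$TF_VAR_ARM_TENANT_ID" \
                    "$TF_VAR_ARM_CLIENT_ID" "$TF_VAR_ARM_CLIENT_SECRET" || exit 1
    echo "preflight: client $(redact "$ARM_CLIENT_ID") in tenant $(redact "$ARM_TENANT_ID")"
    # No -var flags needed: the provider picks up the ARM_* environment.
    terraform plan -out main.plan
fi
```

Two things to keep in mind when dropping this into a pipeline: Azure Pipelines does not expose secret variables to tasks as environment variables automatically, so TF_VAR_ARM_CLIENT_SECRET has to be mapped into the task's env explicitly, and the redacted log lines are still the only thing that should ever be printed; the masking the agent applies to *** in the question's log is best effort and does not cover values that have been transformed.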
