Azure CLI: refreshing the token fails

[tombuildsstuff]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

---

Porting this over from hashicorp/terraform-provider-azurerm#2602 where it was originally reported by @btai24 and @torumakabe:

Error: Error applying plan:

1 error(s) occurred:

* azurerm_resource_group.shared (destroy): 1 error(s) occurred:

* azurerm_resource_group.shared: Error deleting Resource Group "myrg": azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to
https://management.azure.com/subscriptions/myid/operationresults/myresult?api-version=2018-05-01: StatusCode=0 -- Original Error: Manually created ServicePrincipalToken does not contain secret material to retrieve a new access token

[usrbinpikachu]

FWIW this is reliably reproducible when building VM Scale Sets. It fails a few seconds past the 58m31s mark every time I run the plan I'm currently working on.

Original Error: Manually created ServicePrincipalToken does not contain secret material to retrieve a new access token

[gvilarino]

Happening to me as well every time I create a VM with attached disks

Is there a provided version downgrade that could help? Currently using 1.22

[alert101]

I get this error while trying to create an AKS cluster using azurerm_kubernetes_cluster.
Terraform v0.11.11
provider.azurerm v1.21.0 and v1.22.1.

[AhmedAZafar]

I get this error while trying to add an azure virtual machine extension for my VMs.

I am adding the Microsoft's Azure Active Directory Linux SSH to allow users on the azure portal to access the VMs I create with Terraform. Details of the extension are:-

resource "azurerm_virtual_machine_extension" "AADLogin" {
...
  publisher = "Microsoft.Azure.ActiveDirectory.LinuxSSH"
  type = "AADLoginForLinux"

  type_handler_version = "1.0"
}

Versions:

Terraform: v0.11.11
azurerrm: v1.22.0

[obikay200]

Thanks very much for the release of 0.5.0 provider has some useful feature for stack.

However, im getting this issue when running terraform plan against 1811 release of stack, the stack will be updated but i dont think thats the problem.

terraform validate passes - ok.
terraform plan / apply - fails.
disabled provider registration - still fails

terraform - v0.11.13
azurestack provider - v0.5.0
stack - v1811 (disconnected with ADFS)
auth method - service principle client ID/Secret ( has the correct permissions for API / Subscription)

Error

Error: Error running plan: 1 error(s) occurred:

* provider.azurestack: Unable to list provider registration status, 
it is possible that this is due to invalid credentials or the service principal does not have permission to use Resource Manager API,
Azure error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the token for the request to https://management.stack.com/subscriptions/ { subscription id }/providers?api-version=2016-02-01: Status code=404
-- Original Error: adal: Refresh request failed. Status code = '404' response body: { html }

This is stopping us using terraform all together.

[obikay200]

Update to above

i have tried all methods of authentication now,

terraform validate passes - ok.
terraform plan / apply - fails.
disabled provider registration - still fails

terraform - v0.11.13
azurestack provider - v0.5.0
stack - v1811 (disconnected with ADFS)
auth method - service principle client certificate/password ( has the correct permissions for API / Subscription)

Error

Error: Error running plan: 1 error(s) occurred:

* provider.azurestack: adal: Refresh request failed. Status code = '404'. response body { html }

This is stopping us using terraform all together.

Using the Azure CLI by itself works, but it cant seem to integrate with terrafom. so sounds like an underlying library problem for the token service.

[erick-thompson]

I'm running into this issue as well, during both provisioning and destruction. Retrying the operation usually works, but it is troublesome.

[scott1138]

Also seeing this problem with Virtual Network Gateway creation after 50 minutes or so:

• azurerm_virtual_network_gateway.vng: Error waiting for completion of AzureRM Virtual Network Gateway "VNG-FreemanHT-SouthCentralUS-Core-Prod" (Resource Group "RG-VNetTest"): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the
  Token for request to https://management.azure.com/subscriptions/REDACTED-GUID/providers/Microsoft.Network/locations/southcentralus/operations/REDACTED-GUID?api-version=2018-08-01: StatusCode=0 -- Original Error: Manually created ServicePrincipalToken does not contain secret material to retrieve a new access token

@tombuildsstuff - I know you guys are super busy and we are totally appreciative of the hard work, but any chance there is an ETA on when this will be resolved?

[CptQuint]

I'm getting this error:

provider.azurerm: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request

When trying to create an AKS cluster using azurerm_kubernetes_cluster. Terraform v0.11.7 provider.azurerm v1.20 and v1.24.

This is using a service principal which works perfectly via the azure cli.

[obikay200]

Update to above

i have tried all methods of authentication now,

terraform validate passes - ok.
terraform plan / apply - fails.
disabled provider registration - still fails

terraform - v0.11.13
azurestack provider - v0.5.0
stack - v1811 (disconnected with ADFS)
auth method - service principle client certificate/password ( has the correct permissions for API / Subscription)

Error

Error: Error running plan: 1 error(s) occurred:

* provider.azurestack: adal: Refresh request failed. Status code = '404'. response body { html }

This is stopping us using terraform all together.

Using the Azure CLI by itself works, but it cant seem to integrate with terrafom. so sounds like an underlying library problem for the token service.

managed to modify the azure adal library to resolve my issue, it is using the tenantid in the request for a token, but with adfs you need to replace the tenantid with "adfs" to hit the correct endpoint

[tombuildsstuff]

@obikay200 oh interesting, is that just for ADFS/disconnected Azure Stack?

[tombuildsstuff]

@CptQuint unfortunately Terraform doesn't support using a Service Principal with the Azure CLI - you can either use the Azure CLI as a user or the Service Principal via credentials (either specified as Environment Variables/in-line) - but unfortunately the Azure CLI doesn't expose all of the information we need when using a Service Principal.

[obikay200]

yeah it seem so because i presume you developed against an SDK stack that does have AD. disconnected only has ADFS, so the underlying adal azure library had to be changed to not provide the tenantid in the request. unless microsoft decide to change the stack api of course.. which is a possiblity!

so i was thinking maybe you guys could have another label in the provider block that defines ADFS true or false maybe that could call a different function in adal during the authentication, or something similar that you know of a better way..

or connected / disconnected

[CptQuint]

@CptQuint unfortunately Terraform doesn't support using a Service Principal with the Azure CLI - you can either use the Azure CLI as a user or the Service Principal via credentials (either specified as Environment Variables/in-line) - but unfortunately the Azure CLI doesn't expose all of the information we need when using a Service Principal.

Sorry, yes this is what I'm doing. I'm passing service provider credentials via a .tfvars file (one per workspace), I just meant these credentials work fine via the azure CLI.

This setup had been working perfectly the last time I used it around December time.