
Failed to create Azure authorizer in a specific agent pool in Azure Devops #104

Open
mgvinuesa opened this issue Apr 24, 2023 · 7 comments

Comments

@mgvinuesa

mgvinuesa commented Apr 24, 2023

Hello,

I have a very strange error using the sops provider in my terraform pipelines.
While terraform itself can retrieve the key needed to work with the file, the SOPS provider can't, giving me the following error:

2023-04-24T10:29:04.932Z [ERROR] vertex "data.sops_file.charset" error: Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  <kid of the key>: FAILED
    - | Invoking Azure CLI failed with the following error: ERROR:
      | Please run 'az login' to setup account.


Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
2023-04-24T10:29:04.932Z [ERROR] vertex "data.sops_file.charset (expand)" error: Failed to get the data key required to decrypt the SOPS file.

It is important to note that adding this in my terraform file:

data "azurerm_key_vault_key" "key" {
  name         = "<KEY NAME>"
  key_vault_id = data.azurerm_key_vault.keyvault_connections.id
}

output "KeyId" {
  value = data.azurerm_key_vault_key.key.id
}

it works properly, retrieving the key id.
If I put terraform in DEBUG, I can only see the following line:

2023-04-24T10:29:04.931Z [DEBUG] provider.terraform-provider-sops_v0.7.2: [AZKV] time="2023-04-24T10:29:04Z" level=error msg="Failed to create Azure authorizer" error="Invoking Azure CLI failed with the following error: ERROR: Please run 'az login' to setup account.\n"

But the login using the service principal has been done; if not, the terraform output would not work. I'm using the following versions:

Terraform version: 1.4.5
SOPS: 0.7.2
Azurerm: v3.53.0

Obviously the process on my local machine works without any problem. So there is something (configuration...) that SOPS needs in the agent pool to work properly.

Important to say that I pass the needed env variables to the script; I don't do az login explicitly.

- script: |
    ...
  env:
    ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
    ARM_SUBSCRIPTION_ID: $(ARM_SUBSCRIPTION_ID)
    ARM_TENANT_ID: $(ARM_TENANT_ID)
    ARM_CLIENT_ID: $(ARM_CLIENT_ID)
    TF_VAR_client_id: $(ARM_CLIENT_ID)
    TF_VAR_client_secret: $(ARM_CLIENT_SECRET)
    TF_LOG: DEBUG

Any idea?

@schmichri

schmichri commented May 8, 2023

I have the same issue.
My workaround was an az login with the service principal before the terraform run:

 az login --service-principal -u $(ARM_CLIENT_ID) -p $(ARM_CLIENT_SECRET) --tenant $(ARM_TENANT_ID)
 terraform apply -auto-approve

@jplee75

jplee75 commented May 9, 2023

Also experiencing this issue

@mruoss

mruoss commented Sep 19, 2023

I see a similar but probably related issue. I'm running a GitHub workflow using Azure Workload Identity to authenticate with Azure. The Azure Login step succeeds earlier in the workflow. This fails while it succeeded with version 0.7.2 of this provider.

Group 0: FAILED
  https://***redacted***.vault.azure.net/keys/sops-key/***redacted***: FAILED
    - | failed to decrypt sops data key with Azure Key Vault key
      | 'https://***redacted***.vault.azure.net/keys/sops-key/***redacted***':
      | DefaultAzureCredential authentication failed
      | GET http://169.254.169.254/metadata/identity/oauth2/token
      | --------------------------------------------------------------------------------
      | RESPONSE 400 Bad Request
      | --------------------------------------------------------------------------------
      | ***
      |   "error": "invalid_request",
      |   "error_description": "Identity not found"
      | ***
      | --------------------------------------------------------------------------------

@carlpett
Owner

Is this still an issue? I actually doubt it is related here, but would be good to understand if it is still seen.

@jplee75

jplee75 commented Dec 10, 2024

I was using the az login before my apply workaround. I can try removing it and running one of my pipelines to see if it still occurs, and get back to you.

@jplee75

jplee75 commented Dec 26, 2024

Tried commenting my az login out before my TF plan step in my pipeline script and still get errors, although the error seems a bit more verbose now:
│ Error: Failed to get the data key required to decrypt the SOPS file.

│ Group 0: FAILED
https://removed: FAILED
│ - | failed to decrypt sops data key with Azure Key Vault key
│ | https://removed:
│ | DefaultAzureCredential: failed to acquire a token.
│ | Attempted credentials:
│ | EnvironmentCredential: missing environment variable
│ | AZURE_TENANT_ID
│ | WorkloadIdentityCredential: no client ID specified. Check
│ | pod configuration or set ClientID in the options
│ | ManagedIdentityCredential: failed to authenticate a system
│ | assigned identity. The endpoint responded with
│ | {"error":"invalid_request","error_description":"Identity not
│ | found"}
│ | AzureCLICredential: ERROR: Please run 'az login' to setup
│ | account.
│ |
│ | AzureDeveloperCLICredential: Azure Developer CLI not found
│ | on path

│ Recovery failed because no master key was able to decrypt the file. In
│ order for SOPS to recover the file, at least one key has to be successful,
│ but none were.

@jplee75

jplee75 commented Dec 27, 2024

I thought about this a bit last night, wondering if this is because terraform is using the $ARM_* env vars and this is probably looking for the $AZURE_* envs for tenant, client, etc.
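The hypothesis above matches the verbose output in the previous comment, where EnvironmentCredential reports a missing AZURE_TENANT_ID. As an added example (not from the thread or the provider), this POSIX shell helper derives the AZURE_* variables that the Azure SDK's EnvironmentCredential reads from the ARM_* variables the pipeline already exports, so the sops provider can authenticate without an extra `az login -p <secret>` that puts the client secret on the command line; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the issue or the sops provider.
# EnvironmentCredential reads AZURE_TENANT_ID, AZURE_CLIENT_ID and
# AZURE_CLIENT_SECRET; Terraform's azurerm provider reads ARM_* instead.
# Derive the former from the latter so both tools use the same principal.

# Export each AZURE_* variable from its ARM_* counterpart unless it is already
# set. Returns 1 (and names the missing variable) when an ARM_* value is
# absent, so the pipeline fails before reaching the decrypt step.
map_arm_to_azure_env() {
    for pair in "ARM_TENANT_ID:AZURE_TENANT_ID" \
                "ARM_CLIENT_ID:AZURE_CLIENT_ID" \
                "ARM_CLIENT_SECRET:AZURE_CLIENT_SECRET"; do
        src=${pair%%:*}
        dst=${pair#*:}
        eval "src_val=\${$src:-}"
        eval "dst_val=\${$dst:-}"
        if [ -z "$dst_val" ]; then
            if [ -z "$src_val" ]; then
                echo "map_arm_to_azure_env: $src is not set; cannot derive $dst" >&2
                return 1
            fi
            export "$dst=$src_val"
        fi
    done
    return 0
}

# Report which AZURE_* variables are present without printing their values
# (the secret must not end up in pipeline logs). Returns 0 only when all
# three are non-empty.
check_azure_env() {
    ok=0
    for v in AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET; do
        eval "val=\${$v:-}"
        if [ -n "$val" ]; then
            echo "$v: set"
        else
            echo "$v: MISSING" >&2
            ok=1
        fi
    done
    return $ok
}

# Typical pipeline step (not executed here): map, verify, then run terraform.
#   map_arm_to_azure_env && check_azure_env && terraform plan
```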
