
Failed to create Azure authorizer in a specific agent pool in Azure Devops #104

Open
mgvinuesa opened this issue Apr 24, 2023 · 3 comments


@mgvinuesa

mgvinuesa commented Apr 24, 2023

Hello,

I have a very strange error using the sops provider in my terraform pipelines.
While terraform itself can retrieve the key needed to work with the file, the SOPS provider can't, giving me the following error:

2023-04-24T10:29:04.932Z [ERROR] vertex "data.sops_file.charset" error: Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  <kid of the key>: FAILED
    - | Invoking Azure CLI failed with the following error: ERROR:
      | Please run 'az login' to setup account.


Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
2023-04-24T10:29:04.932Z [ERROR] vertex "data.sops_file.charset (expand)" error: Failed to get the data key required to decrypt the SOPS file.

It is important to note that adding this in my terraform file:

data "azurerm_key_vault_key" "key" {
  name         = "<KEY NAME>"
  key_vault_id = data.azurerm_key_vault.keyvault_connections.id
}

output "KeyId" {
  value = data.azurerm_key_vault_key.key.id
}

it works properly, retrieving the key id.
If I run terraform in DEBUG I can only see the following line:

2023-04-24T10:29:04.931Z [DEBUG] provider.terraform-provider-sops_v0.7.2: [AZKV] time="2023-04-24T10:29:04Z" level=error msg="Failed to create Azure authorizer" error="Invoking Azure CLI failed with the following error: ERROR: Please run 'az login' to setup account.\n"

But the login using the service principal has been done; if not, the terraform output would not work. I'm using the following versions:

Terraform version: 1.4.5
SOPS: 0.7.2
Azurerm: v3.53.0

Obviously the process on my local machine works without any problem. So there is something (configuration...) that SOPS needs in the agent pool to work properly.

Important to say that I pass the needed env variables to the script; I don't do az login explicitly.

- script: |
    ...
  env:
    ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
    ARM_SUBSCRIPTION_ID: $(ARM_SUBSCRIPTION_ID)
    ARM_TENANT_ID: $(ARM_TENANT_ID)
    ARM_CLIENT_ID: $(ARM_CLIENT_ID)
    TF_VAR_client_id: $(ARM_CLIENT_ID)
    TF_VAR_client_secret: $(ARM_CLIENT_SECRET)
    TF_LOG: DEBUG

Any idea?

@schmichri

schmichri commented May 8, 2023

I have the same issue.
My workaround was az login with the service principal before the terraform run:

az login --service-principal -u $(ARM_CLIENT_ID) -p $(ARM_CLIENT_SECRET) --tenant $(ARM_TENANT_ID)
terraform apply -auto-approve
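A preflight script for the workaround above, written as an added example (not code from the issue or from the provider project). It assumes the `az` CLI is installed on the agent and reads the ARM_* variables the first post already exports to the script, so the pipeline fails early with a clear message when one is missing instead of surfacing the provider's "Please run 'az login'" error mid-apply.

```shell
#!/bin/sh
# Preflight for the sops provider's Azure CLI auth path (added example).
# The provider shells out to `az`, so it needs a CLI session even when
# terraform's azurerm provider is already authenticated via ARM_* variables.

# Returns 0 when every variable needed for a service-principal login is set,
# prints the missing names to stderr and returns 1 otherwise.
check_arm_env() {
  missing=0
  for v in ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing required variable: $v" >&2
      missing=1
    fi
  done
  return $missing
}

# Returns 0 if the Azure CLI already holds an account context.
az_session_ok() {
  az account show >/dev/null 2>&1
}

# Logs the CLI in with the service principal only when no session exists,
# then pins the subscription so Key Vault lookups target the right one.
ensure_az_login() {
  check_arm_env || return 1
  if az_session_ok; then
    echo "Azure CLI session already present, skipping az login"
    return 0
  fi
  az login --service-principal \
    --username "$ARM_CLIENT_ID" \
    --password "$ARM_CLIENT_SECRET" \
    --tenant "$ARM_TENANT_ID" \
    --output none || return 1
  az account set --subscription "$ARM_SUBSCRIPTION_ID"
}

# Usage in the pipeline step (assumes the env block from the first post):
#   . ./sops_preflight.sh && ensure_az_login && terraform apply -auto-approve
```

Run `ensure_az_login` before `terraform` in the same step so the CLI token cache it creates is visible to the provider process.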

@jplee75

jplee75 commented May 9, 2023

Also experiencing this issue

@mruoss

mruoss commented Sep 19, 2023

I see a similar but probably related issue. I'm running a GitHub workflow using Azure Workload Identity to authenticate with Azure. The Azure Login step succeeds earlier in the workflow. This fails while it succeeded with version 0.7.2 of this provider.

Group 0: FAILED
  https://***redacted***.vault.azure.net/keys/sops-key/***redacted***: FAILED
    - | failed to decrypt sops data key with Azure Key Vault key
      | 'https://***redacted***.vault.azure.net/keys/sops-key/***redacted***':
      | DefaultAzureCredential authentication failed
      | GET http://169.254.169.254/metadata/identity/oauth2/token
      | --------------------------------------------------------------------------------
      | RESPONSE 400 Bad Request
      | --------------------------------------------------------------------------------
      | ***
      |   "error": "invalid_request",
      |   "error_description": "Identity not found"
      | ***
      | --------------------------------------------------------------------------------
