azure_keyvault_secret lookup might be broken

[pat-s]

SUMMARY

lookup('azure.azcollection.azure_keyvault_secret' doesn't seem to work, no matter the auth method.

ISSUE TYPE

• Bug Report

COMPONENT NAME

ANSIBLE VERSION

ansible [core 2.18.1]

COLLECTION VERSION

3.1.0

CONFIGURATION

OS / ENVIRONMENT

STEPS TO REPRODUCE

Tried to authenticate via az login, via explicit credentials (client_id, secret, tenant_id`) or env vars. All fail. Each of them with slighltly different methods

lookup('azure.azcollection.azure_keyvault_secret', 'secret', vault_url='<vault url>')

lookup('azure.azcollection.azure_keyvault_secret', 'secret', client_id='<client_id>',tenant_id='<tenant_id>',secret='<secret>',vault_url='<vault url>')

Yes, I can query secrets in the respective key vault and the credentials are correct.
I am Key vault admin and the credentials are used in other automation workflows.

EXPECTED RESULTS

Authentication works and secrets are returned.

ACTUAL RESULTS

# env var auth
FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'azure.azcollection.azure_keyvault_secret'. Error was a <class 'NameError'>, original message: name 'DefaultAzureCredential' is not defined. name 'DefaultAzureCredential' is not defined"}

# keyword auth
FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'azure.azcollection.azure_keyvault_secret'. Error was a <class 'NameError'>, original message: name 'ClientSecretCredential' is not defined. name 'ClientSecretCredential' is not defined"}

[kandrew5]

I facing the same problem

EDIT:
It was related to the python version I has installed. Once I changed to a supported one, it worked

[olljanat]

FYI, I ended up to this issue because having two versions of azure.azcollection installed and had installed requirements from old one.

You can easily check if that is the case in your environment with command ansible-galaxy collection list

[pat-s]

So, what are the problematic downstream dependencies then which need to be updated? Didn't have a change yet to test again but will do again soonish.

[Fred-sun]

@pat-s @olljanat According to the error, the 'DefaultAzureCredential' and 'ClientSecretCredential' was not imported successfully, Can you check whether ‘azure-identity'’ is installed in your environment? Thank you very much!

[misterpoulet]

I also hit this problem, and I think there's something wrong with how TOKEN_ACQUIRED is set.

I'm using a service principle, not MSI, and yet the lookup insists on using MSI authentication.

PLAY [test_az_keyvault] ********************************************************
Friday 10 January 2025  19:20:57 +0000 (0:00:00.020)       0:00:00.020 ******** 
exception during Jinja2 execution: Traceback (most recent call last):
  File "/usr/share/ansible/collections/ansible_collections/azure/azcollection/plugins/lookup/azure_keyvault_secret.py", line 212, in run
    ret.append(secret_res.json()["value"])
KeyError: 'value'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/ansible/template/__init__.py", line 865, in _lookup
    ran = instance.run(loop_terms, variables=self._available_variables, **kwargs)
  File "/usr/share/ansible/collections/ansible_collections/azure/azcollection/plugins/lookup/azure_keyvault_secret.py", line 214, in run
    raise AnsibleError('Failed to fetch secret ' + term + '.')
ansible.errors.AnsibleError: Failed to fetch secret mykey-key1.

TASK [Displaying the result of the keyvault_keys] ******************************
task path: /etc/ansible/tooling-ansible/test_az_keyvault.yml:23
fatal: [localhost]: FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'azure.azcollection.azure_keyvault_secret'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Failed to fetch secret mykey-key1.. Failed to fetch secret mykey-key1."
}

PLAY RECAP *********************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   
Friday 10 January 2025  19:20:58 +0000 (0:00:00.812)       0:00:00.832 ******** 
=============================================================================== 
Displaying the result of the keyvault_keys ------------------------------ 0.81s

I was able to solve this problem by specifying use_msi=false

[Fred-sun]

@pat-s Do your problems still exist? Whether the test has installed azure-identity (azcollection/requirements.txt)? Thank you!

[pat-s]

I'll have a look soon and will report back what I found. Thanks already to everyone participating here so far.

[Ratanavery]

facing this issue with msi at this point in time...

is this something intermittent as I remember the same error last week but later vanished but now again facing the same issue!!!

[Fred-sun]

@Ratanavery @misterpoulet Judging from your error and my process of reproducing the problem, it is not a bug。 You need to add access policy to your MSI VM. You can refer to connect (https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal), thank you.

 The following information is displayed for adding an access policy:
ok: [localhost] => {
    "ansible_facts": {
        "object_id": "mysecret"
    },
    "changed": false
}