
InvalidAuthenticationTokenAudience with AzureUSGovernment with select modules #836

Closed
cryocaustik opened this issue Apr 27, 2022 · 3 comments
Labels
has_pr PR fixes have been made medium_priority Medium priority

Comments

@cryocaustik

SUMMARY

Unable to use the Virtual Network module to create or view existing resources when using Azure US Government

Setting the Azure CLI cloud to "AzureUSGovernment" and authenticating via az login allows creating and viewing resources via the Azure CLI and creating/viewing resource groups through the azure_rm_resourcegroup module, proving that authentication is valid.

Not sure why it is failing once you use the same authentication and setup for the virtual network

ISSUE TYPE
  • Bug Report
COMPONENT NAME

azure_rm_virtualnetwork

ANSIBLE VERSION
ansible [core 2.12.1]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/cryocaustik/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/cryocaustik/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.9.7 (default, Sep 10 2021, 14:59:43) [GCC 11.2.0]
  jinja version = 3.0.2
  libyaml = True
COLLECTION VERSION
azure.azcollection            1.10.0
CONFIGURATION
none
OS / ENVIRONMENT

OS: Ubuntu 21.10 impish
Kernel: x86_64 Linux 5.13.0-40-generic
Disk: 93G / 220G (45%)
CPU: Intel Core i7-10700K @ 16x 5.1GHz [41.0°C]
GPU: NVIDIA GeForce RTX 3080 Ti
RAM: 5494MiB / 32022MiB

STEPS TO REPRODUCE

Set Azure CLI Cloud to AzureUSGovernment and run the below playbook

---
- name: Create VM with a single instance of Jitsi Meet
  hosts: localhost
  connection: local
  collections:
    - azure.azcollection
  vars_files:
    - variables.yml
  tasks:
    - name: Create resource group
      azure_rm_resourcegroup:
        name: "some-space-rg-virginia"
        location: "usgovvirginia"

    - name: Create virtual network
      azure_rm_virtualnetwork:
        resource_group: "some-space-rg-virginia"
        name: "some-space-vnet-virginia"
        address_prefixes: "11.2.0.0/16"
EXPECTED RESULTS

Task 1 and Task 2 to run successfully, either creating or verifying the existence of the Resource Group and Virtual Network

ACTUAL RESULTS

Task 1 for the resource group runs fine with both creation and verification, but fails on task 2 in creating or verifying the virtual network with an error stating the authentication token is invalid

:cryocaustik: [22-04-26 22:53:04] ➜  azure_rm_issue ansible-playbook ./vm_setup.yml -vvv
ansible-playbook [core 2.12.1]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/cryocaustik/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/cryocaustik/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible-playbook
  python version = 3.9.7 (default, Sep 10 2021, 14:59:43) [GCC 11.2.0]
  jinja version = 3.0.2
  libyaml = True
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: vm_setup.yml ******************************************************************************************************************************************************************************************************************************************************************************************************************
1 plays in ./vm_setup.yml
Read vars_file 'variables.yml'
Read vars_file 'variables.yml'
Read vars_file 'variables.yml'

PLAY [Create VM with a single instance of Jitsi Meet] ***********************************************************************************************************************************************************************************************************************************************************************************
Read vars_file 'variables.yml'

TASK [Gathering Facts] ******************************************************************************************************************************************************************************************************************************************************************************************************************
task path: /home/cryocaustik/dev/azure_rm_issue/vm_setup.yml:2
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: cryocaustik
<127.0.0.1> EXEC /bin/sh -c 'echo ~cryocaustik && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/cryocaustik/.ansible/tmp `"&& mkdir "` echo /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038825.0387151-29281-106998388823219 `" && echo ansible-tmp-1651038825.0387151-29281-106998388823219="` echo /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038825.0387151-29281-106998388823219 `" ) && sleep 0'
Using module file /usr/lib/python3/dist-packages/ansible/modules/setup.py
<127.0.0.1> PUT /home/cryocaustik/.ansible/tmp/ansible-local-29273_frmvne6/tmpw9yx7yte TO /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038825.0387151-29281-106998388823219/AnsiballZ_setup.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038825.0387151-29281-106998388823219/ /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038825.0387151-29281-106998388823219/AnsiballZ_setup.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3 /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038825.0387151-29281-106998388823219/AnsiballZ_setup.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038825.0387151-29281-106998388823219/ > /dev/null 2>&1 && sleep 0'
ok: [localhost]
Read vars_file 'variables.yml'
META: ran handlers
Read vars_file 'variables.yml'

TASK [Create resource group] ************************************************************************************************************************************************************************************************************************************************************************************************************
task path: /home/cryocaustik/dev/azure_rm_issue/vm_setup.yml:10
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: cryocaustik
<127.0.0.1> EXEC /bin/sh -c 'echo ~cryocaustik && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/cryocaustik/.ansible/tmp `"&& mkdir "` echo /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038825.8321133-29412-9895550102509 `" && echo ansible-tmp-1651038825.8321133-29412-9895550102509="` echo /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038825.8321133-29412-9895550102509 `" ) && sleep 0'
Using module file /home/cryocaustik/.ansible/collections/ansible_collections/azure/azcollection/plugins/modules/azure_rm_resourcegroup.py
<127.0.0.1> PUT /home/cryocaustik/.ansible/tmp/ansible-local-29273_frmvne6/tmp01bfeka4 TO /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038825.8321133-29412-9895550102509/AnsiballZ_azure_rm_resourcegroup.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038825.8321133-29412-9895550102509/ /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038825.8321133-29412-9895550102509/AnsiballZ_azure_rm_resourcegroup.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3 /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038825.8321133-29412-9895550102509/AnsiballZ_azure_rm_resourcegroup.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038825.8321133-29412-9895550102509/ > /dev/null 2>&1 && sleep 0'
changed: [localhost] => {
    "changed": true,
    "contains_resources": false,
    "invocation": {
        "module_args": {
            "ad_user": null,
            "adfs_authority_url": null,
            "api_profile": "latest",
            "append_tags": true,
            "auth_source": "auto",
            "cert_validation_mode": null,
            "client_id": null,
            "cloud_environment": "AzureCloud",
            "force_delete_nonempty": false,
            "location": "usgovvirginia",
            "log_mode": null,
            "log_path": null,
            "name": "some-space-rg-virginia",
            "password": null,
            "profile": null,
            "secret": null,
            "state": "present",
            "subscription_id": null,
            "tags": null,
            "tenant": null
        }
    },
    "state": {
        "id": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/some-space-rg-virginia",
        "location": "usgovvirginia",
        "name": "some-space-rg-virginia",
        "provisioning_state": "Succeeded",
        "tags": null
    }
}
Read vars_file 'variables.yml'

TASK [Create virtual network] ***********************************************************************************************************************************************************************************************************************************************************************************************************
task path: /home/cryocaustik/dev/azure_rm_issue/vm_setup.yml:15
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: cryocaustik
<127.0.0.1> EXEC /bin/sh -c 'echo ~cryocaustik && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/cryocaustik/.ansible/tmp `"&& mkdir "` echo /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038827.9707766-29448-122900162523310 `" && echo ansible-tmp-1651038827.9707766-29448-122900162523310="` echo /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038827.9707766-29448-122900162523310 `" ) && sleep 0'
Using module file /home/cryocaustik/.ansible/collections/ansible_collections/azure/azcollection/plugins/modules/azure_rm_virtualnetwork.py
<127.0.0.1> PUT /home/cryocaustik/.ansible/tmp/ansible-local-29273_frmvne6/tmp3e57oe8n TO /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038827.9707766-29448-122900162523310/AnsiballZ_azure_rm_virtualnetwork.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038827.9707766-29448-122900162523310/ /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038827.9707766-29448-122900162523310/AnsiballZ_azure_rm_virtualnetwork.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3 /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038827.9707766-29448-122900162523310/AnsiballZ_azure_rm_virtualnetwork.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/cryocaustik/.ansible/tmp/ansible-tmp-1651038827.9707766-29448-122900162523310/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/home/cryocaustik/.ansible/tmp/ansible-tmp-1651038827.9707766-29448-122900162523310/AnsiballZ_azure_rm_virtualnetwork.py", line 107, in <module>
    _ansiballz_main()
  File "/home/cryocaustik/.ansible/tmp/ansible-tmp-1651038827.9707766-29448-122900162523310/AnsiballZ_azure_rm_virtualnetwork.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/cryocaustik/.ansible/tmp/ansible-tmp-1651038827.9707766-29448-122900162523310/AnsiballZ_azure_rm_virtualnetwork.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.azure.azcollection.plugins.modules.azure_rm_virtualnetwork', init_globals=dict(_module_fqn='ansible_collections.azure.azcollection.plugins.modules.azure_rm_virtualnetwork', _modlib_path=modlib_path),
  File "/usr/lib/python3.9/runpy.py", line 210, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib/python3.9/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_azure_rm_virtualnetwork_payload_npv7hjw3/ansible_azure_rm_virtualnetwork_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_virtualnetwork.py", line 386, in <module>
  File "/tmp/ansible_azure_rm_virtualnetwork_payload_npv7hjw3/ansible_azure_rm_virtualnetwork_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_virtualnetwork.py", line 382, in main
  File "/tmp/ansible_azure_rm_virtualnetwork_payload_npv7hjw3/ansible_azure_rm_virtualnetwork_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_virtualnetwork.py", line 237, in __init__
  File "/tmp/ansible_azure_rm_virtualnetwork_payload_npv7hjw3/ansible_azure_rm_virtualnetwork_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py", line 465, in __init__
  File "/tmp/ansible_azure_rm_virtualnetwork_payload_npv7hjw3/ansible_azure_rm_virtualnetwork_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_virtualnetwork.py", line 264, in exec_module
  File "/home/cryocaustik/.local/lib/python3.9/site-packages/azure/mgmt/network/v2021_03_01/operations/_virtual_networks_operations.py", line 213, in get
    map_error(status_code=response.status_code, response=response, error_map=error_map)
  File "/home/cryocaustik/.local/lib/python3.9/site-packages/azure/core/exceptions.py", line 105, in map_error
    raise error
azure.core.exceptions.ClientAuthenticationError: (InvalidAuthenticationTokenAudience) The access token has been obtained for wrong audience or resource 'https://management.azure.com'. It should exactly match with one of the allowed audiences 'https://management.core.usgovcloudapi.net/','https://management.core.usgovcloudapi.net','https://management.usgovcloudapi.net/','https://management.usgovcloudapi.net'.
Code: InvalidAuthenticationTokenAudience
Message: The access token has been obtained for wrong audience or resource 'https://management.azure.com'. It should exactly match with one of the allowed audiences 'https://management.core.usgovcloudapi.net/','https://management.core.usgovcloudapi.net','https://management.usgovcloudapi.net/','https://management.usgovcloudapi.net'.
fatal: [localhost]: FAILED! => {
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n  File \"/home/cryocaustik/.ansible/tmp/ansible-tmp-1651038827.9707766-29448-122900162523310/AnsiballZ_azure_rm_virtualnetwork.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/home/cryocaustik/.ansible/tmp/ansible-tmp-1651038827.9707766-29448-122900162523310/AnsiballZ_azure_rm_virtualnetwork.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/cryocaustik/.ansible/tmp/ansible-tmp-1651038827.9707766-29448-122900162523310/AnsiballZ_azure_rm_virtualnetwork.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.azure.azcollection.plugins.modules.azure_rm_virtualnetwork', init_globals=dict(_module_fqn='ansible_collections.azure.azcollection.plugins.modules.azure_rm_virtualnetwork', _modlib_path=modlib_path),\n  File \"/usr/lib/python3.9/runpy.py\", line 210, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib/python3.9/runpy.py\", line 97, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib/python3.9/runpy.py\", line 87, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_azure_rm_virtualnetwork_payload_npv7hjw3/ansible_azure_rm_virtualnetwork_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_virtualnetwork.py\", line 386, in <module>\n  File \"/tmp/ansible_azure_rm_virtualnetwork_payload_npv7hjw3/ansible_azure_rm_virtualnetwork_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_virtualnetwork.py\", line 382, in main\n  File \"/tmp/ansible_azure_rm_virtualnetwork_payload_npv7hjw3/ansible_azure_rm_virtualnetwork_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_virtualnetwork.py\", line 237, in __init__\n  File 
\"/tmp/ansible_azure_rm_virtualnetwork_payload_npv7hjw3/ansible_azure_rm_virtualnetwork_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py\", line 465, in __init__\n  File \"/tmp/ansible_azure_rm_virtualnetwork_payload_npv7hjw3/ansible_azure_rm_virtualnetwork_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_virtualnetwork.py\", line 264, in exec_module\n  File \"/home/cryocaustik/.local/lib/python3.9/site-packages/azure/mgmt/network/v2021_03_01/operations/_virtual_networks_operations.py\", line 213, in get\n    map_error(status_code=response.status_code, response=response, error_map=error_map)\n  File \"/home/cryocaustik/.local/lib/python3.9/site-packages/azure/core/exceptions.py\", line 105, in map_error\n    raise error\nazure.core.exceptions.ClientAuthenticationError: (InvalidAuthenticationTokenAudience) The access token has been obtained for wrong audience or resource 'https://management.azure.com'. It should exactly match with one of the allowed audiences 'https://management.core.usgovcloudapi.net/','https://management.core.usgovcloudapi.net','https://management.usgovcloudapi.net/','https://management.usgovcloudapi.net'.\nCode: InvalidAuthenticationTokenAudience\nMessage: The access token has been obtained for wrong audience or resource 'https://management.azure.com'. It should exactly match with one of the allowed audiences 'https://management.core.usgovcloudapi.net/','https://management.core.usgovcloudapi.net','https://management.usgovcloudapi.net/','https://management.usgovcloudapi.net'.\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

PLAY RECAP ******************************************************************************************************************************************************************************************************************************************************************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0  
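The failure above is the Resource Manager audience check working as designed: the token was minted for the public-cloud resource 'https://management.azure.com' (note "cloud_environment": "AzureCloud" in the module_args) and was then presented to the US Government endpoint. As an added pre-flight check, not part of the collection or of this issue, the following decodes a token's aud claim and compares it against the allowed audiences quoted in the error, so a wrapper can flag a cloud mismatch before the module call fails. It assumes the token is a compact JWT; the sample tokens are constructed and unsigned.

```python
import base64
import json

# Allowed ARM token audiences per cloud. The AzureUSGovernment list is copied
# from the InvalidAuthenticationTokenAudience error in this issue; the
# AzureCloud entry is the resource the failing token was minted for.
ARM_AUDIENCES = {
    "AzureCloud": {
        "https://management.azure.com",
        "https://management.azure.com/",
    },
    "AzureUSGovernment": {
        "https://management.core.usgovcloudapi.net/",
        "https://management.core.usgovcloudapi.net",
        "https://management.usgovcloudapi.net/",
        "https://management.usgovcloudapi.net",
    },
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_audiences(jwt: str) -> set:
    """Return the aud claim(s) of a JWT payload.

    No signature verification happens here: this is a pre-flight sanity check
    on which cloud a token targets, not a replacement for ARM's validation.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)


def audience_matches_cloud(jwt: str, cloud_environment: str) -> bool:
    """True if any aud of the token is an ARM audience of cloud_environment."""
    return bool(token_audiences(jwt) & ARM_AUDIENCES[cloud_environment])


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg none) for demonstration only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])


# Constructed tokens: one minted for public-cloud ARM (the situation in the
# issue), one minted for US Government ARM.
PUBLIC_CLOUD_TOKEN = make_unsigned_token({"aud": "https://management.azure.com", "sub": "demo"})
GOV_CLOUD_TOKEN = make_unsigned_token({"aud": "https://management.usgovcloudapi.net/", "sub": "demo"})

if __name__ == "__main__":
    for name, tok in (("public", PUBLIC_CLOUD_TOKEN), ("gov", GOV_CLOUD_TOKEN)):
        ok = audience_matches_cloud(tok, "AzureUSGovernment")
        print(f"{name}-cloud token usable against AzureUSGovernment ARM: {ok}")
```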
@cryocaustik
Author

hey all - given the fix has been merged, any idea when we will see a release to verify the issue is resolved?

@Fred-sun Fred-sun closed this as completed Aug 5, 2022
@atsai1220

atsai1220 commented Oct 5, 2022

hey all - given the fix has been merged, any idea when we will see a release to verify the issue is resolved?

Running into this issue as well. Is there a date on the horizon we can count on?

Edit:

Temporarily doing this:

---
collections:
...
...
  - name: https://github.com/ansible-collections/azure.git
    type: git
    version: dev

@Fred-sun
Collaborator

Fred-sun commented Oct 6, 2022

Hi All, Sorry for not releasing the new version recently, we will release it as soon as possible after the holiday. Thank you very much!
