Using Terraform: unable to authenticate my app via VS Code, getting 401 error

bvk 1 Reputation point
2022-03-09T15:44:34.017+00:00

Using Terraform, I am unable to authenticate my app via VS Code even after giving the right subscription ID, tenant ID, client ID and client secret; I get the 401 error below:

building account: getting authenticated object ID: Error listing Service Principals: autorest.DetailedError{Original:adal.tokenRefreshError{message:"adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys for app '7b1fda96-01aa-4910-ba98-2d5286c1c29d' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds.\\r\\nTrace ID: b056db1f-4bbe-4f3d-a32c-85cf15567800\r\nCorrelation ID: 4b925f8a-9674-455b-91f3-81b7468ca4f9\r\nTimestamp: 2022-03-08 13:22:45Z","error_codes":[7000222],"timestamp":"2022-03-08 13:22:45Z","trace_id":"b056db1f-4bbe-4f3d-a32c-85cf15567800","correlation_id":"4b925f8a-9674-455b-91f3-81b7468ca4f9","error_uri":"https://login.microsoftonline.com/error?code=7000222"} Endpoint https://login.microsoftonline.com/cf626e3e-0aa9-4d45-bb03-cc1e22523cf8/oauth2/token?api-version=1.0", resp:(*http.Response)(0x1ae3e960)}, PackageType:"azure.BearerAuthorizer", Method:"WithAuthorization", StatusCode:401, Message:"Failed to refresh the Token for request to https://graph.windows.net/cf626e3e-0aa9-4d45-bb03-cc1e22523cf8/servicePrincipals?%24filter=appId+eq+%277b1fda96-01aa-4910-ba98-2d5286c1c29d%27&api-version=1.6", ServiceError:[]uint8(nil), Response:(*http.Response)(0x1ae3e960)}
Note: I get this issue even after using the recently created client secret.

Terraform Code:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.97.0"
    }
    # the azuread provider is configured below, so declare it here as well
    # (use_microsoft_graph belongs to the 1.x azuread provider; 2.x always
    # talks to Microsoft Graph)
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azuread" {
  use_microsoft_graph = true
}

provider "azurerm" {
  features {}
  # left blank in the post; these can also come from the environment
  # (ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET),
  # which keeps the secret out of the .tf file
  subscription_id = ""
  tenant_id       = ""
  client_id       = ""
  client_secret   = ""
}

RG Creation

resource "azurerm_resource_group" "bvkrg" {
  name     = "rg-bvk-01"
  location = "east us"
}

After terraform plan I get the error below:
building account: getting authenticated object ID: listing Service Principals: autorest.DetailedError{Original:adal.tokenRefreshError{message:"adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys for app '*************************************' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds.\\r\\nTrace ID: 8e25b9a5-5b8e-4ee3-8f69-ac0d1e716200\r\nCorrelation ID: edc352a6-5f3c-4f9f-8286-56009334f309\r\nTimestamp: 2022-03-09 15:11:12Z","error_codes":[7000222],"timestamp":"2022-03-09 15:11:12Z","trace_id":"8e25b9a5-5b8e-4ee3-8f69-ac0d1e716200","correlation_id":"edc352a6-5f3c-4f9f-8286-56009334f309","error_uri":"https://login.microsoftonline.com/error?code=7000222\"} Endpoint https://login.microsoftonline.com/cf626e3e-0aa9-4d45-bb03-cc1e22523cf8/oauth2/token?api-version=1.0", resp:(*http.Response)(0x1b894050)}, PackageType:"azure.BearerAuthorizer", Method:"WithAuthorization", StatusCode:401, Message:"Failed to refresh the Token for request to https://graph.windows.net/cf626e3e-0aa9-4d45-bb03-cc1e22523cf8/servicePrincipals?%24filter=appId+eq+%27820b0a1c-8c02-43e4-8284-3051ac2ae305%27&api-version=1.6", ServiceError:[]uint8(nil), Response:(*http.Response)(0x1b894050)}

Even though the client secret is not expired, it gives an error stating that the client secret is expired.

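A practical check for the situation in the question, as an added example for this thread (not code from the poster, from HashiCorp or from Microsoft). The provider error is a Go struct dump wrapping the AAD JSON, but it still carries the three things worth comparing before rotating anything: the app ID the token request was made for, the tenant used for the token endpoint, and the timestamp of the attempt. The two error pastes in the question name different app IDs (7b1fda96... and 820b0a1c...), so the first check is whether the client_id in provider "azurerm" is the app registration on which the new secret was created; the second is whether that secret's start time lies before the failing attempt. The sample error text and the credential list below are constructed; the credential list assumes the field names of `az ad app credential list --id <client_id>` output (displayName, keyId, startDateTime, endDateTime), which is not shown on the page.

```python
"""Triage an azurerm/autorest 401 caused by AADSTS7000222 (expired client secret).

Added example for this thread; not code from the original post, HashiCorp or
Microsoft. SAMPLE_ERROR is constructed after the shape of the error in the
question (IDs are made up); SAMPLE_CREDENTIALS assumes the field names of
`az ad app credential list --id <appId>` output.
"""
import re
from datetime import datetime, timezone

GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"

# One regex per field: the AAD JSON sits inside a Go struct dump with
# unescaped quotes, so json.loads() cannot read it directly.
FIELDS = {
    "error_code": r"AADSTS(\d+):",
    "app_id": rf"for app '({GUID})'",                            # app the token was requested FOR
    "tenant_id": rf"login\.microsoftonline\.com/({GUID})/oauth2",  # tenant of the token endpoint
    "trace_id": rf"Trace ID: ({GUID})",
    "correlation_id": rf"Correlation ID: ({GUID})",
    "timestamp": r'"timestamp":"([^"]+)"',
}

# Constructed sample, shortened; IDs are made up.
SAMPLE_ERROR = r"""building account: getting authenticated object ID: listing Service Principals: autorest.DetailedError{Original:adal.tokenRefreshError{message:"adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys for app '11111111-2222-3333-4444-555555555555' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds.\\r\\nTrace ID: aaaaaaaa-0000-0000-0000-000000000001\r\nCorrelation ID: bbbbbbbb-0000-0000-0000-000000000002\r\nTimestamp: 2022-03-09 15:11:12Z","error_codes":[7000222],"timestamp":"2022-03-09 15:11:12Z"} Endpoint https://login.microsoftonline.com/cccccccc-0000-0000-0000-000000000003/oauth2/token?api-version=1.0", resp:(*http.Response)(0x1b894050)}, StatusCode:401}"""

# Constructed sample in the assumed shape of `az ad app credential list` output:
# an old secret that ran out, and a new one created AFTER the failing attempt.
SAMPLE_CREDENTIALS = [
    {"displayName": "tf-2021", "keyId": "k1",
     "startDateTime": "2021-03-01T00:00:00Z", "endDateTime": "2022-03-01T00:00:00Z"},
    {"displayName": "tf-2022", "keyId": "k2",
     "startDateTime": "2022-03-09T16:00:00Z", "endDateTime": "2023-03-09T16:00:00Z"},
]


def parse_aadsts_error(text):
    """Extract the AADSTS code, app/tenant IDs and support IDs from the provider error."""
    out = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        out[name] = m.group(1) if m else None
    if out["error_code"] is not None:
        out["error_code"] = int(out["error_code"])
    return out


def _utc(stamp):
    """Parse both timestamp forms seen here ('2022-03-09 15:11:12Z' and ISO 'T' form)."""
    return datetime.fromisoformat(stamp.replace(" ", "T").replace("Z", "+00:00"))


def classify_credentials(creds, now):
    """Split an app's secrets into expired / not-yet-valid / usable at `now`."""
    state = {"expired": [], "pending": [], "usable": []}
    for c in creds:
        if _utc(c["endDateTime"]) <= now:
            state["expired"].append(c["keyId"])
        elif _utc(c["startDateTime"]) > now:
            state["pending"].append(c["keyId"])
        else:
            state["usable"].append(c["keyId"])
    return state


def diagnose(error_text, configured_client_id, creds):
    """Return human-readable findings; an empty list means the inputs do not explain the 401."""
    e = parse_aadsts_error(error_text)
    if e["error_code"] is None:
        return ["no AADSTS code found in the error text"]
    if e["error_code"] != 7000222:
        return [f"not an expired-secret failure (AADSTS{e['error_code']}); read the error_description"]
    findings = []
    if e["app_id"] and e["app_id"].lower() != configured_client_id.lower():
        findings.append(f"token requested for app {e['app_id']} but client_id is {configured_client_id}: "
                        "the new secret may have been created on a different app registration")
    # Judge the secrets as of the failing attempt, not as of now: a secret created
    # after the attempt cannot have fixed it.
    when = _utc(e["timestamp"]) if e["timestamp"] else datetime.now(timezone.utc)
    state = classify_credentials(creds, when)
    if not state["usable"]:
        findings.append(f"at {when.isoformat()} no secret on the app was valid "
                        f"(expired: {state['expired']}, not yet valid: {state['pending']})")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_ERROR, "11111111-2222-3333-4444-555555555555", SAMPLE_CREDENTIALS):
        print("-", line)
```

To use it on real data, paste the Terraform output into SAMPLE_ERROR and the JSON from `az ad app credential list --id <client_id>` into SAMPLE_CREDENTIALS. The trace and correlation IDs it pulls out are what Microsoft looks up on their side, as in the third answer. If no usable secret exists, `az ad app credential reset --id <client_id> --append` adds a fresh one from the CLI (without `--append` the command replaces the existing credentials), which is the CLI equivalent of the portal steps in that answer.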

3 answers

  1. Manu Philip 18,561 Reputation points MVP
    2022-03-09T17:53:39.627+00:00

    Try the following code.

    # Configure the Azure provider
    terraform {
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = "2.98.0"
        }
      }
    }

    provider "azurerm" {
      # the version pin lives in required_providers above; a version
      # argument inside a provider block is deprecated since Terraform 0.13
      subscription_id = "your sub id"
      client_id       = "your client id"
      client_secret   = "your client secret"
      tenant_id       = "your tenant id"
      features {}
    }

    resource "azurerm_resource_group" "bvkrg" {
      name     = "rg-bvk-01"
      location = "east us"
    }

    I am able to deploy the RG successfully with the code

    ----------

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Bruno Lucas 4,431 Reputation points MVP
    2022-03-14T09:25:26.287+00:00

    Hi, if you just want to run this from VS Code and log in through the Azure portal, I posted this explaining how to get started and run Terraform in VS Code: https://youcandowithazure.blog/2022/03/09/getting-started-with-azure-terraform-from-scratch-part-1-install-dev-tools-and-run-your-first-script/

    If you launch the VS Code terminal and type az login, it should let you enter credentials and select a subscription.
    I also have a bare-minimum sample just to test whether you have everything installed to run it from VS Code: https://github.com/blucas2016/TerraformPart01
    Follow the blog to use it.

    If you need to use the service principal secret and key, it is always good to check the latest on the HashiCorp site: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret

    And make sure the version in your code matches the version installed.



  3. JamesTran-MSFT 36,631 Reputation points Microsoft Employee
    2022-03-16T21:52:27.823+00:00

    @vk-8686
    Thank you for your post and I apologize for the delayed response!

    By looking into your Correlation ID edc352a6... and timestamp 2022-03-09 15:11:12Z, I found that the Client Secret within your application Terraform is expired, which is why you received the error message - AADSTS7000222: The provided client secret keys for app "7b1fda96..." are expired.

    To hopefully resolve your issue, can you navigate to:
    Azure Active Directory -> App Registrations -> Search for your App Terraform -> Under Manage select Certificates & secrets -> Select + New Client Secret.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

