
Invalid client secret is provided when using correct and not expired secret


I have an Azure App Registration with an active secret.

I'm trying to obtain a token using the v1.0 endpoint like below (clientId is the ID of the above App Registration):

$body = @{
    grant_type = 'client_credentials';
    client_id = $clientId;
    client_secret = $clientSecret;
    resource = $resourceId;
}

$aadResponse = Invoke-WebRequest -Uri "https://login.microsoftonline.com/$aadtenantId/oauth2/token" -Method POST -Body $body -UseBasicParsing

After regenerating the credential using az ad app credential reset --id XXX, everything works as expected: the token is properly obtained.

However, in Azure DevOps I got the following error while getting values from KV:

[screenshot of the Azure DevOps Key Vault task error]

Then I go to the Azure DevOps service connection and, with edit, verify and save, I'm able to connect to KV without any further changes.

However, this action breaks the initially working token request (as described above).

I'm 100% sure:

  1. The password is correct
  2. I'm really using the password, not its ID
  3. Encoding the password doesn't help
  4. There is no other action except verifying the service connection
  5. I'm using "Failed to obtain the JWT by using the service principal client ID" as a reference for service connections

What am I doing wrong?
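The token request above fails with a bare HTTP 401 when the secret no longer matches, which hides why. Below is an added example (not code from the question) that wraps the same v1.0 client-credentials call in a function, pulls the AADSTS code out of the JSON error body, and decodes the returned JWT so you can confirm which app ID and expiry the token actually carries. The function names Get-AadClientCredentialToken and Get-JwtClaims and the hint text are my own; the variables $aadtenantId, $clientId, $clientSecret and $resourceId are assumed to be set as in the question.

```powershell
# Added example: client-credentials token request with AADSTS error reporting
# and JWT claim inspection. Function names and hint texts are assumptions, not
# part of the original post.

function Get-AadClientCredentialToken {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret,
        [Parameter(Mandatory)] [string] $Resource
    )

    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = $Resource
    }

    try {
        # Invoke-RestMethod parses the JSON response into an object with access_token, expires_on, ...
        return Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
                                 -Method Post -Body $body -UseBasicParsing
    }
    catch {
        # On 4xx AAD returns a JSON body; error_description starts with an AADSTS code.
        $raw = $_.ErrorDetails.Message
        if (-not $raw) { throw }
        $err  = $raw | ConvertFrom-Json
        $code = [regex]::Match($err.error_description, 'AADSTS\d+').Value
        $hint = switch ($code) {
            'AADSTS7000215' { 'Invalid client secret: the secret was replaced or removed (e.g. by a credential reset or by re-verifying an automatic service connection).' }
            'AADSTS7000222' { 'The client secret has expired; create a new one.' }
            default         { 'See error_description.' }
        }
        throw "Token request failed ($code): $hint`n$($err.error_description)"
    }
}

function Get-JwtClaims {
    # Decodes the payload segment of a JWT (base64url, no signature check; inspection only).
    param([Parameter(Mandatory)] [string] $Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

# Usage with the variables from the question:
$token  = Get-AadClientCredentialToken -TenantId $aadtenantId -ClientId $clientId `
                                       -ClientSecret $clientSecret -Resource $resourceId
$claims = Get-JwtClaims -Token $token.access_token
"appid=$($claims.appid) aud=$($claims.aud) exp=$([DateTimeOffset]::FromUnixTimeSeconds($claims.exp))"
```

If the appid claim differs from the App Registration you think you are using, the script is authenticating a different client than the one whose secret you reset. Note also that az ad app credential reset replaces the application's existing secrets unless you pass --append, so any other consumer of the old secret (such as an existing service connection) stops working at that point.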


Solution

  • I can also reproduce your issue on my side.


    After regenerating the client secret with az ad app credential reset --id XXX, I suppose you should get the error below when you click Verify in your service connection of type Azure Resource Manager using service principal (automatic).

    [screenshot of the Verify error on the automatic service connection]

    As shown on the service connection page, you created it the automatic way. If you regenerate the client secret, you need to create a new service connection the manual way to solve the issue.

    You can obtain the values from the Key Vault page and your AAD App page. The Service principal key is the client secret you regenerated; you cannot retrieve it again if you didn't save it, in which case you need to regenerate a new one.

    After fixing the values, verify and save.


    Then use the new service connection in the AzureKeyVault@2 task; it works fine.
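The same fix can be scripted instead of clicked through. The following is an added example, not part of the answer above, that creates the manual service connection from the Azure CLI (it assumes the azure-devops extension is installed and you are logged in with az login and az devops login). Every angle-bracket value is a placeholder; the connection name kv-manual-connection is my own choice.

```powershell
# Added example: create the manual Azure Resource Manager service connection from the CLI.
# Placeholders: <app-id>, <tenant-id>, <subscription-id>, <subscription-name>, <org>, <project>.
$appId = '<app-id>'

# --append adds a new secret without deleting the existing ones, so a secret still in use
# elsewhere keeps working. The plain-text password is returned only once.
$cred = az ad app credential reset --id $appId --append -o json | ConvertFrom-Json

# The service-endpoint command reads the secret from this environment variable,
# which keeps it out of the command line and shell history.
$env:AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY = $cred.password

az devops service-endpoint azurerm create `
    --name 'kv-manual-connection' `
    --azure-rm-service-principal-id $appId `
    --azure-rm-tenant-id '<tenant-id>' `
    --azure-rm-subscription-id '<subscription-id>' `
    --azure-rm-subscription-name '<subscription-name>' `
    --org 'https://dev.azure.com/<org>' `
    --project '<project>'

# Drop the secret from the session once the connection has been created.
Remove-Item Env:\AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY
```

Because this connection is of the manual kind, Azure DevOps never rotates its secret on Verify, so the token request in the question and the AzureKeyVault@2 task can share the same credential without breaking each other.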