terraform-provider-azurerm: v3.0.1: azurerm_key_vault: Cannot read the resource with KeyVault: keyvault.BaseClient#GetCertificateContacts

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v1.1.7 azurerm v3.0.1

Affected Resource(s)

  • azurerm_key_vault

Expected Behaviour

No error

Actual Behaviour

Cannot read the resource: `KeyVault: keyvault.BaseClient#GetCertificateContacts: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded`

Steps to Reproduce

  1. Create a key vault with v2:

resource "azurerm_key_vault" "mykeyvault" {
  name                     = "mykeyvault"
  sku_name                 = "standard"
  location                 = "myloc"
  resource_group_name      = "myrg"
  tenant_id                = "mytenant"
  purge_protection_enabled = true
}

  2. With v3, run terraform plan

Important Factoids

Since v3, azurerm tries to fetch “contact” from KeyVault and, for some reason, the access is timing out. I’ve tried adding the ManagedContacts permission but no luck.

Using the same credentials, I can access the API without issue.

az rest --method GET --uri "https://mykeyvault.vault.azure.net/certificates/contacts?api-version=7.1" --resource "https://vault.azure.net"
Not Found({"error":{"code":"ContactsNotFound","message":"Contacts not found"}})
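As an added diagnostic (not part of the issue report or of the provider's code), the script below reproduces the exact data-plane call the provider makes on read, GET /certificates/contacts with api-version 7.1, outside of Terraform and with a hard timeout, then classifies the outcome. A 404 with code ContactsNotFound, as in the az rest output above, means the vault is reachable and the caller is authorized but no contacts are configured; a curl timeout (exit 28) points at network reachability (firewall, private endpoint, DNS) rather than permissions; 401/403 points at the access policy or RBAC. It assumes an az CLI login with the identity Terraform uses, curl, and a vault name passed as the first argument; the verdict names and the 15-second default timeout are my choices.

```shell
#!/usr/bin/env bash
# Added diagnostic, not from the issue or the azurerm provider.
# Reproduces GET https://<vault>.vault.azure.net/certificates/contacts?api-version=7.1
# (the call behind keyvault.BaseClient#GetCertificateContacts) with a timeout,
# and classifies the result so timeouts, auth failures and the expected
# "ContactsNotFound" 404 can be told apart.
set -u

# classify_contacts_response CURL_EXIT HTTP_CODE BODY
# Pure function (no network) mapping a curl exit status, HTTP status and body
# to one verdict: timeout, auth-denied, reachable-no-contacts,
# reachable-with-contacts or other. Verdict names are assumptions of this script.
classify_contacts_response() {
  local curl_exit="$1" http_code="$2" body="$3"
  # curl exit 28 is "operation timed out": the vault endpoint never answered.
  if [ "$curl_exit" -eq 28 ]; then
    echo timeout
    return 0
  fi
  # Any other curl failure (DNS, TLS, connection refused) is reported as other.
  if [ "$curl_exit" -ne 0 ]; then
    echo other
    return 0
  fi
  case "$http_code" in
    200) echo reachable-with-contacts ;;
    404)
      # Key Vault answers 404 ContactsNotFound when no certificate contacts exist;
      # that is the normal result for a vault read and means access works.
      case "$body" in
        *ContactsNotFound*) echo reachable-no-contacts ;;
        *) echo other ;;
      esac ;;
    401|403) echo auth-denied ;;
    *) echo other ;;
  esac
}

# check_vault_contacts VAULT_NAME [TIMEOUT_SECONDS]
# Live check: fetch a Key Vault data-plane token via az CLI and call the
# contacts endpoint with curl, then print the verdict. Needs az and curl.
check_vault_contacts() {
  local vault="$1" timeout_secs="${2:-15}"
  local token tmp http_code curl_exit body
  token=$(az account get-access-token --resource https://vault.azure.net \
            --query accessToken -o tsv) || return 1
  tmp=$(mktemp)
  curl_exit=0
  http_code=$(curl -sS --max-time "$timeout_secs" -o "$tmp" -w '%{http_code}' \
                -H "Authorization: Bearer $token" \
                "https://${vault}.vault.azure.net/certificates/contacts?api-version=7.1") \
    || curl_exit=$?
  body=$(cat "$tmp")
  rm -f "$tmp"
  classify_contacts_response "$curl_exit" "$http_code" "$body"
}

# Only run the live check when a vault name is given, so the file can also be
# sourced for its functions without touching the network.
if [ -n "${1:-}" ]; then
  check_vault_contacts "$1" "${2:-15}"
fi
```

Run it as `./kv-contacts-check.sh mykeyvault` with the same az login Terraform uses; if this returns reachable-no-contacts promptly while the provider still times out, the problem is not the vault's network or permissions but something in the provider's own request path (for example the token acquisition the later comments discuss).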

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 37
  • Comments: 32 (15 by maintainers)

Most upvoted comments

I have a similar issue. Simply referencing a certificate in a key vault causes the plan to fail

data "azurerm_key_vault" "keyVault" {
  name                = "XXX"
  resource_group_name = "YYY"
}

# Get ID for latest certificate version in KV
data "azurerm_key_vault_secret" "certificate" {
  name         = "ZZZ"
  key_vault_id = data.azurerm_key_vault.keyVault.id
}

The plan command fails (after a long while) with the following error:


╷
│ Error: making Read request on Azure KeyVault Secret <name redacted>: autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: authorizer was not an auth.CachedAuthorizer for https://vault.azure.net
│ 
│   with data.azurerm_key_vault_secret.certificate,
│   on subscription.tf line 13, in data "azurerm_key_vault_secret" "certificate":
│   13: data "azurerm_key_vault_secret" "certificate" {
│ 
╵
Releasing state lock. This may take a few moments...

I have both of these issues as well. Had to roll back to provider 2.99.0

@manicminer glad you found the key, I promptly broke my terraform config after hitting this bug (developing something else, this was non-blocking for the moment) and also (like an idiot) deleted the debug log so couldn’t reproduce quickly enough.

I am using Azure CLI authentication.

@manicminer I do, and I’m pretty sure I’m not the only one. I’m using a “plain” Azure subscription, not a USGovernment one.

I believe this issue may be related to use_msal = true (which is now on by default in azurerm >= 3.0).

Works: v2.99 with use_msal = false

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.99"
    }
  }
}

provider "azurerm" {
  features {}

  use_msal = false
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "this" {
  name     = "V299ADAL"
  location = "westus2"
}

resource "azurerm_key_vault" "this" {
  name                = "v299adal-kv"
  location            = resource.azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}

Output:

azurerm_key_vault.this: Still creating... [2m30s elapsed]
azurerm_key_vault.this: Creation complete after 2m34s [id=/subscriptions/***/resourceGroups/V299ADAL/providers/Microsoft.KeyVault/vaults/v299adal-kv]

Fails: v2.99 with use_msal = true

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.99"
    }
  }
}

provider "azurerm" {
  features {}

  use_msal = true
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "this" {
  name     = "V299MSAL"
  location = "westus2"
}

resource "azurerm_key_vault" "this" {
  name                = "v299msal-kv"
  location            = resource.azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}

Output:

azurerm_key_vault.this: Still creating... [7m30s elapsed]
╷
│ Error: retrieving `contact` for KeyVault: keyvault.BaseClient#GetCertificateContacts: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded
│
│   with azurerm_key_vault.this,
│   on main.tf line 23, in resource "azurerm_key_vault" "this":
│   23: resource "azurerm_key_vault" "this" {
│
╵

FWIW, I’m not getting a failure to create this key_vault with azurerm 3.1.0. However, I wanted to paste my findings above since it seemed to be the exact same error message from the OP, and in case it provides a clue to where the problem may be.

@eoly Thanks for the log, that’s super helpful 👍

Anyone else, please kindly refrain from posting +1 comments and instead upvote the issue. Debug logs are always happily received!

@manicminer

Here are my TF_DEBUG logs. I have the context deadline exceeded issue too.

Using Azure CLI auth.

https://gist.github.com/eoly/702d9e6da370cd946372bce3677db830

Sorry no logs since I reverted back.

I’m also using Azure CLI authentication

I just ran into a similar issue with azurerm_key_vault_secret data source

Error: making Read request on Azure KeyVault Secret test-secret: autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: failed to acquire MSAL token

Error: keyvault.BaseClient#GetKey: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded

I see this for both v3.0.0 and v3.0.1