Question - getting an AADSTS700024 error during apply stage when using workload identity federation #63
Hi, I'm attempting to use this module to set up pipelines to manage an Azure landing zone implementation. When I invoked the PowerShell to set up the module, I chose to use WorkloadIdentityFederation for the azure_devops_authentication_scheme parameter as that seemed the way of the future. To kick the tires, I chose just the basic starter module and all seemed to go smoothly until the resulting CD pipeline went to do the actual terraform apply; the apply seemed to time out after about 5 minutes with an AADSTS700024 "Client assertion is not within its valid time range" error. There was a bit of a delay in actually getting the approval between the plan and apply stage of the pipeline and, from what I understand, since the WIF OIDC token is given as a command-line backend option, that value is cached in the terraform environment/plan. I suspect it is similar to the following reports on the Azure Pipelines terraform tasks: microsoft/azure-pipelines-terraform#201 So my question is, is there some configuration I'm missing? Does this seem like the right diagnosis for what is going on? It would seem beneficial for each terraform task in a pipeline to get a fresh token - is there a way to actually do this? Thanks!
Hi. Good question. We will take a look at using env vars for init instead of the CLI options, as we believe this is the root cause. It appears the token gets cached in the tfplan file when using CLI options. Clearly not a great design for this use case. I know my colleague had some issues with this approach, but hopefully we can figure it out. We actually removed our dependency on the DevLabs task today, but are still using CLI args, so I doubt it will resolve the issue. But it means we can easily switch to env vars if they work.
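The failure described above comes from the client assertion's own validity window: a JWT captured at plan time carries fixed `nbf`/`exp` claims, so if apply runs after `exp` the token exchange is rejected regardless of how it was stored. The following added example (not code from the accelerator or from either poster) decodes those claims from a constructed, unsigned sample assertion and checks whether it would still be inside its window at a given apply time; the issuer, subject, audience and 600-second lifetime are assumed sample values, not measured Azure DevOps behaviour.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def assertion_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS client assertion.

    The signature is deliberately not verified here: the goal is only to read
    the validity window of a token we already hold, not to trust it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def assertion_valid_at(token: str, at: int, skew: int = 0) -> bool:
    """True if the assertion is inside its [nbf, exp) window at Unix time `at`.

    `skew` widens the window to tolerate small clock differences; the identity
    provider decides the real tolerance, so keep it small.
    """
    claims = assertion_claims(token)
    nbf = int(claims.get("nbf", claims.get("iat", 0)))
    exp = int(claims["exp"])
    return (nbf - skew) <= at < (exp + skew)


def make_sample_assertion(iat: int, lifetime: int) -> str:
    """Constructed, unsigned sample with the shape of an OIDC client assertion.

    All claim values are placeholders; a real assertion is signed by the issuer.
    """
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iss": "https://issuer.example", "sub": "sc://org/project/connection",
               "aud": "api://audience.example", "iat": iat, "nbf": iat, "exp": iat + lifetime}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."
```

Running `assertion_valid_at` against the token a plan stage captured, at the moment apply is about to start, tells you up front whether the cached assertion is the reason for an AADSTS700024 rejection.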
For confirmation, this is now resolved in v0.1.6: https://github.com/Azure/alz-terraform-accelerator/releases/tag/v0.1.6 I ran a test that waited for over 8 hours and successfully applied with the updated pipeline templates using WIF.