We are having issues deploying a BICEP template with Azure CLI in our CI/CD pipeline using a client secret authentication method. The previous key had expired, so we cycled the client secret, added it to the Key Vault for our test environment, and attempted to deploy, but we keep getting the error message:
ERROR: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '***'. Trace ID: '***' Correlation ID: '***' Timestamp: 2024-05-03 09:21:06Z
We have cycled the keys a few times, but we cannot identify what the problem is. We use the following command in our YAML file to deploy:
- task: AzureCLI@2
displayName: Deploy infrastructure
inputs:
azureSubscription: ${{ parameters.subscriptionName }}
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
echo "IP: $(BuildAgentIP.address)"
OUT=$(az deployment group create --resource-group ${{ parameters.resourceGroupName }} --template-file ${{ parameters.bicepTemplateFile }} --parameters ${{ parameters.bicepTemplateParametersFile }} --parameters agentIpAddress="$(BuildAgentIP.address)" ${{ parameters.additionalAzureCliArguments }} --mode ${{ parameters.azureDeployMode }} --debug | jq -cM .properties.outputs)
echo "##vso[task.setVariable variable=DEPLOYMENTOUTPUT]$OUT"
echo "Set pipeline variable 'DEPLOYMENTOUTPUT' to: $OUT"
The az deployment group create command automatically logs in, and we do not pass any parameters to have it log in to perform the deployment. We have tried logging in during this argument, but the AzureCli@2 job we are using seems to log in using something else, which means we cannot actually force it to log in using the necessary credentials. This was not an issue until the keys expired.
Passing in any additional arguments such as --debug doesn’t work as we can’t even start this deployment command as the azure login fails.
One thing to note is that if I use AZ CLI from my machine with the App Id and client secret it does authenticate correctly, so I know the credentials themselves are okay.
Is there a way to log which key is being used and which app is being deployed? We are wondering if we have crossed the beams somewhere along the way. Also, is there anywhere else that we need to update the client secret? We have updated it in the App Registration and then the Key Vault. Is there anything else that we might have missed?
Alternatively, is there a way we can deploy using this method without needing to use client secrets? We tried certificates but hit a wall there, too.