Issue deploying using Azure CLI with client secret authentication in an Azure DevOps YAML file

Jack Lazenby 20 Reputation points
2024-05-03T13:39:38.1066667+00:00

We are having issues deploying a BICEP template with Azure CLI in our CI/CD pipeline using a client secret authentication method. The previous key had expired, so we cycled the client secret, added it to the Key Vault for our test environment, and attempted to deploy, but we keep getting the error message:

ERROR: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '***'. Trace ID: '***' Correlation ID: '***' Timestamp: 2024-05-03 09:21:06Z

We have cycled the keys a few times, but we cannot identify what the problem is. We use the following command to deploy:

OUT=$(az deployment group create --resource-group ${{ parameters.resourceGroupName }} --template-file ${{ parameters.bicepTemplateFile }} --parameters ${{ parameters.bicepTemplateParametersFile }} --parameters agentIpAddress="$(BuildAgentIP.address)" ${{ parameters.additionalAzureCliArguments }} --mode ${{ parameters.azureDeployMode }} | jq -cM .properties.outputs)

The az deployment group create command automatically logs in, and we do not pass any parameters to have it log in to perform the deployment. We have tried logging in during this argument, but the AzureCli@2 job we are using seems to log in using something else, which means we cannot actually force it to log in using the necessary credentials. This was not an issue until the keys expired.

Passing in any additional arguments such as --debug doesn't work as we can't even start this deployment command as the azure login fails.

One thing to note is that if I use AZ CLI from my machine with the App Id and client secret it does authenticate correctly, so I know the credentials themselves are okay.

Is there a way to log which key is being used and which app is being deployed? We are wondering if we have crossed the beams somewhere along the way. Also, is there anywhere else that we need to update the client secret? We have updated it in the App Registration and then the Key Vault. Is there anything else that we might have missed?

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,350 questions
0 comments No comments
{count} votes

Accepted answer
  1. Shweta Mathur 30,191 Reputation points Microsoft Employee
    2024-05-07T03:09:53.98+00:00

    Hi @Jack Lazenby ,

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    User's image

    Thanks

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Jack Lazenby 20 Reputation points
    2024-05-03T15:17:25.32+00:00

    I have managed to resolve this by changing to use a Powershell script and passing in the creds instead of relying on them being picked up in the Azure@CLI2 task.

    0 comments No comments

  2. Miles Barnard 0 Reputation points
    2025-01-02T10:27:59.98+00:00

    A workaround for this not involving Powershell is to regenerate the service principal secret with no name, valid for 6 months, save and try again.

    I suspect it's caused when you delete the old secret before regenerating a new one.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.