Azure Key Vault secrets in pipeline, invalid tenantID

Hi. I am trying to configure Azure Key Vault for a pipeline we are using.

Although the OIDC seems to be working fine, the “azure-key-vault” secret resolver fails.

In the snippet below you can find 2 jobs (one for OIDC and one for Azure Key Vault).

auth:
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.XYZ.io
  script:
    - az login --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID --federated-token $GITLAB_OIDC_TOKEN
    - az account show

test_key_vault:
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.XYZ.io
  secrets:
    DATABASE_PASSWORD:
      token: GITLAB_OIDC_TOKEN
      azure_key_vault:
        name: 'test_key'
  script:
    - echo $DATABASE_PASSWORD  # the resolved secret is exposed under the secrets key name, not the vault secret name

While the “auth” job succeeds and its logs look OK, the “test_key_vault” job fails with the following output:

Running with gitlab-runner 16.2.0 (782e15da)
on gitlab-runner-XYZ, system ID: XYZ
Resolving secrets
Resolving secret “DATABASE_PASSWORD”…
Using “azure-key-vault” secret resolver…
ERROR: Job failed (system failure): resolving secrets: getting credential failed: invalid tenantID. You can locate your tenantID by following the instructions listed here: Find tenant ID, domain name, user object ID - Partner Center | Microsoft Learn

CI/CD variables that are set up:

  • AZURE_CLIENT_ID
  • AZURE_TENANT_ID
  • AZURE_KEY_VAULT_SERVER_URL

Can someone shed a bit more light on what might be the possible cause of this behaviour?
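As an added example, not code from the original post: a POSIX sh preflight function a job can run before `az login` (or before the secrets stage) to catch the values that a credential library will reject as an invalid tenant ID, namely an empty variable and a value carrying stray quotes or whitespace. The GUID shape check assumes a directory (tenant) ID rather than a tenant domain name is being passed.

```shell
#!/bin/sh
# Added example (not from the original post). Validates the value that a CI job
# would pass as the Azure tenant ID and returns a distinct code per failure mode,
# so the job log explains the problem instead of a bare "invalid tenantID".
check_tenant_id() {
  tid="$1"
  if [ -z "$tid" ]; then
    echo "AZURE_TENANT_ID is empty: the variable is not exposed to this job" \
         "(check protected/masked flags, environment scope and the variable name)" >&2
    return 1
  fi
  # A value that still carries its quotes was stored as '"..."' in the UI
  case "$tid" in
    \"*|\'*|*\"|*\')
      echo "AZURE_TENANT_ID is wrapped in quotes: store the bare value" >&2
      return 2 ;;
  esac
  # Leading/trailing spaces or a newline survive a careless copy and paste
  case "$tid" in
    *[[:space:]]*)
      echo "AZURE_TENANT_ID contains whitespace (space or newline)" >&2
      return 3 ;;
  esac
  # Entra directory (tenant) IDs are GUIDs: 8-4-4-4-12 hex digits
  if printf '%s\n' "$tid" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
    return 0
  fi
  echo "AZURE_TENANT_ID is not in GUID form (expected 8-4-4-4-12 hex digits)" >&2
  return 4
}

# In a job script:  check_tenant_id "$AZURE_TENANT_ID" || exit 1
```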

Hi,

Since you are using a paid feature, I suggest raising this with support.gitlab.com, where you often get a more qualified and faster reply from the GitLab support team.

This is only a community forum and not an official support channel.