Hi. I am trying to configure Azure Key Vault for a pipeline we are using.
Although the OIDC login seems to be working fine, the “azure-key-vault” secret resolver fails.
In the snippet below you can find 2 jobs (one for OIDC and one for Azure Key Vault):
```yaml
auth:
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.XYZ.io
  script:
    # Federated login: exchange the GitLab-issued OIDC token for an Azure session
    - az login --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID --federated-token $GITLAB_OIDC_TOKEN
    - az account show

test_key_vault:
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.XYZ.io
  secrets:
    # The resolved Key Vault secret 'test_key' is exposed to the job under the
    # key name DATABASE_PASSWORD (by default as a path to a temporary file),
    # not under a variable named after the Key Vault secret
    DATABASE_PASSWORD:
      token: GITLAB_OIDC_TOKEN
      azure_key_vault:
        name: 'test_key'
  script:
    - echo $DATABASE_PASSWORD
```
While the “auth” job succeeds and its logs look ok, the “test_key_vault” job fails with the following output:

```
Running with gitlab-runner 16.2.0 (782e15da)
on gitlab-runner-XYZ, system ID: XYZ
Resolving secrets
Resolving secret “DATABASE_PASSWORD”…
Using “azure-key-vault” secret resolver…
ERROR: Job failed (system failure): resolving secrets: getting credential failed: invalid tenantID. You can locate your tenantID by following the instructions listed here: Find tenant ID, domain name, user object ID - Partner Center | Microsoft Learn
```
The following CI/CD variables are set up:
- AZURE_CLIENT_ID
- AZURE_TENANT_ID
- AZURE_KEY_VAULT_SERVER_URL
Can someone shed a bit more light on what might be the possible cause of this behaviour?
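As an added example (not part of the original post and not GitLab's or Azure's own code), a pre-flight check a job can run before its secrets stage so that a malformed value in one of the three variables is reported in plain terms instead of surfacing only as the resolver's "invalid tenantID". It assumes the tenant and client IDs are supplied in GUID form and the vault URL in the https://<vault-name>.vault.azure.net form.

```shell
#!/bin/sh
# Added example: validate the shape of the CI/CD variables the azure_key_vault
# secret resolver reads. Formats below are assumptions about what Azure expects
# (GUID tenant/client IDs, a *.vault.azure.net HTTPS URL).

# Returns 0 when $1 looks like a GUID (8-4-4-4-12 hex groups), 1 otherwise.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# Returns 0 when $1 looks like a Key Vault URL, 1 otherwise.
# Vault names are 3-24 characters of letters, digits and hyphens.
is_vault_url() {
  printf '%s' "$1" | grep -Eq '^https://[a-zA-Z0-9-]{3,24}\.vault\.azure\.net/?$'
}

# check_azure_vars CLIENT_ID TENANT_ID VAULT_URL
# Prints one line per problem found and returns the number of problems,
# so a clean set of variables returns 0.
check_azure_vars() {
  client_id=$1; tenant_id=$2; vault_url=$3
  problems=0
  if ! is_guid "$client_id"; then
    echo "AZURE_CLIENT_ID is not a GUID (got ${#client_id} characters)"
    problems=$((problems + 1))
  fi
  if ! is_guid "$tenant_id"; then
    echo "AZURE_TENANT_ID is not a GUID (got ${#tenant_id} characters)"
    problems=$((problems + 1))
  fi
  if ! is_vault_url "$vault_url"; then
    echo "AZURE_KEY_VAULT_SERVER_URL is not of the form https://<vault-name>.vault.azure.net"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Typical use as the first script line of the job (values come from the
# project's CI/CD variables; the function prints only lengths, never values):
# check_azure_vars "$AZURE_CLIENT_ID" "$AZURE_TENANT_ID" "$AZURE_KEY_VAULT_SERVER_URL"
```

Because the function reports only the length of a bad ID, it is safe to run in a job whose log is visible to the whole project.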