How to update the client secret for Service Principle on Azure

Article ID: 293891

Products

Operations Manager

Issue/Introduction

When you installed VMware Tanzu Application Service (TAS) for VMs on Azure, you created the client secret for the Service Principal with an az CLI command like the following:
az ad app create --display-name "Service Principal for BOSH" \
    --password "PASSWORD" --homepage "http://BOSHAzureCPI" \
    --identifier-uris "http://BOSHAzureCPI"

"PASSWORD" in the command above is the password of your client secret for the Service Principal, which you entered in the Client Secret field of the Azure Config pane on the BOSH Director tile of Operations Manager (Ops Manager). This client secret has an expiration date, which is 1 year by default.

If you continue to use TAS for VMs without updating this client secret and it expires, you will see an error like the one below, and every operation that involves CPI calls to Azure, such as creating VMs, will fail.

As you can see in the BOSH task output below, the error says "The provided client secret keys are expired."
Task 8414 | 05:11:29 | Creating missing vms: uaa/be21d2ef-2e76-4a74-8b9d-00ae1c5c70fc (0) (00:00:16)
                     L Error: Unknown CPI error 'Bosh::AzureCloud::AzureError' with message 'get_token - http 
code: 401. Azure authentication failed: Invalid tenant_id, client_id or client_secret/certificate. Error 
message: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret 
keys are expired.\r\nTrace ID: be21d2ef-8b49-4167-91b7-ccabbbbb0700\r\nCorrelation ID: 
be21d2ef-6a56-4a35-ae12-5893f1e2e8ad\r\nTimestamp: 2020-01-17 05:11:29Z","error_codes":
[7000222],"timestamp":"2020-01-17 05:11:29Z","trace_id":"be21d2ef-8b49-4167-91b7-
ccabbbbb0700","correlation_id":"be21d2ef-6a56-4a35-ae12-5893f1e2e8ad"}' in 'create_vm' CPI 
method (CPI request ID: 'cpi-935924')

This article describes how to update the client secret for the Service Principal on Azure without any impact on the existing TAS for VMs configuration, running applications, and so on.

Environment

Product Version: Other
OS: Azure

Resolution

After logging on to Azure with the account used for your TAS for VMs deployment by running 'az login', execute the following command from your console:
az ad sp credential reset --name "APPLICATION_ID" --credential-description "DESCRIPTION" \
    --years "EXPIRATION_DATE" --password "PASSWORD"

Where:
  • "APPLICATION_ID" : the application (client) ID of your TAS for VMs deployment, which was returned as 'appId' when you ran 'az ad app create'.
  • "DESCRIPTION" : optional; a description for the client secret, fewer than 16 characters.
  • "EXPIRATION_DATE" : the number of years for which the credential will be valid. Default: 1 year.
  • "PASSWORD" : the existing password of your client secret for the Service Principal, which you entered in the Client Secret field of the Azure Config pane on the BOSH Director tile of Ops Manager.
Note: You can set any password in the "PASSWORD" section if you want to change the password itself. In that case, you also have to update the password in the Client Secret field of the Azure Config pane on the BOSH Director tile of Ops Manager and run Apply Changes, which can impact the existing TAS for VMs configuration and applications. If you do not want to impact existing things as described, set the existing password of your client secret in the "PASSWORD" section.
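The following is an added example (not VMware/Broadcom code) that catches the expiry described in the Issue section before BOSH hits the AADSTS7000222 error, and assembles the reset command from the Resolution section. It assumes the JSON shape returned by 'az ad app credential list' (a 'displayName' and an ISO 8601 'endDateTime' per secret); the SAMPLE_CREDENTIALS below are constructed, not captured from a real tenant.

```python
"""Flag Azure AD app client secrets that are expired or about to expire,
and build the `az ad sp credential reset` command from this article.
Added example; the credential list is constructed sample data."""
import json
from datetime import datetime, timezone

# Constructed stand-in for `az ad app credential list --id APPLICATION_ID` output.
SAMPLE_CREDENTIALS = json.dumps([
    {"keyId": "11111111-1111-1111-1111-111111111111",
     "displayName": "bosh-director", "endDateTime": "2020-01-10T00:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222",
     "displayName": "rotated-2020", "endDateTime": "2021-01-10T00:00:00+00:00"},
])


def expiring_secrets(credential_json, now, warn_days=30):
    """Return (displayName, days_left) for every secret that is already
    expired (negative days_left) or expires within warn_days, soonest first."""
    result = []
    for cred in json.loads(credential_json):
        # az may print a trailing 'Z'; normalise it so fromisoformat accepts it.
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        days_left = (end - now).days
        if days_left <= warn_days:
            result.append((cred["displayName"], days_left))
    return sorted(result, key=lambda item: item[1])


def reset_command(app_id, password, description="", years=1):
    """Build the argv for the Resolution command. Passing the existing
    password keeps the Ops Manager Client Secret field unchanged, so no
    Apply Changes is needed; the description limit follows the article."""
    if len(description) >= 16:
        raise ValueError("credential description must be fewer than 16 characters")
    argv = ["az", "ad", "sp", "credential", "reset", "--name", app_id,
            "--years", str(years), "--password", password]
    if description:
        argv += ["--credential-description", description]
    return argv


if __name__ == "__main__":
    now = datetime(2020, 1, 17, tzinfo=timezone.utc)  # date of the error above
    for name, days in expiring_secrets(SAMPLE_CREDENTIALS, now):
        print(f"{name}: {'expired' if days < 0 else 'expires in'} {abs(days)} days")
    print(" ".join(reset_command("APPLICATION_ID", "PASSWORD", "rotated-2020")))
```

Run it periodically against real 'az ad app credential list' output to get a warning well before the one-year default expiry turns into failed CPI calls.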