Description
Terraform Version
Terraform v1.8.0
on windows_amd64
Terraform Configuration Files
{
  "terraform": {
    "backend": {
      "azurerm": {
        "container_name": "tfstates",
        "environment": "china",
        "key": "prod.terraform.tfstate",
        "resource_group_name": "RG_Name",
        "storage_account_name": "saaccount",
        "use_oidc": true
      }
    },
    "required_providers": {
      "azuread": {
        "source": "hashicorp/azuread",
        "version": "2.50.0"
      },
      "azurerm": {
        "source": "azurerm",
        "version": "3.99.0"
      }
    }
  },
  "provider": {
    "azuread": [
      {
        "environment": "china",
        "use_oidc": true
      }
    ],
    "azurerm": [
      {
        "environment": "china",
        "features": {
        },
        "use_oidc": true
      }
    ]
  }
}
Debug Output
Error: Failed to get existing workspaces: Error retrieving keys for Storage Account "saaccount": autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS700212: No matching federated identity record found for presented assertion audience 'api://AzureADTokenExchange'. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://learn.microsoft.com/entra/workload-id/workload-identity-federation Trace ID: 4e74bc4f-80b6-434d-aba7-73c124dc5800 Correlation ID: 61f558e1-841a-4b19-96af-5ddadc2c3cb6 Timestamp: 2024-08-14 13:37:59Z","error_codes":[700212],"timestamp":"2024-08-14 13:37:59Z","trace_id":"4e74bc4f-80b6-434d-aba7-73c124dc5800","correlation_id":"61f558e1-841a-4b19-96af-5ddadc2c3cb6"}
Expected Behavior
It should be able to authenticate.
Actual Behavior
It's failing in authentication and the reason looks like it's due to a wrong assertion audience.
Because for Azure China Cloud the default assertion audience for a federated credential is api://AzureADTokenExchangeChina in Entra ID, whereas as per the above logs it's trying to use the 'api://AzureADTokenExchange' assertion audience while looking for federated credentials.
Steps to Reproduce
- terraform init
Additional Context
No response
References
No response
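The mismatch described under Actual Behavior (the assertion's aud claim versus the audience the cloud environment's federated credential expects) can be checked before running terraform init. The following is an added diagnostic, not code from this issue or from Terraform; the only audiences it knows are the two named in the issue, the environment keys are assumed, and the sample token is constructed.

```python
import base64
import json

# Expected token-exchange audiences per Azure environment, as stated in the
# issue: public cloud uses api://AzureADTokenExchange, China uses the China one.
EXPECTED_AUDIENCE = {
    "public": "api://AzureADTokenExchange",
    "china": "api://AzureADTokenExchangeChina",
}


def _b64url(data: bytes) -> str:
    """base64url-encode without the padding that JWT segments omit."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT signature verification (diagnostic only).
    Entra ID verifies the signature at exchange time; never trust these claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_assertion_audience(token: str, environment: str) -> tuple[bool, str]:
    """Return (ok, message): does the aud claim match what the environment expects?
    A mismatch is exactly the AADSTS700212 condition in the issue's debug output."""
    expected = EXPECTED_AUDIENCE[environment]
    aud = jwt_claims(token).get("aud")
    presented = aud if isinstance(aud, list) else [aud]  # RFC 7519: str or list
    if expected in presented:
        return True, f"aud {presented} matches {expected!r} for environment {environment!r}"
    return False, (f"aud {presented} does not match {expected!r} for environment "
                   f"{environment!r}; request the ID token with that audience or "
                   "set the federated credential's Audience to the presented value")


def unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned (alg none) JWT for local testing only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


# Constructed sample: an assertion carrying the public-cloud default audience,
# which is what the issue's log shows being rejected for the China environment.
SAMPLE_TOKEN = unsigned_jwt({"iss": "https://token.actions.githubusercontent.com",
                             "sub": "repo:example-org/example-repo:ref:refs/heads/main",
                             "aud": "api://AzureADTokenExchange"})

if __name__ == "__main__":
    print(check_assertion_audience(SAMPLE_TOKEN, "china")[1])
```

Run it against the token your pipeline actually hands to Terraform (for example the contents of the file ARM_OIDC_TOKEN_FILE_PATH points at) and the environment from your backend block; a False result means either the token request or the federated credential's Audience needs to change.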