Open
Description
Is there an existing issue for this?
- I have searched the existing issues
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Service Used
Azure Container Apps
API Versions Used
2019-08-01
Description
Making use of the new variable introduced in the PR #1207 still comes up with the error below.
2025-07-01T02:55:37.416Z [DEBUG] provider.terraform-provider-azurerm_v4.34.0_x5: plugin address: address=/tmp/plugin886175671 network=unix timestamp=2025-07-01T02:55:37.416Z
2025-07-01T02:55:37.485Z [DEBUG] provider.terraform-provider-azurerm_v4.34.0_x5: [DEBUG] Configuring built-in cloud environment by name: "public"
2025-07-01T02:55:37.486Z [DEBUG] provider.terraform-provider-azurerm_v4.34.0_x5: [DEBUG] Performing GET Request to "http://localhost:42356/msi/token?api-version=2019-08-01&client_id=3ed79e10-xxxx-xxxx-xxxx-xxxxxxxxxxxx&resource=https%3A%2F%2Fgraph.microsoft.com"
2025-07-01T02:55:37.486Z [DEBUG] provider.terraform-provider-azurerm_v4.34.0_x5: [DEBUG] GET http://localhost:42356/msi/token?api-version=2019-08-01&client_id=3ed79e10-xxxx-xxxx-xxxx-xxxxxxxxxxxx&resource=https%3A%2F%2Fgraph.microsoft.com
2025-07-01T02:55:37.488Z [DEBUG] provider.terraform-provider-azurerm_v4.34.0_x5: [DEBUG] Reading Body from GET "http://localhost:42356/msi/token?api-version=2019-08-01&client_id=3ed79e10-xxxx-xxxx-xxxx-xxxxxxxxxxxx&resource=https%3A%2F%2Fgraph.microsoft.com"
2025-07-01T02:55:37.488Z [ERROR] provider.terraform-provider-azurerm_v4.34.0_x5: Response contains error diagnostic: tf_req_id=04e51eb5-ae5e-fcaf-7bde-4daba06ff0a7 @caller=github.com/hashicorp/terraform-plugin-go@v0.26.0/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_detail="" diagnostic_severity=ERROR tf_proto_version=5.8 tf_provider_addr=registry.terraform.io/hashicorp/azurerm tf_rpc=Configure @module=sdk.proto diagnostic_summary="building account: could not acquire access token to parse claims: ManagedIdentityAuthorizer: failed to request token from metadata endpoint: received HTTP status 403 with body: " timestamp=2025-07-01T02:55:37.488Z
2025-07-01T02:55:37.489Z [ERROR] vertex "provider[\"registry.terraform.io/hashicorp/azurerm\"]" error: building account: could not acquire access token to parse claims: ManagedIdentityAuthorizer: failed to request token from metadata endpoint: received HTTP status 403 with body:
2025-07-01T02:55:37.489Z [WARN] Planning encountered errors, so plan is not applyable
2025-07-01T02:55:37.489Z [INFO] backend/local: refresh calling Refresh
╷
│ Warning: Empty or non-existent state
│
│ There are currently no remote objects tracked in the state, so there is nothing to refresh.
╵
╷
│ Error: building account: could not acquire access token to parse claims: ManagedIdentityAuthorizer: failed to request token from metadata endpoint: received HTTP status 403 with body:
│
│ with provider["registry.terraform.io/hashicorp/azurerm"],
│ on providers.tf line 23, in provider "azurerm":
│ 23: provider "azurerm" {
│
╵
2025-07-01T02:55:37.490Z [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2025-07-01T02:55:37.493Z [INFO] provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/hashicorp/azurerm/4.34.0/linux_amd64/terraform-provider-azurerm_v4.34.0_x5 id=1428
2025-07-01T02:55:37.493Z [DEBUG] provider: plugin exited
This is because the X-IDENTITY-HEADER is missing when authenticating. Using curl without the header produces a 403 error, but with the header it is successful. I believe this is the same thing requested in hashicorp/terraform#37268 for the backend.
References
https://learn.microsoft.com/en-us/azure/container-apps/managed-identity?tabs=portal%2Cpowershell#tabpanel_3_powershell
https://learn.microsoft.com/en-us/azure/container-apps/managed-identity?tabs=portal%2Chttp#tabpanel_3_http
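The behaviour reported above, as an added Go example that is not the provider's code: the token request from the debug log is sent to a constructed local mock of the identity endpoint, which returns 403 with an empty body unless X-IDENTITY-HEADER carries the expected value. `fetchToken`, `mockEndpoint` and the secret value are hypothetical; in a real Container App the endpoint and header value come from the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` environment variables.

```go
package main
import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// fetchToken (hypothetical helper) issues the GET seen in the debug log; identityHeader is the IDENTITY_HEADER value.
func fetchToken(endpoint, identityHeader, clientID, resource string) (int, string, error) {
	q := url.Values{"api-version": {"2019-08-01"}, "resource": {resource}}
	if clientID != "" {
		q.Set("client_id", clientID) // only for a user-assigned identity
	}
	req, err := http.NewRequest(http.MethodGet, endpoint+"?"+q.Encode(), nil)
	if err != nil {
		return 0, "", err
	}
	if identityHeader != "" {
		req.Header.Set("X-IDENTITY-HEADER", identityHeader) // treat as a secret, do not log it
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// mockEndpoint is a constructed stand-in for the local identity endpoint, not the real service.
func mockEndpoint(secret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-IDENTITY-HEADER") != secret {
			w.WriteHeader(http.StatusForbidden) // empty body, matching the error in the log
			return
		}
		fmt.Fprint(w, `{"access_token":"constructed-token","token_type":"Bearer"}`)
	}))
}

func main() {
	srv := mockEndpoint("constructed-secret")
	defer srv.Close()
	for _, h := range []string{"", "constructed-secret"} {
		code, body, err := fetchToken(srv.URL+"/msi/token", h, "", "https://graph.microsoft.com")
		fmt.Printf("header sent=%t status=%d body=%q err=%v\n", h != "", code, body, err)
	}
}
```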