Issue with pac connector and key vault secrets

[Hjaf]

I'm trying to update a connector the variables and secrets are defined in the environment. The normal variables are applied successfully, however the secret variable encounters an error:

$ pac connector update -df apiDefinition.json -pf apiProperties.json -id 00000000-00...
...
Version: 1.39.3+g0f45f92
Online documentation: https://aka.ms/PowerPlatformCLI
Feedback, Suggestions, Issues: https://github.com/microsoft/powerplatform-build-tools/discussions

Error: Error occured while reading secret: principal
    Error occured while reading secret: principal

apiProperties.json:

{
  "properties": {
    "connectionParameters": {
      "token": {
        "type": "oauthSetting",
        "oAuthSettings": {
          "identityProvider": "aad",
          "clientId": "@environmentVariables(\"xyz_XYZAuthenticationClientId\")",
          "clientSecret": "@environmentVariables(\"xyz_XYZAuthenticationClientSecret\")",
...
}

My user and the dataverse service has the necessary privileges (Key Vault IAM secrets user), and I am able to use the same reference to update the connector via the UI. It seems as if i need to add additional permissions to access the secrets via PAC CLI .

Any suggestions as to what may cause this?

[jvert]

I have this problem as well, although it was working last week. I have multiple environments (testing and production), and I get this error in one environment, but it works fine in another. Both are reading from the same key vault, so it doesn't seem like a permissions issue.

Also "occurred" is spelled wrong which I find equally infuriating.

[ewillman]

I know a "me too" post is not helpful, but I will point out that I can update the connector via the "paconn" CLI, but get the same error "Error occured while reading secret: principal" when using the "pac" CLI. Unfortunately, "paconn" requires an interactive login so cannot be used in the pipeline. So, if anyone understands what the difference is in the underlying implementation of those two CLIs might help to resolve?

In addition to the dataverse identity, I also added the principal that the PowerPlatform BuildTools Service Connection is using as a "Secret User" to the keyvault, but still get the same error.

I also tried updating the connector using the dataverse webapi (using the same credentials injected by the BuildTools) instead of the CLI, and get a generic 500 server error response. I will note that both CLIs and the webapi work as expected if I replace the @environmentVariables("variableName") references with hardcoded literal values.

[ewillman]

I can confirm that the problem exists in the underlying pac connector update command, not with the wrapper. Using the same command and files as I was using the pipeline, On my local machine, I can execute this command successfully if there are no @environmentVariables references in the apiproperties file, but as soon as I add a single keyvault-connected @environmentVariables reference to the apiproperties file, I get the above mentioned "Error occured while reading secret: principal". Using the same user login, I can successfully set that keyvault-connected @environmentVariables reference through the User Interface, so it is not a permission issue.
Also, interestingly, if I add the keyvault-connected @environmentVariables reference through the User Interface, and then attempt to update the connector through the CLI pac connector update command without a apiproperties parameter, I get the same Error. So it seems that the CLI just doesn't like keyvault-connected environment variables in any scenario