[gov cloud] Not able to fetch secrets from Azure US Gov - AADSTS900382: Confidential Client is not supported in Cross Cloud

[bhagathkumar]

Your checklist for this issue

• [ x] Jenkins version : 2.249.1

• [x ] Plugin version : 2.0

• [x ] OS : RHEL7

Description

When configuring key vault from Azure US gov .Test connection gives below error.

Max retries 3 times exceeded. Error Details: AADSTS900382: Confidential Client is not supported in Cross Cloud request.
Trace ID: xxxxx
Correlation ID: xxxxx
Timestamp: 2020-10-12 10:09:35Z
com.microsoft.aad.msal4j.MsalServiceException: AADSTS900382: Confidential Client is not supported in Cross Cloud request.

Trace ID: xxxxx

Correlation ID: xxxxx

Timestamp: 2020-10-12 10:09:35Z
at com.microsoft.aad.msal4j.MsalServiceExceptionFactory.fromHttpResponse(MsalServiceExceptionFactory.java:46)
at com.microsoft.aad.msal4j.TokenRequest.executeOauthRequestAndProcessResponse(TokenRequest.java:109)
at com.microsoft.aad.msal4j.ClientApplicationBase.acquireTokenCommon(ClientApplicationBase.java:163)
at com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier.execute(AcquireTokenByAuthorizationGrantSupplier.java:52)
at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:57)

But key vault from azure cloud. I am able to test the connection as well as retrieve the secrets.

[timja]

@xuzhang3 any idea?

[bhagathkumar]

I think AzureCredentialBuilder() is changed in com.azure:azure-identity 1.1.0 which include the support for azure gov subscriptions.

Ref:
https://blog.jongallant.com/2020/02/azure-identity-other-clouds/
https://stackoverflow.com/questions/62052854/how-connect-to-azure-key-vault-from-java-backend-using-azure-java-sdk

[timja]

ah sure, try set that environment variable otherwise PRs are welcome.

[bhagathkumar]

Tried with setting environment variable for jenkins runtime

option1 ,AZURE_AUTHORITY_HOST="https://login.microsoftonline.us"

option2, AZURE_AUTHORITY_HOST=https://login.microsoftonline.us

In Both ways.Its not working.
Got the same error message.

[timja]

where were you setting it?
I would expect you need to set it before Jenkins starts, maybe in pipeline it could work.

[bhagathkumar]

I am running jenkins as Docker .

Setting the environment variable in docker-compose.yml as below.

environment:

• AZURE_AUTHORITY_HOST="https://login.microsoftonline.us"

[bhagathkumar]

after setting in docker-compose.yml also .I am getting same error.
Is there any other fixes i can try?

[lovleshmalik]

I am also getting the similar error on Azure GovCloud. @bhagathkumar any luck solving this?

[timja]

@lovleshmalik @bhagathkumar
Can either of you try on https://github.com/jenkinsci/azure-keyvault-plugin/releases/tag/120.v42d9117f490e

I did some improvements in the azure-credentials plugin to resolve the environment properly I think, but I have no way of testing it

[bkarlow-optimo]

I am seeing this same error.

Has anyone made progress on a fix?

[timja]

this really needs someone with a us gov account to do it.

Are you seeing the same stacktrace @bkarlow-optimo ?

Have you configured a us gov endpoint on your credential?

[bkarlow-optimo]

Yes, same.

[aktiver]

The new-ish api also uses "https://management.core.usgovcloudapi.net" for its endpoint