
Can't delete a Secret from a Vault #2374

Closed
ringods opened this issue Apr 12, 2023 · 4 comments · Fixed by #2375
Labels: area/providers, impact/usability (something that impacts users' ability to use the product easily and intuitively), kind/bug (some behavior is incorrect or out of spec), resolution/fixed (this issue was fixed)

Comments

ringods (Member) commented Apr 12, 2023

What happened?

When deleting a secret from a keyvault, the following error comes up:

```
error: keyvault.BaseClient#DeleteSecret: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="Unauthorized" Message="AKV10022: Invalid audience. Expected https://vault.azure.net, found: https://management.azure.com/."
```

Expected Behavior

Secrets can be created and deleted with the credentials provided by the user.

Steps to reproduce

Run pulumi up with this app:

```typescript
import * as azure_native from '@pulumi/azure-native';
import * as azure_native_auth from '@pulumi/azure-native/authorization';
import * as pulumi from '@pulumi/pulumi';

// Access the current configuration from Azure
const config = pulumi.output(azure_native_auth.getClientConfig());
const subscriptionId = config.subscriptionId;
const currentObjectId = config.objectId;
const tenantId = config.tenantId;

const rg = new azure_native.resources.ResourceGroup('resourceGroup', {
  location: 'westeurope',
  resourceGroupName: 'rgtest',
});

const vault = new azure_native.keyvault.Vault('vault', {
  location: rg.location,
  properties: {
    accessPolicies: [
      {
        objectId: currentObjectId,
        permissions: {
          keys: [
            'Get',
            'List',
            'Update',
            'Create',
            'Import',
            'Delete',
            'Recover',
            'Backup',
            'Restore',
            'GetRotationPolicy',
            'SetRotationPolicy',
            'Rotate',
            'Encrypt',
            'Decrypt',
            'UnwrapKey',
            'WrapKey',
            'Verify',
            'Sign',
            'Purge',
            'Release',
          ],
          secrets: [
            'get',
            'list',
            'set',
            'delete',
            'recover',
            'backup',
            'restore',
            'purge',
          ],
          certificates: [
            'get',
            'list',
            'update',
            'create',
            'import',
            'delete',
            'recover',
            'backup',
            'restore',
            'managecontacts',
            'manageissuers',
            'getissuers',
            'listissuers',
            'setissuers',
            'deleteissuers',
            'purge',
          ],
        },
        tenantId: tenantId,
      },
    ],
    enabledForDeployment: true,
    enabledForDiskEncryption: true,
    enabledForTemplateDeployment: true,
    enablePurgeProtection: true,
    enableSoftDelete: true,
    sku: {
      family: 'A',
      name: azure_native.keyvault.SkuName.Standard,
    },
    tenantId: tenantId,
  },
  resourceGroupName: rg.name,
  vaultName: 'sample-vault-27123123123',
});

const secret = new azure_native.keyvault.Secret('secret', {
  properties: {
    value: 'secret-value',
  },
  resourceGroupName: rg.name,
  secretName: 'secret-name',
  vaultName: vault.name,
});
```

Then run pulumi destroy. Using az login for the credentials leads to the error reported.

Output of pulumi about

```
CLI
Version      3.62.0
Go Version   go1.20.2
Go Compiler  gc

Plugins
NAME          VERSION
azure-native  1.99.1
nodejs        unknown

Host
OS       darwin
Version  13.3
Arch     arm64

This project is written in nodejs: executable='/Users/ringods/.volta/bin/node' version='v16.19.1'

Current Stack: team-ce/keyvault-delete-secret/ringo

TYPE                                  URN
pulumi:pulumi:Stack                   urn:pulumi:ringo::keyvault-delete-secret::pulumi:pulumi:Stack::keyvault-delete-secret-ringo
pulumi:providers:azure-native         urn:pulumi:ringo::keyvault-delete-secret::pulumi:providers:azure-native::default_1_99_1
azure-native:resources:ResourceGroup  urn:pulumi:ringo::keyvault-delete-secret::azure-native:resources:ResourceGroup::resourceGroup
azure-native:keyvault:Vault           urn:pulumi:ringo::keyvault-delete-secret::azure-native:keyvault:Vault::vault
azure-native:keyvault:Secret          urn:pulumi:ringo::keyvault-delete-secret::azure-native:keyvault:Secret::secret

Found no pending operations associated with team-ce/ringo

Backend
Name           pulumi.com
URL            https://app.pulumi.com/ringods
User           ringods
Organizations  ringods, team-ce, pulumiverse, demo

Dependencies:
NAME                  VERSION
@pulumi/azure-native  1.99.1
@pulumi/pulumi        3.62.0
@types/node           16.18.23
```

Additional context

Stack Overflow answer explaining more about the audience requirement on the token when working with the Key Vault APIs:

https://stackoverflow.com/a/60221087

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
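The error quoted in the report is an audience mismatch: the provider sent a management-plane (ARM) token to the Key Vault data-plane `DeleteSecret` endpoint, which only accepts tokens issued for `https://vault.azure.net`. The following TypeScript is an added example, not code from this issue, the Pulumi provider, or the Azure SDK. It decodes the `aud` claim of an access token before the token is used against the data plane and reports a mismatch in the same terms as the AKV10022 message above, so the problem is caught client-side instead of as a 401 from the service. The tokens it builds are constructed, unsigned demo tokens; `KEY_VAULT_AUDIENCE` is the public-cloud value stated in the error message, and all function names are my own.

```typescript
// Added example (not from the Pulumi issue, provider or Azure SDK): inspect the
// `aud` claim of an Azure AD access token before sending it to the Key Vault
// data plane. Requires Node (Buffer is used for base64 handling).

// Audience the Key Vault data plane expects in the Azure public cloud, as quoted
// in the AKV10022 error. Sovereign clouds use different audiences (out of scope here).
export const KEY_VAULT_AUDIENCE = "https://vault.azure.net";

// Audience of an ARM (management-plane) token, which is what the failing
// DeleteSecret call in the report was carrying.
export const ARM_AUDIENCE = "https://management.azure.com/";

// Decode one base64url-encoded JWT segment into its JSON object.
function decodeSegment(segment: string): Record<string, unknown> {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// Return the audience(s) of a compact JWT. This does NOT verify the signature;
// it only reads the claim so the caller can diagnose or pick the right token.
export function tokenAudiences(token: string): string[] {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const aud = decodeSegment(parts[1])["aud"];
  if (typeof aud === "string") return [aud];
  if (Array.isArray(aud) && aud.every((a) => typeof a === "string")) return aud as string[];
  throw new Error("token has no usable aud claim");
}

// Azure AD audiences may or may not carry a trailing slash; compare normalized.
function normalize(aud: string): string {
  return aud.replace(/\/+$/, "").toLowerCase();
}

// True when the token was issued for the Key Vault data plane.
export function isValidForKeyVaultDataPlane(token: string): boolean {
  return tokenAudiences(token).some((a) => normalize(a) === normalize(KEY_VAULT_AUDIENCE));
}

// Explain a mismatch in the same terms as the service's AKV10022 error.
export function diagnose(token: string): string {
  if (isValidForKeyVaultDataPlane(token)) {
    return "ok: token audience is the Key Vault data plane";
  }
  return `invalid audience: expected ${KEY_VAULT_AUDIENCE}, found: ${tokenAudiences(token).join(", ")}`;
}

// Build a constructed, unsigned demo JWT (alg "none", empty signature) for a
// given audience. Real tokens are signed; this is only for offline demonstration.
export function makeDemoToken(aud: string): string {
  const enc = (o: object): string =>
    Buffer.from(JSON.stringify(o)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const header = { alg: "none", typ: "JWT" };
  const payload = {
    aud,
    iss: "https://sts.windows.net/00000000-0000-0000-0000-000000000000/", // constructed tenant id
    exp: 0,
  };
  return `${enc(header)}.${enc(payload)}.`;
}

// Walk through the two cases from the report: an ARM token (fails) and a vault token (works).
export function demo(): string[] {
  return [makeDemoToken(ARM_AUDIENCE), makeDemoToken(KEY_VAULT_AUDIENCE)].map(diagnose);
}

console.log(demo().join("\n"));
```

Running `demo()` prints the mismatch for the ARM-audience token first and the `ok` line for the vault-audience token second; in a real client the same check would sit between acquiring the token and constructing the data-plane client, with the token requested for the `https://vault.azure.net/.default` scope when the check fails.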

@ringods ringods added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Apr 12, 2023
@kpitzen kpitzen added impact/usability Something that impacts users' ability to use the product easily and intuitively area/providers and removed needs-triage Needs attention from the triage team labels Apr 12, 2023
thomas11 added a commit that referenced this issue Apr 12, 2023
- Fixes #2374 
- Fix wrong error message for OIDC auth
@pulumi-bot pulumi-bot added the resolution/fixed This issue was fixed label Apr 12, 2023
@lukehoban lukehoban added this to the 0.87 milestone Apr 17, 2023
thecodetinker commented

Hi - we've run into exactly this issue when upgrading from 1.98.1 to 1.101.0. We're using Managed Identity (ARM_USE_MSI) with the Pulumi Automation API.

Is there anything we need to do on our side to support the MSAL/ADAL changes? Would using the Automation API make any difference? Is it a possible regression? Just keen to see if you have any ideas before we spend lots of time trying to figure this out. Thanks!

thomas11 (Contributor) commented May 3, 2023

Hi @thecodetinker, sorry to hear you're having trouble with the upgrade. Just to double-check: the exact same code and configuration worked with 1.98.1?

I just took another look at the code and couldn't see an obvious issue. It may be something particular to MSI.

thecodetinker commented

Hi, yep, no other changes, just updated the DLLs. MSI is great but a pain to debug unfortunately. Do you have means of testing MSI there?

thomas11 (Contributor) commented May 4, 2023

Unfortunately, we don't have automated MSI tests at this point because they'd need to run on Azure while our CI suite runs on GitHub.

I opened #2432 to track this.
