How to update client secret in azure cloud credentials

Solution Verified - Updated -

Environment

  • Red Hat OpenShift Container Platform (RHOCP) 4.x
  • OpenShift on Azure

Issue

  • ARO Service Principal expired/ about to expire and needs to be rotated

  • Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for yourapp, or consider using certificate credentials for added security.
    Client secrets expired in azure.

Resolution

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

  • For the managed Azure offering, Azure Red Hat OpenShift(ARO), please follow the documentation or refer to the Knowledgebase Solution

  • Client secrets are generally stored in azure-credentials secret in kube-system project base64 encoded. If client secret got expired or new secret needs to be update, follow the below procedure:

  • Take the backup of azure-credentials before updating:
# oc get secret azure-credentials -n kube-system  -o yaml > azurebackup.yaml
  • Convert the new secret in base64 format:
# echo "<SECRETKEY>" | base64 -i
  • Copy the base64 encoded value and update the same in azure-credentials:
# oc edit secret azure-credentials -n kube-system

data:
  azure_client_id: XXXXXXXXXXXXXX
  azure_client_secret: XXXXXXXXXXXXXX
  azure_region: XXXXXXXXXXXXXX
  azure_resource_prefix: XXXXXXXXXXXXXX
  azure_resourcegroup: XXXXXXXXXXXXXX
  azure_subscription_id: XXXXXXXXXXXXXX
  azure_tenant_id: XXXXXXXXXXXXXX
  • Save and exit the file.

Root Cause

  • Client secret is generally saved in azure-credentials secret in kube-system project. Whenever it got rotated as per organization policy, it needs to be updated in OpenShift also, otherwise it will misbehave as OpenShift won't be able to communicate with Azure.

Diagnostic Steps

  • Below error message will be displayed in the cloud-credential-operators logs:
Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for yourapp, or consider using certificate credentials for added security.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments