I am using az cli to create/update Azure container app secrets, which worked fine for several months until yesterday. I get this error whenever I use this command:
az containerapp secret set -n my-containerapp -g MyResourceGroup \
    --secrets MySecretName1=MySecretValue1 \
    MySecretName2=keyvaultref:https://example.vault.azure.net/secrets/mysecret,identityref:/subscriptions/sub/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myidentity
The error message is:
(FailedIdentityOperation) Identity operation for resource '/subscriptions/7cc5611c-e06d-4ae0-9e81-dab09605a818/resourceGroups/app-plan-client/providers/Microsoft.App/containerApps/dev-citeo-mailing' failed with error 'Failed to perform resource identity operation. Status: 'BadRequest'. Response: '{"error":{"code":"BadRequest","message":"Client not permitted to perform resource delegation. Requests containing delegatedResources must be made with a valid Microsoft 1st-party app credential."}}'.'.
I haven't changed anything. I use this command in several Azure DevOps pipelines to manage my container app secrets since there is a problem with azurerm under Terraform. It worked fine and since yesterday suddenly the command no longer works either locally or from my build agents, even after updating az cli (on Linux, WSL and Windows pwsh).
I think it's the same problem as "Azure Identity provider for resource - failure on container app deployment".
My az version:
{
  "azure-cli": "2.57.0",
  "azure-cli-core": "2.57.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "containerapp": "0.3.47"
  }
}
I updated az cli, tried it from different servers with different login options (my Azure creds, service principal, service connection), and from different OSes. Nothing changed, always the same error.
I expect the az cli command for the ACA secret update to work as before.