[SoftNAS KB]: Expired Azure Service Principal Secret

Symptoms

Due to recent changes to Azure Service Principal certificates and secrets, a client secret can no longer be set to never expire. Once the saved secret expires, your SoftNAS instance can no longer communicate with the Azure platform API, which can cause SNAP HA failovers to fail to complete and prevent management of data disks.

Purpose

This article explains how to determine whether the saved Service Principal credentials have expired and how to remediate the problem.

Resolution

Log in to the potentially affected SoftNAS instance via SSH.

To determine if the saved Service Principal credentials have expired, use the command:

sudo /var/www/softnas/scripts/azwrapper.sh vm list 2>&1 | grep -q "AADSTS7000222\|Please run" && echo "Service Principal secret has expired!" || echo "Service Principal secret is valid!"

If the returned message indicates the secret has expired, continue with the steps below.

  1. From the Azure portal, create a new client secret for the existing Service Principal
  2. Log in to the SoftNAS instance via SSH (if using SNAP HA, start with the Primary node)
  3. From the SSH session download the patch file

    wget https://softnas.com/software/softnas/patches/BS-498.zip

  4. Uncompress the patch file and copy to the working location

    unzip BS-498.zip && sudo cp *.php /var/www/softnas/snserver/

  5. Update the Service Principal credentials, replacing URI, CLIENT_SECRET and TENANT_ID with the username, new client secret and tenant ID from step #1

    sudo sh -c 'cd /var/www/softnas/snserver && php -d display_errors ./update_credentials.php --platform=azure --username=URI --password=CLIENT_SECRET --tenant=TENANT_ID --forcelogin'

  6. From the SSH session, verify that the azureMainStorageAccount value is populated

    sudo grep "azureMainStorageAccount =" /var/www/softnas/config/azure.ini

    NOTE: Only perform steps 7-8 if the value of azureMainStorageAccount is null.

  7. If the value of azureMainStorageAccount is null, use the command below to look up the storage account

    sudo grep CONTROLLER_STORAGE_NAME /var/www/softnas/config/HA.ini

    NOTE: If these steps are being performed on a SoftNAS version prior to 5.6.1, the CONTROLLER_STORAGE_NAME value will not display when this command is executed on the SNAP HA Target node. For the following step simply use the CONTROLLER_STORAGE_NAME from the Primary node, as it will be common between both nodes.

  8. Modify the azure.ini file in place, replacing ACCT with the value returned by the previous command

    sudo sed -i 's/azureMainStorageAccount =/azureMainStorageAccount = "ACCT"/g' /var/www/softnas/config/azure.ini

    For example:
    softnas@softnas-src:~$ sudo grep CONTROLLER_STORAGE_NAME /var/www/softnas/config/HA.ini
    CONTROLLER_STORAGE_NAME = "hasoftnassrc48656"
    softnas@softnas-src:~$ sudo sed -i 's/azureMainStorageAccount =/azureMainStorageAccount = "hasoftnassrc48656"/g' /var/www/softnas/config/azure.ini

  9. If the SoftNAS instance is part of a SNAP HA setup, repeat steps 2-8 on the second node.
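The following script is an added example (not a SoftNAS script) that automates steps 6-8 safely: it reads CONTROLLER_STORAGE_NAME from HA.ini, writes it into azureMainStorageAccount only when that value is empty, checks the name against the Azure storage account naming rules, and keeps a backup of azure.ini. It assumes the key layout shown above; the file paths are parameters so it can be tried on copies before touching /var/www/softnas/config.

```shell
#!/bin/sh
# Added example, not a SoftNAS script: automates steps 6-8 of the article.
# It copies CONTROLLER_STORAGE_NAME from HA.ini into azureMainStorageAccount
# in azure.ini only when that value is empty, validates the name, and keeps
# a backup, so a re-run on a node that is already fixed changes nothing.
# File paths are parameters so the functions can be exercised on copies.

# Print the quoted CONTROLLER_STORAGE_NAME value from an HA.ini file (empty if absent).
ha_storage_name() {
    sed -n 's/^CONTROLLER_STORAGE_NAME *= *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the current azureMainStorageAccount value without quotes (empty if unset).
current_main_account() {
    sed -n 's/^azureMainStorageAccount *= *"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# Return 0 when azureMainStorageAccount is populated afterwards, 1 on bad input.
fill_main_account() {
    azure_ini=$1
    ha_ini=$2
    existing=$(current_main_account "$azure_ini")
    if [ -n "$existing" ]; then
        echo "azureMainStorageAccount already set to \"$existing\"; nothing to do" >&2
        return 0
    fi
    acct=$(ha_storage_name "$ha_ini")
    # Azure storage account names are 3-24 lowercase letters and digits; refuse
    # anything else rather than write an unusable value into azure.ini.
    case "$acct" in
        ""|*[!a-z0-9]*) echo "no usable CONTROLLER_STORAGE_NAME in $ha_ini" >&2; return 1 ;;
    esac
    if [ "${#acct}" -lt 3 ] || [ "${#acct}" -gt 24 ]; then
        echo "storage account name \"$acct\" has an invalid length" >&2
        return 1
    fi
    cp "$azure_ini" "$azure_ini.bak" || return 1
    sed "s/^azureMainStorageAccount *=.*/azureMainStorageAccount = \"$acct\"/" "$azure_ini" \
        > "$azure_ini.tmp" && mv "$azure_ini.tmp" "$azure_ini"
}

# On a SoftNAS node (as root):
#   sh fix_storage_account.sh /var/www/softnas/config/azure.ini /var/www/softnas/config/HA.ini
if [ "$#" -eq 2 ]; then
    fill_main_account "$1" "$2"
fi
```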
If you need further assistance, please contact support@softnas.com.