Issue with JWT Assertion logon

[ptejado]

Hello all,
@lechnerc77, @vipinvkmenon,

We are not sure if this is the forum for sharing this issue, but we are configuring a Proof of Concept for using JWT logon and it is failing.

For our business as usual CI/CD we are using USER and PASSWORD logon, but we are interested in using JWT logon in order to avoid using passwords in githubs repos.

We've followed these links:
https://dev.to/vipinvkmenon/bye-bye-credentials-automate-btp-cloud-foundry-setup-with-terraform-using-github-actions-and-3m07
https://community.sap.com/t5/technology-blog-posts-by-sap/authenticating-github-actions-workflows-deploying-to-the-sap-btp-cloud/ba-p/14075047

It seems we are able to generate the JWT token in the corresponding workflow step:

Run actions/github-script@v7
  with:
    script: const tenanturl = process.env.TENANT_URL;
  const coredemo = require('@actions/core')
  let id_token = await coredemo.getIDToken(tenanturl)
  coredemo.setOutput('githubJwt', id_token)
    github-token: ***
    debug: true
    user-agent: actions/github-script
    result-encoding: json
    retries: 0
    retry-exempt-status-codes: 400,401,403,404,422
  env:
    PATH_TO_TFSCRIPT_BTP: ./
    pr_exists: false
    TERRAFORM_CLI_PATH: /home/runner/_work/_temp/6cce43af-90a8-41fe-b006-77198621bf38
    TENANT_URL: https://<our_company>.accounts.ondemand.com/
##[debug]ID token url is https://run-actions-1-azure-eastus.actions.githubusercontent.com/34//idtoken/decc428e-2cdf-434e-9654-166bbf7080c9/e068201c-7140-5395-9d79-067b254540b5?api-version=2.0&audience=https%3A%2F%2F<our_company>.accounts.ondemand.com%2F
::add-mask::***
##[debug]Node Action run completed with exit code 0
##[debug]Set output githubJwt = ***
##[debug]Set output result = 
##[debug]Finishing: Get Id Token

But when we use it for logging on and executing a terraform plan through BTP_ASSERTION environment variable, we received the following generic error:

Error: unableToCreateClient

  with provider["registry.terraform.io/sap/btp"],
  on provider.tf line 15, in provider "btp":
  15: provider "btp" {

Login failed. Check your credentials. [Status: 401; Correlation ID:
e44f7ea4-9cc2-2891-7475-7283d7317db9]

No information has been found in our IAS for that correlation ID.

How can we find out more using that correlation ID?
Does exist any additional variables for adding more debug addionally to ACTIONS_STEP_DEBUG and ACTIONS_RUNNER_DEBUG?

Many thanks for you collaboration.

[lechnerc77]

@ptejado this is a perfect place to start a discussion about your issue. The error you are facing is that the login on SAP BTP does not work with the configuration you have made. This could have several reasons that ned to be sorted out:

• When creating the GH JWT Token is the tenant URL set correctly?
• Is the configuration in the Custom IdP correct especially when it comes to typos?
• Is the Trust connection to the custom IdP in place?
• Is the "technical" user on Global Account level added and has the admin role assigned?
• Is the Terraform configuration (provider.tf) correct i.e. is the origin key of the IdP set correctly?

Can you check these points to narrow down where the issues comes from? I think the GH action itself is correct, at least the output shows the expected content.

[ptejado]

Hello Christian,
Sorry for not replying earlier — I was on my annual leave. Since the case involves company information, would it be possible to share some details with you privately?