azure_rm_keyvaultsecret_info: Session.request() fails with unexpected keyword argument 'enable_cae' #1780

Open
jpsullivan opened this issue Dec 7, 2024 · 3 comments
Labels: bug (Something isn't working); work in (In trying to solve, or in working with contributors)

Comments

@jpsullivan

SUMMARY

When attempting to fetch secrets from Azure Key Vault using the azure_rm_keyvaultsecret_info module, the task fails with an error indicating an unexpected keyword argument enable_cae in the Session.request() call.

failed: [...] => {
    "msg": "Find the key vault secret got exception, exception as Session.request() got an unexpected keyword argument 'enable_cae'"
}

I'm aware that this has been identified in other repos (Azure/azure-cli#27131) and allegedly patched, but this appears to still be an issue with azcollection.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

azure_rm_keyvaultsecret_info

ANSIBLE VERSION
ansible [core 2.18.1]
  config file = /Users/{omitted}/ansible.cfg
  configured module search path = ['~/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = ~/.local/lib/python3.13/site-packages/ansible
  ansible collection location = ~/.ansible/collections:/usr/share/ansible/collections
  executable location = ~/.local/bin/ansible
  python version = 3.13.1 (main, Dec  6 2024, 23:51:49) [Clang 16.0.0 (clang-1600.0.26.4)] (~/.pyenv/versions/3.13.1/bin/python3)
  jinja version = 3.1.4
  libyaml = True
COLLECTION VERSION
3.1.0
CONFIGURATION
CONFIG_FILE() = ~/{omitted}/ansible.cfg
DEFAULT_HOST_LIST(~/{omitted}/ansible.cfg) = ['~/{omitted}/inventory.yml']
DEFAULT_REMOTE_USER(~/{omitted}/ansible.cfg) = pi
DEFAULT_ROLES_PATH(~/{omitted}/ansible.cfg) = ['~/{omitted}/roles']
DEFAULT_TIMEOUT(~/{omitted}/ansible.cfg) = 60
HOST_KEY_CHECKING(~/{omitted}/ansible.cfg) = False
OS / ENVIRONMENT

OS: macOS 15.1.1 (24B91)

STEPS TO REPRODUCE
  1. Install all ansible and python requirements:
ansible-galaxy collection install -r requirements.yml
pip3 install -r ~/.ansible/collections/ansible_collections/azure/azcollection/requirements.txt
  2. Create and execute an Ansible playbook with the following task:
- name: Get secrets from Azure Key Vault
  azure.azcollection.azure_rm_keyvaultsecret_info:
    vault_uri: "https://[keyvault-name].vault.azure.net"
    name: "{{ item.name }}"
  register: "secret_result"
  loop: "{{ keyvault_secrets }}"
EXPECTED RESULTS

Expected to pull the secrets that I am sure exist within my KeyVault.

ACTUAL RESULTS

Pasted the relevant exception details below:

Using module file ~/.ansible/collections/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvaultsecret_info.py
<localhost> PUT ~/.ansible/tmp/ansible-local-40316fj6yt8xi/tmpuzkbh3pf TO ~/.ansible/tmp/ansible-tmp-1733580995.382248-40495-202277196457352/AnsiballZ_azure_rm_keyvaultsecret_info.py
<localhost> EXEC /bin/sh -c 'chmod u+x ~/.ansible/tmp/ansible-tmp-1733580995.382248-40495-202277196457352/ ~/.ansible/tmp/ansible-tmp-1733580995.382248-40495-202277196457352/AnsiballZ_azure_rm_keyvaultsecret_info.py && sleep 0'
<localhost> EXEC /bin/sh -c '~/.pyenv/versions/3.13.1/bin/python3 ~/.ansible/tmp/ansible-tmp-1733580995.382248-40495-202277196457352/AnsiballZ_azure_rm_keyvaultsecret_info.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r ~/.ansible/tmp/ansible-tmp-1733580995.382248-40495-202277196457352/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/var/folders/h8/bm4d0tb515gc29t8xq_zkn8r0000gn/T/ansible_azure.azcollection.azure_rm_keyvaultsecret_info_payload_n34rhpb2/ansible_azure.azcollection.azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvaultsecret_info.py", line 297, in get_secret
    response = self._client.get_secret(name=self.name, version='')
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/keyvault/secrets/_client.py", line 65, in get_secret
    bundle = self._client.get_secret(
        vault_base_url=self._vault_url,
    ...<2 lines>...
        **kwargs
    )
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/keyvault/secrets/_generated/_operations/_operations.py", line 751, in get_secret
    pipeline_response: PipelineResponse = self._client._pipeline.run(  # pylint: disable=protected-access
                                          ~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        _request, stream=_stream, **kwargs
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/core/pipeline/_base.py", line 229, in run
    return first_node.send(pipeline_request)
           ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
  [Previous line repeated 2 more times]
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/core/pipeline/policies/_redirect.py", line 197, in send
    response = self.next.send(request)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/core/pipeline/policies/_retry.py", line 532, in send
    response = self.next.send(request)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 120, in send
    return self.handle_challenge_flow(request, response)
           ~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 149, in handle_challenge_flow
    request_authorized = self.on_challenge(request, response)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 239, in on_challenge
    self.authorize_request(request, scope, claims=challenge.claims, tenant_id=challenge.tenant_id)
    ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/core/pipeline/policies/_authentication.py", line 133, in authorize_request
    self._request_token(*scopes, **kwargs)
    ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/core/pipeline/policies/_authentication.py", line 96, in _request_token
    self._token = cast(TokenCredential, self._credential).get_token(*scopes, **kwargs)
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/cli/core/auth/credential_adaptor.py", line 65, in get_token
    token, _ = self._get_token(scopes, **kwargs)
               ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/cli/core/auth/credential_adaptor.py", line 38, in _get_token
    token = self._credential.get_token(*scopes, **kwargs)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/azure/cli/core/auth/msal_authentication.py", line 69, in get_token
    result = self.acquire_token_silent_with_error(list(scopes), self._account, claims_challenge=claims, **kwargs)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/msal/application.py", line 1401, in acquire_token_silent_with_error
    return _clean_up(self._acquire_token_silent_with_error(
                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        scopes, account, authority=authority, force_refresh=force_refresh,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        claims_challenge=claims_challenge, auth_scheme=auth_scheme, **kwargs))
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/msal/application.py", line 1424, in _acquire_token_silent_with_error
    result = self._acquire_token_silent_from_cache_and_possibly_refresh_it(
        scopes, account, self.authority, force_refresh=force_refresh,
    ...<2 lines>...
        auth_scheme=auth_scheme,
        **kwargs)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/msal/application.py", line 1559, in _acquire_token_silent_from_cache_and_possibly_refresh_it
    result = self._acquire_token_silent_by_finding_rt_belongs_to_me_or_my_family(
        authority, self._decorate_scope(scopes), account,
        refresh_reason=refresh_reason, claims_challenge=claims_challenge,
        correlation_id=correlation_id,
        **kwargs)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/msal/application.py", line 1620, in _acquire_token_silent_by_finding_rt_belongs_to_me_or_my_family
    last_resp = at = self._acquire_token_silent_by_finding_specific_refresh_token(
                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        authority, scopes, dict(query, family_id=app_metadata["family_id"]),
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        **kwargs)
        ^^^^^^^^^
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/msal/application.py", line 1668, in _acquire_token_silent_by_finding_specific_refresh_token
    response = client.obtain_token_by_refresh_token(
        entry, rt_getter=lambda token_item: token_item["secret"],
    ...<13 lines>...
                self._client_capabilities, claims_challenge)),
        **kwargs)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/msal/oauth2cli/oauth2.py", line 835, in obtain_token_by_refresh_token
    resp = super(Client, self).obtain_token_by_refresh_token(
        rt_getter(token_item)
    ...<2 lines>...
        also_save_rt=on_updating_rt is False,
        **kwargs)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/msal/oauth2cli/oauth2.py", line 265, in obtain_token_by_refresh_token
    return self._obtain_token("refresh_token", data=data, **kwargs)
           ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/msal/oauth2cli/oidc.py", line 170, in _obtain_token
    ret = super(Client, self)._obtain_token(grant_type, *args, **kwargs)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/msal/oauth2cli/oauth2.py", line 776, in _obtain_token
    resp = super(Client, self)._obtain_token(
        grant_type, params, _data, *args, **kwargs)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/msal/oauth2cli/oauth2.py", line 237, in _obtain_token
    resp = (post or self._http_client.post)(
        self.configuration["token_endpoint"],
        headers=_headers, params=params, data=_data,
        **kwargs)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/msal/individual_cache.py", line 269, in wrapper
    value = function(*args, **kwargs)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/msal/individual_cache.py", line 269, in wrapper
    value = function(*args, **kwargs)
  File "~/.pyenv/versions/3.13.1/lib/python3.13/site-packages/requests/sessions.py", line 637, in post
    return self.request("POST", url, data=data, json=json, **kwargs)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
failed: [devbox -> localhost] (item={'name': '{my_secret_name}', 'variable_name': '{my_secret_variable_name}'}) => {
    "ansible_loop_var": "item",
    "changed": false,
    "invocation": {
        "module_args": {
            "ad_user": null,
            "adfs_authority_url": null,
            "api_profile": "latest",
            "auth_source": "auto",
            "cert_validation_mode": null,
            "client_id": null,
            "cloud_environment": "AzureCloud",
            "disable_instance_discovery": false,
            "log_mode": null,
            "log_path": null,
            "name": "{my_secret_name}",
            "password": null,
            "profile": null,
            "secret": null,
            "show_deleted_secret": false,
            "subscription_id": null,
            "tags": null,
            "tenant": null,
            "thumbprint": null,
            "vault_uri": "{my_kv_uri}",
            "version": "current",
            "x509_certificate_path": null
        }
    },
    "item": {
        "name": "{my_secret_name}",
        "variable_name": "{my_secret_variable_name}"
    },
    "msg": "Find the key vault secret got exception, exception as Session.request() got an unexpected keyword argument 'enable_cae'"
}
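
The traceback above shows `**kwargs` being handed from layer to layer until `Session.request()` rejects `enable_cae`. The following is an added illustration of that failure mode, not code from azure-cli, msal, requests or the collection: `http_post`, `obtain_token`, `ForwardingCredential`, `StrictCredential` and `request_token` are hypothetical stand-ins, and the token URL is constructed.

```python
# Added illustration: stand-in functions only, not azure-cli, msal or requests code.

def http_post(url, data=None, headers=None, timeout=None):
    """Stand-in for the HTTP sink: a fixed keyword set and no **kwargs."""
    return {"url": url, "data": data}


def obtain_token(scopes, **kwargs):
    """Stand-in for a token client that forwards every keyword it receives."""
    return http_post("https://login.example.invalid/token",  # constructed URL
                     data={"scope": " ".join(scopes)}, **kwargs)


class ForwardingCredential:
    """Wrapper that passes caller keywords straight through, as in the traceback."""

    def get_token(self, *scopes, **kwargs):
        return obtain_token(list(scopes), **kwargs)


class StrictCredential:
    """Wrapper that consumes the options it knows and rejects the rest itself."""

    def __init__(self):
        self.last_options = None

    def get_token(self, *scopes, claims=None, tenant_id=None,
                  enable_cae=False, **unknown):
        if unknown:
            raise TypeError("StrictCredential.get_token() does not support: "
                            + ", ".join(sorted(unknown)))
        # Assumption: how a real wrapper acts on these options is out of scope;
        # they are recorded here and never forwarded as HTTP keywords.
        self.last_options = {"claims": claims, "tenant_id": tenant_id,
                             "enable_cae": enable_cae}
        return obtain_token(list(scopes))


def request_token(credential, **options):
    """Return (token_response, error_text) for one get_token call."""
    try:
        scope = "https://vault.azure.net/.default"  # sample scope value
        return credential.get_token(scope, **options), None
    except TypeError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print(request_token(ForwardingCredential(), enable_cae=True))
    print(request_token(StrictCredential(), enable_cae=True))
```

With the forwarding wrapper the error surfaces several frames away from the layer that introduced the option; the strict wrapper either handles the option or fails at its own boundary with a message that names it.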
@Fred-sun added the "bug" and "work in" labels on Dec 9, 2024
@Fred-sun
Collaborator

Fred-sun commented Dec 9, 2024

@jpsullivan Which authentication method do you use? For example, credentials files, environment variables or 'az login', thank you!

@jpsullivan
Author

Hey @Fred-sun! Thanks for taking a look.

I typically use az login to authenticate.

@SrinivasanSelvam

SrinivasanSelvam commented Dec 9, 2024

Facing the same issue with Ansible version
ansible [core 2.17.4]
azure cli version - 2.66.0*

Facing the issue with the azure.azcollection.azure_rm_keyvaultsecret_info Ansible module.
The azure.azcollection.azure_keyvault_secret Ansible module is working as of now.
