diff --git a/internal/sops/azkv/config.go b/internal/sops/azkv/config.go index 2de7fd889..fa7866336 100644 --- a/internal/sops/azkv/config.go +++ b/internal/sops/azkv/config.go @@ -100,6 +100,7 @@ func TokenCredentialFromAADConfig(c AADConfig) (token azcore.TokenCredential, er }, }) } + return nil, fmt.Errorf("invalid data: requires 'clientSecret' or 'clientCertificate' when both 'tenantId' and 'clientId' are set") } switch { diff --git a/internal/sops/azkv/config_test.go b/internal/sops/azkv/config_test.go index 54153ea8d..1790049fd 100644 --- a/internal/sops/azkv/config_test.go +++ b/internal/sops/azkv/config_test.go @@ -153,6 +153,14 @@ func TestTokenFromAADConfig(t *testing.T) { }, want: &azidentity.ManagedIdentityCredential{}, }, + { + name: "Incomplete Service Principal does not fall back to Managed Identity", + config: AADConfig{ + TenantID: "some-tenant-id", + ClientID: "some-client-id", + }, + wantErr: true, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) {