Error message "Invalid client secret provided" on Prisma Cloud
Symptom
- If an Azure Application Client Secret expires in the Azure Portal, the Prisma Cloud console will display an "Invalid client secret provided" error for the Cloud Account Status.
Environment
- Prisma Cloud
- Microsoft Azure
Cause
Besides an expired secret, any extra space or typo introduced while copying the Value Key from the Azure portal to Prisma Cloud will cause an "Invalid client secret provided" error.
Note: DO NOT save the Value Key in an ordinary notes application, and do not copy Value Keys from such an application into the Prisma Cloud account settings. Notes applications may alter the characters of the Value Key, which is almost impossible to troubleshoot. Best practice is to save Value Keys in a plain-text code editor such as Notepad++, Sublime Text or VS Code.
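As an added example (not part of this article, nor of Prisma Cloud's or Microsoft's tooling), the Python below checks a copied secret value for the stray whitespace and substituted characters described above, and flags app registration credentials that have expired or are about to expire. The credential records are constructed samples; their field names (`endDateTime`, `displayName`) are assumed to match the output of `az ad app credential list`.

```python
import unicodedata
from datetime import datetime, timedelta, timezone
from typing import Optional


def check_pasted_secret(value: str) -> list:
    """Report anything in a copied client-secret value that a notes application
    or a slip while copying could have introduced; [] means the value is clean."""
    problems = []
    if value != value.strip():
        problems.append("leading or trailing whitespace")
    # Azure secret values are printable ASCII; smart quotes, non-breaking spaces,
    # embedded spaces and line breaks all fall outside 0x21-0x7E.
    for ch in sorted({c for c in value.strip() if not 0x21 <= ord(c) <= 0x7E}):
        problems.append(f"unexpected character {unicodedata.name(ch, repr(ch))}")
    return problems


def expiring_credentials(credentials: list, within_days: int = 30,
                         now: Optional[datetime] = None) -> list:
    """Flag credentials whose endDateTime has passed or falls within within_days;
    returns (displayName, 'expired' | 'expiring') pairs in input order."""
    now = now or datetime.now(timezone.utc)
    horizon = now + timedelta(days=within_days)
    findings = []
    for cred in credentials:
        # Keep only YYYY-MM-DDTHH:MM:SS so fractional seconds of any length parse.
        end = datetime.strptime(cred["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        end = end.replace(tzinfo=timezone.utc)
        if end <= now:
            findings.append((cred.get("displayName", "<unnamed>"), "expired"))
        elif end <= horizon:
            findings.append((cred.get("displayName", "<unnamed>"), "expiring"))
    return findings


# Constructed sample records (not real credentials), shaped like the
# passwordCredentials returned by `az ad app credential list --id <client-id>`;
# the field names are an assumption, check them against your own CLI output.
SAMPLE_CREDENTIALS = [
    {"displayName": "prisma-cloud-2022", "endDateTime": "2023-01-15T00:00:00Z"},
    {"displayName": "prisma-cloud-rotated", "endDateTime": "2024-03-20T00:00:00Z"},
    {"displayName": "prisma-cloud-longlived", "endDateTime": "2026-03-01T00:00:00Z"},
]
REFERENCE_TIME = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed so the demo is reproducible

if __name__ == "__main__":
    for name, state in expiring_credentials(SAMPLE_CREDENTIALS, 30, REFERENCE_TIME):
        print(f"{name}: {state} - create a new client secret and update Prisma Cloud")
    print(check_pasted_secret("Abc1\u00a0xyZ.Q2w3e4r5t6y7u8i9o0 "))  # constructed mangled value
```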
Resolution
Prisma Console:
1. Log in to Prisma Console.
2. Go to Settings > Cloud Accounts and click the Edit button under Actions.
3. Click the Pencil button to open the Configure Account page.
4. Copy the Application (Client) ID to a plain-text editor; you will use it to locate the app registration in the Azure portal.
Microsoft Azure Portal:
1. Log in to the Azure portal.
2. Type App registrations in the search bar, then click App registrations.
3. Look for the Application (client) ID you copied from the Prisma Cloud account and click the application. In this example it is Prisma Cloud App qobyz.
4. The Overview page of Prisma Cloud App qobyz shows "A certificate or secret has expired. Create a new one", so create a new secret.
5. In the left pane, click Certificates & secrets under Manage, then click New client secret.
6. Fill in the required fields for the client secret.
Note: From the Expires drop-down menu, choose the expiry period that meets your requirements.
7. Copy the Value displayed under Client secrets.
Note: A client secret value is displayed only at the time of creation; afterwards it is neither displayed nor retrievable. If you missed it, create a new client secret and copy its value while it is displayed.
Prisma Console:
8. Replace the old value in the Application Client Secret field of the Prisma Cloud account, then click Next.
9. Click Next again to see the Status.
10. When the Status is green, click Done.
Note: If the Status is not green, wait a few minutes and repeat Steps 7 to 10. If you have not set up Flow Logs ingestion, its status will not be green after replacing the value.
11. Congratulations! You have successfully replaced the Client Secret Value.
Additional Information
(Optional) Enable NSG flow logs: If you want to enable flow log ingestion, you must complete the tasks outlined in Step 9.