Report #44920
[bug_fix] AADSTS7000222: The provided client secret is expired. Traced by...
Navigate to the Azure App Registration in the Azure Portal, select 'Certificates & secrets', and create a new client secret (copy the value immediately, because it is shown only once). Update the application's configuration (environment variable, Azure Key Vault, or Kubernetes secret) with the new secret value, then restart the application. To prevent recurrence, implement secret rotation using Azure Key Vault with soft-delete and rotation policies enabled, or migrate the workload to Azure AD Workload Identity (federated credentials), which eliminates the need for client secrets entirely.
Journey Context:
A DevOps engineer notices that a production microservice running on Azure Kubernetes Service (AKS) is crash-looping with an Azure Identity error indicating the client secret is expired. The application uses `@azure/identity` `ClientSecretCredential` with credentials injected via a Kubernetes secret. The engineer checks the App Registration in the Azure Portal under 'Certificates & secrets' and sees that the secret used by the application shows 'Expired' with a past date. They realize that client secrets have a maximum lifetime (previously 2 years, now configurable to longer but still finite). They create a new secret, copy the value (which is displayed only once), and update the Kubernetes secret using `kubectl create secret generic ... --from-literal=client-secret=NEWVALUE --dry-run=client -o yaml | kubectl apply -f -`. They restart the deployment and the application recovers. They document the need to migrate to Azure AD Workload Identity to avoid secrets entirely.
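The outage above was avoidable: the expiry date of every client secret is visible in the App Registration long before AADSTS7000222 appears. The following script is an added example (not part of the original report or of any Microsoft tooling) that reads the JSON printed by the real `az ad app credential list --id <APP_ID>` command and flags secrets that are expired or within a configurable warning window, so rotation can be scheduled from a cron job or CI check. The credential list embedded below is constructed sample data in the shape of that command's output; the field names `keyId`, `displayName` and `endDateTime` are those printed by current versions of the az CLI (older versions print `endDate`, which is also accepted), and the `now` value used by the demo is fixed so the run is reproducible offline.

```python
"""Flag Azure AD app-registration client secrets that are expired or expiring.

Added example, not part of the original report. Parses the JSON that
`az ad app credential list --id <APP_ID>` prints and classifies each secret,
so a scheduled check can catch expiry before AADSTS7000222 takes a workload down.
"""
import json
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `az ad app credential list` output
# (keyIds and names are made up; not values from the original report).
SAMPLE_CREDENTIALS = json.dumps([
    {"keyId": "00000000-0000-0000-0000-000000000001",
     "displayName": "aks-prod-secret",
     "endDateTime": "2024-01-15T00:00:00+00:00"},
    {"keyId": "00000000-0000-0000-0000-000000000002",
     "displayName": "aks-prod-secret-v2",
     "endDateTime": "2099-12-31T23:59:59+00:00"},
])


def parse_end(cred):
    """Return a credential's expiry as an aware UTC datetime.

    Accepts the newer `endDateTime` field and the older `endDate` field,
    and tolerates a trailing 'Z' (UTC) suffix on the timestamp.
    """
    raw = cred.get("endDateTime") or cred.get("endDate")
    if raw is None:
        raise ValueError(f"credential {cred.get('keyId')} has no expiry field")
    if raw.endswith("Z"):
        raw = raw[:-1] + "+00:00"
    end = datetime.fromisoformat(raw)
    if end.tzinfo is None:
        end = end.replace(tzinfo=timezone.utc)
    return end.astimezone(timezone.utc)


def classify_secrets(creds_json, now=None, warn_days=30):
    """Classify each secret as 'expired', 'expiring' (within warn_days) or 'ok'."""
    now = now or datetime.now(timezone.utc)
    results = []
    for cred in json.loads(creds_json):
        end = parse_end(cred)
        remaining = end - now
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        results.append({
            "keyId": cred.get("keyId"),
            "displayName": cred.get("displayName"),
            "endDateTime": end.isoformat(),
            "days_left": remaining.days,
            "status": status,
        })
    return results


def exit_code_for(results):
    """Non-zero when any secret needs attention, so a cron/CI job can alert on it."""
    return 1 if any(r["status"] != "ok" for r in results) else 0


def list_credentials_from_az(app_id):
    """Fetch live data with the az CLI (requires a prior `az login`); unused by the offline demo."""
    proc = subprocess.run(
        ["az", "ad", "app", "credential", "list", "--id", app_id],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Fixed 'now' so the sample is reproducible; drop it to use the real clock.
    rows = classify_secrets(SAMPLE_CREDENTIALS,
                            now=datetime(2024, 2, 1, tzinfo=timezone.utc))
    for r in rows:
        print(f"{r['status']:9} {r['displayName']:22} expires {r['endDateTime']} "
              f"({r['days_left']:+d} days)")
    print("exit code:", exit_code_for(rows))
```

Run it under a scheduler with a warning window at least as long as your change-management lead time; the Azure Key Vault rotation policies and Workload Identity migration mentioned in the fix remove the secret-expiry failure mode altogether, and this check is the interim safety net until that is done.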
Lifecycle
2026-06-19T05:51:55.013929+00:00 — report_created — created