We’re running Azure IoT Operations on AKS and experiencing authentication failures with our SSE connector trying to ingest data streams from edge devices. The connector was working fine until we rotated our Kubernetes secrets last week.
The error appears in the connector logs:
SSEConnector: Authentication failed - 401 Unauthorized
Endpoint: https://edge-gateway.contoso.com/stream
Secret reference: iot-edge-auth
The Kubernetes secret exists in the correct namespace and contains valid credentials. We’ve verified the secret is mounted properly in the pod, but the SSE connector still can’t authenticate. This is blocking all real-time data ingestion from our manufacturing floor devices. Has anyone dealt with SSE connector authentication issues after secret rotation in Azure IoT Operations?
SSE connectors in Azure IoT Ops don’t automatically reload secrets on change. You need to restart the connector pod specifically. Use kubectl rollout restart on the deployment managing your data-stream connector. Also, check your connector configuration YAML - there’s a secretRefreshInterval parameter that controls how often secrets are reloaded. The default is 3600 seconds, which might explain the delay.
I ran into this last month. The root cause was a combination of stale credentials in the connector’s memory and certificate validation failures. Here’s what worked:
First, update your SSE connector configuration to handle the new certificate and reduce the secret refresh interval:

apiVersion: connectivity.iotoperations.azure.com/v1beta1
kind: DataflowEndpoint
metadata:
  name: sse-edge-gateway
spec:
  endpointType: SSE
  sseSettings:
    host: edge-gateway.contoso.com
    authentication:
      method: ServiceAccountToken
      serviceAccountTokenSettings:
        audience: "https://edge-gateway.contoso.com"
    tls:
      mode: Enabled
      trustedCaCertificateConfigMap: edge-gateway-ca-cert
Key steps to resolve:

- Update the certificate trust: Create a ConfigMap with the new gateway certificate and reference it in your connector config. The SSE connector validates TLS by default.
- Force credential reload: The Kubernetes secret alone isn’t enough. You need to restart the connector pod AND ensure the secretRefreshInterval is set to a reasonable value (I use 300 seconds for production). Edit your connector deployment to add the refresh interval environment variable.
- Verify authentication flow: SSE connectors in Azure IoT Operations v25 support multiple auth methods. If your gateway expects OAuth2 bearer tokens instead of basic auth, you’ll need to switch to the ServiceAccountToken authentication method as shown above.
- Check RBAC permissions: After secret rotation, verify the service account used by the connector still has read permissions on the secret. Run: `kubectl auth can-i get secrets --as=system:serviceaccount:azure-iot-operations:aio-opc-connector`
- Monitor the connector logs: After applying changes, watch for the authentication handshake. You should see “SSE connection established” instead of 401 errors.
For data ingestion recovery, implement a retry mechanism in your edge devices to buffer data during authentication failures. This prevents data loss during connector restarts.
The combination of certificate validation and secret caching causes most SSE authentication issues after rotation. Address both and your data stream should resume within minutes.
Check if the secret is base64 encoded correctly. When you rotated the Kubernetes secret, did you ensure the credentials match the format expected by the SSE endpoint? Also verify the secret key names - the connector might be looking for specific keys like ‘username’ and ‘password’ but your secret might use different naming.
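The checks raised in this thread (key names and base64 encoding in the reply just above, plus the CA ConfigMap trust step from the longer answer) can be run offline against the objects pulled from the API. The script below is an added example, not code from any post here and not Azure IoT Operations code. The `username`/`password` key names follow what the thread says the connector expects; the `ca.crt` ConfigMap key, the sample manifests, and the fingerprint helpers are assumptions made for illustration, and the sample PEM body is not a real certificate.

```python
"""Offline sanity checks for a rotated Secret and CA ConfigMap feeding an SSE connector.

Added example, not Azure IoT Operations code. Assumptions: the connector reads
Secret keys "username" and "password" (per the thread) and the CA ConfigMap key
is "ca.crt"; the manifests at the bottom are constructed, not real.
"""
import base64
import binascii
import hashlib
import re
from typing import List, Optional, Tuple

REQUIRED_KEYS = ("username", "password")   # assumed key names, taken from the thread
CA_KEY = "ca.crt"                          # assumed ConfigMap key name
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def decode_b64(value: str) -> bytes:
    """Strict base64 decode: rejects stray characters and bad padding."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"invalid base64 ({exc})") from exc


def check_secret(secret: dict) -> List[str]:
    """Return findings for a v1 Secret as read from the API (values in .data are base64)."""
    findings = []
    data = secret.get("data") or {}
    if secret.get("type", "Opaque") != "Opaque":
        findings.append(f"unexpected Secret type {secret['type']!r}")
    for key in REQUIRED_KEYS:
        if key not in data:
            findings.append(f"{key}: missing (present keys: {sorted(data)})")
            continue
        try:
            raw = decode_b64(data[key])
        except ValueError as exc:
            findings.append(f"{key}: {exc}")
            continue
        if not raw:
            findings.append(f"{key}: empty after decoding")
        elif raw != raw.strip():
            # `echo secret | base64` (without -n) appends a newline, so the gateway sees a wrong password.
            findings.append(f"{key}: leading/trailing whitespace in decoded value (encoded with echo instead of echo -n?)")
    return findings


def fingerprint(raw: bytes) -> str:
    """Short digest for comparing two copies of a value without printing the credential."""
    return hashlib.sha256(raw).hexdigest()[:16]


def mount_is_stale(api_b64: str, mounted: bytes) -> bool:
    """True when the file the pod has mounted differs from what the API holds now
    (kubelet refreshes secret volumes with a delay; a pod restart is the sure fix)."""
    return fingerprint(decode_b64(api_b64)) != fingerprint(mounted)


def check_ca_configmap(configmap: dict) -> Tuple[List[str], Optional[str]]:
    """Validate the PEM in the CA ConfigMap and return its SHA-256 fingerprint in the
    colon-separated form `openssl x509 -noout -fingerprint -sha256` prints, so it can be
    compared with the issuer the gateway actually serves."""
    findings = []
    pem = (configmap.get("data") or {}).get(CA_KEY)
    if pem is None:
        findings.append(f"{CA_KEY}: missing from ConfigMap data")
        return findings, None
    match = _PEM_RE.search(pem)
    if not match:
        findings.append(f"{CA_KEY}: no PEM CERTIFICATE block found")
        return findings, None
    try:
        der = decode_b64("".join(match.group(1).split()))
    except ValueError as exc:
        findings.append(f"{CA_KEY}: PEM body {exc}")
        return findings, None
    digest = hashlib.sha256(der).hexdigest().upper()
    return findings, ":".join(digest[i:i + 2] for i in range(0, 64, 2))


# Constructed sample objects (not real credentials or certificates).
ROTATED_OK = {"type": "Opaque", "data": {"username": "ZWRnZS1pbmdlc3Q=",   # "edge-ingest"
                                         "password": "VHIwdWI0ZG9y"}}       # "Tr0ub4dor"
ROTATED_BAD = {"type": "Opaque", "data": {"user": "ZWRnZS1pbmdlc3Q=",        # wrong key name
                                          "password": "VHIwdWI0ZG9yCg=="}}   # "Tr0ub4dor\n"
CA_CM = {"data": {CA_KEY: "-----BEGIN CERTIFICATE-----\nZmFrZS1kZXI=\n-----END CERTIFICATE-----\n"}}

if __name__ == "__main__":
    for name, obj in (("rotated-ok", ROTATED_OK), ("rotated-bad", ROTATED_BAD)):
        print(name, check_secret(obj) or "OK")
    print("mounted copy stale?", mount_is_stale(ROTATED_OK["data"]["password"], b"old-password"))
    print("CA ConfigMap:", check_ca_configmap(CA_CM))
```

Feed it real objects from `kubectl get secret iot-edge-auth -o json` and the ConfigMap the endpoint references, and compare the returned fingerprint with the issuer certificate in the chain the gateway serves. A "whitespace" finding, or a CA fingerprint that does not match the renewed gateway chain, explains a 401 even when the decoded credentials look right.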
I’ve seen this exact issue. Beyond the secret refresh interval, verify that your SSE endpoint hasn’t changed its authentication mechanism. Some gateways switch from basic auth to bearer tokens during updates. Also check if the endpoint certificate changed - SSE connectors validate TLS certificates and a cert change could cause auth failures even with correct credentials. You might need to update the trustedCertificates section in your connector config.
Thanks for the suggestion. I checked the secret encoding and the keys are named correctly (username/password). The base64 values decode to the right credentials. I’m wondering if there’s a caching issue - maybe the connector cached the old credentials and isn’t picking up the rotated secret? Is there a way to force the SSE connector to reload secrets without restarting the entire IoT Operations deployment?
Good point about certificates. I checked and the gateway cert was renewed around the same time. That might be contributing to the issue alongside the secret rotation.