Azure / Commercial-Marketplace-SaaS-Accelerator

A reference example with sample code for developers interested in publishing transactable Software-as-a-Service offers in the Microsoft commercial marketplace.
MIT License

Deployment script is unable to add KeyVault secrets due to recent breaking change in Azure CLI #710

Closed ashisa closed 4 weeks ago

ashisa commented 1 month ago

Describe the bug

The deployment script shows the following error when adding a secret to the key vault:

(Forbidden) Caller is not authorized to perform action on resource. If role assignments, deny assignments or role definitions were changed recently, please observe propagation time. Caller: appid=b677c290-cf4b-4a8e-a60e-91ba650a4abe;oid=9e9e51c8-f9f2-44bd-82e8-adcbed56ce1d;iss=https://sts.windows.net/16b3c013-d300-468d-ac64-7eda0820b6d3/ Action: 'Microsoft.KeyVault/vaults/secrets/setSecret/action' Resource: '/subscriptions/37bede89-47b0-42cb-94c0-173753dcad79/resourcegroups/ashisa30058/providers/microsoft.keyvault/vaults/ashisa30058-kv/secrets/adapplicationsecret' Assignment: (not found) DenyAssignmentId: null DecisionReason: null Vault: ashisa30058-kv;location=eastus

Code: Forbidden Message: Caller is not authorized to perform action on resource. If role assignments, deny assignments or role definitions were changed recently, please observe propagation time. Caller: appid=b677c290-cf4b-4a8e-a60e-91ba650a4abe;oid=9e9e51c8-f9f2-44bd-82e8-adcbed56ce1d;iss=https://sts.windows.net/16b3c013-d300-468d-ac64-7eda0820b6d3/ Action: 'Microsoft.KeyVault/vaults/secrets/setSecret/action' Resource: '/subscriptions/37bede89-47b0-42cb-94c0-173753dcad79/resourcegroups/ashisa30058/providers/microsoft.keyvault/vaults/ashisa30058-kv/secrets/adapplicationsecret' Assignment: (not found) DenyAssignmentId: null DecisionReason: null Vault: ashisa30058-kv;location=eastus

Inner error: { "code": "ForbiddenByRbac" } (Forbidden) Caller is not authorized to perform action on resource. If role assignments, deny assignments or role definitions were changed recently, please observe propagation time. Caller: appid=xxxxxxx-cf4b-4a8e-a60e-xxxxxxxxxxxx;oid=xxxxxxxx-f9f2-44bd-82e8-xxxxxxxxxxxx;iss=https://sts.windows.net/xxxxxxxx-d300-468d-ac64-xxxxxxxxxxxx/ Action: 'Microsoft.KeyVault/vaults/secrets/setSecret/action' Resource: '/subscriptions/xxxxxxxx-47b0-42cb-94c0-xxxxxxxxxxxx/resourcegroups/rgname/providers/microsoft.keyvault/vaults/prefix-kv/secrets/defaultconnection' Assignment: (not found) DenyAssignmentId: null DecisionReason: null Vault: prefix-kv;location=eastus

Code: Forbidden Message: Caller is not authorized to perform action on resource. If role assignments, deny assignments or role definitions were changed recently, please observe propagation time. Caller: appid=xxxxxxxx-cf4b-4a8e-a60e-xxxxxxxxxxxx;oid=xxxxxxxx-f9f2-44bd-82e8-xxxxxxxxxxxx;iss=https://sts.windows.net/xxxxxxxx-d300-468d-ac64-xxxxxxxxxxxx/ Action: 'Microsoft.KeyVault/vaults/secrets/setSecret/action' Resource: '/subscriptions/xxxxxxxx-47b0-42cb-94c0-xxxxxxxxxxxx/resourcegroups/rgname/providers/microsoft.keyvault/vaults/prefix-kv/secrets/defaultconnection' Assignment: (not found) DenyAssignmentId: null DecisionReason: null Vault: prefix-kv;location=eastus

Inner error: { "code": "ForbiddenByRbac" }

To Reproduce

Steps to reproduce the behavior:

  1. Run the deployment script
  2. See error

Expected behavior

Deployment script should be able to add the secrets successfully.


Additional context

The latest Azure CLI has a breaking change where it now sets --enable-rbac-authorization to true by default, as documented here - https://learn.microsoft.com/en-us/cli/azure/release-notes-azure-cli#key-vault

This causes the traditional vault access policies to be ignored, hence the error. The solution is to add a role assignment for the user executing the script. I was able to get this to work with the following changes in the deployment script -

Add at line 343:

$userUpn = az ad signed-in-user show --query userPrincipalName -o tsv

Insert at line 359, before adding secrets:

Write-Host " ➡️ Create Role Assignments"
az role assignment create --role "Key Vault Secrets Officer" --assignee $userUpn --scope /subscriptions/$AzureSubscriptionID/resourcegroups/$ResourceGroupForDeployment --output $azCliOutput

Replace line 378 with the following:

az role assignment create --assignee $WebAppNameAdminId --scope /subscriptions/$AzureSubscriptionID/resourceGroups/$ResourceGroupForDeployment --role "Key Vault Secrets User" --output $azCliOutput

Replace line 390 with the following:

az role assignment create --assignee $WebAppNamePortalId --scope /subscriptions/$AzureSubscriptionID/resourceGroups/$ResourceGroupForDeployment --role "Key Vault Secrets User" --output $azCliOutput
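A worked variant of the workaround above, added here as an example and not part of the project's Deploy.ps1 or of the patch in this post: it reads the vault's properties.enableRbacAuthorization flag to pick the permission model the vault actually uses, scopes the role assignments to the vault resource itself rather than the whole resource group, and retries the secret write while a new assignment propagates (the situation the "please observe propagation time" text in the error refers to). It assumes the Deploy.ps1 variables named in the post ($ResourceGroupForDeployment, $azCliOutput, $WebAppNameAdminId, $WebAppNamePortalId) and that the vault is named "$WebAppNamePrefix-kv", inferred from the vault names in the error output.

```powershell
# Added example, not the project's Deploy.ps1: pick the permission model the vault actually
# uses and grant the narrowest rights that let the deployment write secrets.
# Assumed from the post: $ResourceGroupForDeployment, $azCliOutput, $WebAppNameAdminId,
# $WebAppNamePortalId. Assumption: the vault is named "$WebAppNamePrefix-kv".
$KeyVaultName = "$WebAppNamePrefix-kv"

$vaultId  = az keyvault show --name $KeyVaultName --resource-group $ResourceGroupForDeployment --query id -o tsv
$rbacMode = az keyvault show --name $KeyVaultName --resource-group $ResourceGroupForDeployment --query properties.enableRbacAuthorization -o tsv
$userUpn  = az ad signed-in-user show --query userPrincipalName -o tsv

# Retry the write while a freshly created role assignment propagates to the Key Vault data plane.
function Set-VaultSecretWithRetry {
    param([string]$Name, [string]$Value, [int]$MaxAttempts = 10)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        az keyvault secret set --vault-name $KeyVaultName --name $Name --value $Value --output $azCliOutput
        if ($LASTEXITCODE -eq 0) { return }
        Write-Host "   secret '$Name' not writable yet (attempt $attempt/$MaxAttempts); waiting for propagation"
        Start-Sleep -Seconds 15
    }
    throw "Could not write secret '$Name' to $KeyVaultName after $MaxAttempts attempts"
}

if ($rbacMode -eq "true") {
    Write-Host " ➡️ Vault uses RBAC: assigning roles scoped to the vault, not the resource group"
    # The deploying user needs to write secrets; Deploy.ps1 never needs it to touch keys or certificates.
    az role assignment create --role "Key Vault Secrets Officer" --assignee $userUpn --scope $vaultId --output $azCliOutput
    # The web apps' managed identities only ever read secrets.
    foreach ($principalId in @($WebAppNameAdminId, $WebAppNamePortalId)) {
        az role assignment create --role "Key Vault Secrets User" --assignee-object-id $principalId `
            --assignee-principal-type ServicePrincipal --scope $vaultId --output $azCliOutput
    }
}
else {
    Write-Host " ➡️ Vault uses access policies: granting the caller set/get/list on secrets"
    az keyvault set-policy --name $KeyVaultName --resource-group $ResourceGroupForDeployment --upn $userUpn --secret-permissions get list set --output $azCliOutput
    foreach ($principalId in @($WebAppNameAdminId, $WebAppNamePortalId)) {
        az keyvault set-policy --name $KeyVaultName --resource-group $ResourceGroupForDeployment --object-id $principalId --secret-permissions get list --output $azCliOutput
    }
}

# The existing secret writes in Deploy.ps1 become calls like this one (the value is a constructed placeholder):
Set-VaultSecretWithRetry -Name "ADApplicationSecret" -Value "<client-secret-from-app-registration>"
```

Scoping the assignments to $vaultId keeps the deploying user and the two web app identities out of every other vault in the resource group, which the resource-group-scoped assignments in the workaround above do not.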

Xplz3d commented 1 month ago

I'm facing the same issue ... even with updating the Deploy.ps1 with your workaround ... @ashisa, could you please provide the "working" Deploy.ps1 file? Many thanks,

ashisa commented 1 month ago

> I'm facing the same issue ... even with updating the Deploy.ps1 with your workaround ... @ashisa, could you please provide the "working" Deploy.ps1 file? Many thanks,

Here you go - https://github.com/ashisa/Commercial-Marketplace-SaaS-Accelerator/

You can also use the following to install it -

# Run from PowerShell (for example Azure Cloud Shell); each line ends with a backtick
# continuation, so paste the whole block as one command.
wget https://dotnet.microsoft.com/download/dotnet/scripts/v1/dotnet-install.sh; `
chmod +x dotnet-install.sh; `
./dotnet-install.sh -version 6.0.417; `
$ENV:PATH="$HOME/.dotnet:$ENV:PATH"; `
dotnet tool install --global dotnet-ef --version 6.0.1; `
git clone https://github.com/ashisa/Commercial-Marketplace-SaaS-Accelerator.git --depth 1; `
cd ./Commercial-Marketplace-SaaS-Accelerator/deployment; `
.\Deploy.ps1 `
 -WebAppNamePrefix "SOME-UNIQUE-STRING" `
 -ResourceGroupForDeployment "SOME-RG-NAME" `
 -PublisherAdminUsers "user1@email.com,user2@email" `
 -Location "East US"

Note the new repo name and missing release version in the git clone command.

Xplz3d commented 1 month ago

Thanks for the update @ashisa, I did it another way but I think yours is the most efficient :)

neelavarshad commented 4 weeks ago

Fixed in Release 7.6.2