Open weikanglim opened 7 months ago
@weikanglim can you check if you are the classic admin on the subscription? If yes, you can work around it by granting your account the owner role on the subscription.
@northtyphoon Thanks for the suggestion. I did verify indeed that I was a service administrator, likely that this subscription was created a while back.
And after assigning myself an "Owner" role of the subscription this is addressed.
However, this ends up impacting a lot of users with existing long-lived subscriptions. Would there be an alternative that doesn't require a workaround?
@weikanglim we plan to roll out a fix to support the classic administrators by Jan. However, classic administrators is deprecated. It will be great to recommend your customer to take the chance to migrate to standard Azure RBAC.
https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators
Important
Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.
> @weikanglim we plan to roll out a fix to support the classic administrators by Jan. However, classic administrators is deprecated. It will be great to recommend your customer to take the chance to migrate to standard Azure RBAC.
> https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators
> Important
> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.

Are there any ramifications to this migration? We can still log in with our MSAs, right?
@shanselman you are right, you still log in with MSA. For ACR, there should be no side-effect after you grant owner role. You can still keep the co-admin in case you have a concern on other services. Azure will retire it after 8/31/2024.
> @weikanglim can you check if you are the classic admin on the subscription? If yes, you can work around it by granting your account the owner role on the subscription.

This is just a terrible idea in practice
Still not fixed.....par for the course with you guys
Describe the bug
We've received a few reports of users failing to deploy Aspire projects using azd because of auth failures to ACR.
After investigating further, it seems that users logging in with personal accounts to Azure subscriptions are affected. A minimal repro is provided below to use az to reproduce the issue.
To Reproduce
Steps to reproduce the behavior:
az acr login --expose-token -n <ACR>
Expected behavior
Login succeeds, token is printed out.
Screenshots
An example response error occurring at 2023-12-05T22:19:27:
Additional context
Can provide specific JWT exchange tokens if needed.