At the moment, the path for deploying az-hop that requires the least amount of rights at the subscription level is the route via a deployer VM with system managed identity.
However, even in this case, the identity needs to be "Reader" at the subscription level, which may be a concern in some customer scenarios.
We are wondering: would it be possible to deploy az-hop in a pre-existing resource group, with permissions at the resource group level only?
We tried removing the "Reader" role and noticed that it is used:
- to read marketplace offering agreements [1]
- to read whether the target resource group already exists (even if it does already exist) [2]
- possibly more...
The first item is just the check for the lustre/alma linux agreements, which could be skipped if one does not use these.
The second item seems a bit counterintuitive, but maybe this is how Azure works (?).
In any case, it might be useful to:
- document what the Reader requirement is used for (for discussion with security/compliance officers), and/or
- reduce the Reader role to more specific ones (if possible/sensible)
[1] Error message about image agreements
ERROR: (AuthorizationFailed) The client 'xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/read' over scope '/subscriptions/xxx' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client 'xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/read' over scope '/subscriptions/e7cca478-89b5-4f94-a081-4ad6ad37b08d' or the scope is invalid. If access was recently granted, please refresh your credentials.
[2] Error message about reading (pre-existing) resource group
azurerm_resource_group.rg[0]: Creating...
╷
│ Error: checking for presence of existing resource group: resources.GroupsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/xxx/resourcegroups/yyy' or the scope is invalid. If access was recently granted, please refresh your credentials."
│
│   with azurerm_resource_group.rg[0],
│   on main.tf line 48, in resource "azurerm_resource_group" "rg":
│   48: resource "azurerm_resource_group" "rg" {
│
╵
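An added example (not part of this issue and not az-hop project code) that turns the two error messages above into a least-privilege check: it extracts the action/scope pairs the deployer identity was denied, then tests whether a candidate role assigned at subscription or resource-group scope would cover them. The subscription id, resource group name and custom role name are placeholders; the wildcard and scope-inheritance matching is a simplified model of Azure RBAC evaluation, not the service's own logic.

```python
"""Added example (not az-hop project code): derive the Azure RBAC actions a
deployment needs from AuthorizationFailed messages like the ones quoted in the
issue, and check whether a candidate role + assignment scope would cover them."""
import re

# Constructed sample lines modelled on the two errors in the issue. The
# subscription id and resource group name are placeholders, not real values.
SUB_ID = "00000000-0000-0000-0000-000000000000"
ERROR_LINES = [
    "ERROR: (AuthorizationFailed) The client 'xxx' with object id 'xxx' does not "
    "have authorization to perform action "
    "'Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/read' "
    f"over scope '/subscriptions/{SUB_ID}' or the scope is invalid.",
    "Error: checking for presence of existing resource group: StatusCode=403 -- "
    "Message=\"The client 'xxx' with object id 'xxx' does not have authorization "
    "to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over "
    f"scope '/subscriptions/{SUB_ID}/resourcegroups/rg-azhop' or the scope is invalid.\"",
]

ACTION_RE = re.compile(r"perform action '([^']+)' over scope '([^']+)'")


def extract_required(lines):
    """Return the (action, scope) pairs named in AuthorizationFailed messages."""
    return [(m.group(1), m.group(2)) for line in lines for m in ACTION_RE.finditer(line)]


def action_matches(pattern, action):
    """Azure RBAC action patterns use '*' as a wildcard (the built-in Reader role
    is '*/read'); matching is case-insensitive. Simplified: '*' matches anything."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def scope_covers(assignment_scope, requested_scope):
    """A role assignment applies at its scope and everything below it. Azure
    spells the segment 'resourcegroups' in some messages and 'resourceGroups'
    in others, so compare case-insensitively."""
    a = assignment_scope.rstrip("/").lower()
    r = requested_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def uncovered(required, role_actions, assignment_scope):
    """(action, scope) pairs that role_actions assigned at assignment_scope still deny."""
    return [
        (action, scope)
        for action, scope in required
        if not (any(action_matches(p, action) for p in role_actions)
                and scope_covers(assignment_scope, scope))
    ]


def custom_role_definition(subscription_id):
    """Hypothetical custom role carrying only the two read actions from the issue,
    in the JSON shape accepted by `az role definition create`. The name is made up."""
    return {
        "Name": "az-hop deployer reads (hypothetical)",
        "IsCustom": True,
        "Description": "Only the subscription-level reads the az-hop deployer identity needs.",
        "Actions": [
            "Microsoft.Resources/subscriptions/resourcegroups/read",
            "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/read",
        ],
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


if __name__ == "__main__":
    import json
    required = extract_required(ERROR_LINES)
    role = custom_role_definition(SUB_ID)
    sub_scope = f"/subscriptions/{SUB_ID}"
    rg_scope = f"{sub_scope}/resourceGroups/rg-azhop"
    print("Required:", required)
    print("Reader at subscription, still denied:", uncovered(required, ["*/read"], sub_scope))
    print("Custom role at subscription, still denied:", uncovered(required, role["Actions"], sub_scope))
    print("Custom role at resource group, still denied:", uncovered(required, role["Actions"], rg_scope))
    print(json.dumps(role, indent=2))
```

Running it shows the point the issue raises: both the built-in Reader role and the two-action custom role satisfy the deployment when assigned at subscription scope, but the custom role grants two read actions instead of Reader's `*/read`. Assigned at the resource group only, the resource-group existence check passes while the marketplace agreement read is still denied, because Azure evaluates that call against the subscription scope, which is why a resource-group-only assignment cannot cover it unless that check is skipped. The role dict can be written to a file and created with `az role definition create --role-definition @role.json`, then assigned with `az role assignment create --assignee-object-id <object id> --assignee-principal-type ServicePrincipal --role "<role name>" --scope /subscriptions/<subscription id>`.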
In the end it did not block us. I would still recommend documenting what the Reader role is needed for (for discussion with security/compliance officers).
In what area(s)?
/area administration
cc @matt-chan