Azure / azure-cli

Azure Command-Line Interface
MIT License

`az vmss create` has incorrect authorization for gallery images #16674

Open abuccts opened 3 years ago

abuccts commented 3 years ago

Describe the bug

Command Name az vmss create

Errors:

ValidationError: (AuthorizationFailed) The client {} with object id {} does not have authorization to perform action 'Microsoft.Compute/galleries/images/read' over scope '/subscriptions/${sub_id}/resourceGroups/${rg}/providers/Microsoft.Compute/galleries/${gallery_name}/images/${image_name}' or the scope is invalid. If access was recently granted, please refresh your credentials.

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

az vmss create \
  --name {} \
  --resource-group {} \
  --location {} \
  --computer-name-prefix {} \
  --vm-sku {} \
  --instance-count {} \
  --image /subscriptions/${sub_id}/resourceGroups/${rg}/providers/Microsoft.Compute/galleries/${gallery_name}/images/${image_name}/versions/${version_name} \
  --priority {} \
  --disable-overprovision \
  --eviction-policy {} \
  --scale-in-policy {} \
  --zones {} \
  --single-placement-group {} \
  --platform-fault-domain-count {} \
  --accelerated-networking {} \
  --vnet-name {} \
  --subnet {} \
  --nsg {} \
  --public-ip-address {} \
  --authentication-type {} \
  --admin-username {} \
  --ssh-key-values {}

Expected Behavior

Create the vmss successfully without authorization issue.

Environment Summary

Linux-4.4.0-131-generic-x86_64-with-debian-stretch-sid
Python 3.6.10
Installer: DEB

azure-cli 2.18.0

Additional Context

I have read permission on one version of a gallery image (resource id: /subscriptions/${sub_id}/resourceGroups/${rg}/providers/Microsoft.Compute/galleries/${gallery_name}/images/${image_name}/versions/${version_name}), and can create the VMSS successfully using this image id in an ARM template, but cannot create the VMSS using the same image id in the Azure CLI, which throws an authorization error.

The root cause is that the Azure CLI also checks permission on the image definition (resource id: /subscriptions/${sub_id}/resourceGroups/${rg}/providers/Microsoft.Compute/galleries/${gallery_name}/images/${image_name}) instead of the given version. https://github.com/Azure/azure-cli/blob/da4239a3b5ae9e2cc74785522bbb11f27b26eaf4/src/azure-cli/azure/cli/command_modules/vm/_validators.py#L471-L476

The image_info in the above code shouldn't be fetched when the user only has read permission on the given image version.

yungezz commented 3 years ago

Hi @qwordy, could you please have a look? Thanks.

qwordy commented 3 years ago

@abuccts Thank you for reporting this issue. namespace.os_type is used later. We retrieve it from the image definition. If I remove this piece of code and infer an os_type or require user input, it breaks the existing command.

        elif res['type'].lower() == 'galleries':
            image_info = compute_client.gallery_images.get(resource_group_name=res['resource_group'],
                                                           gallery_name=res['name'],
                                                           gallery_image_name=res['child_name_1'])
            namespace.os_type = image_info.os_type

qwordy commented 3 years ago

I opened a PR to add a try-except statement to tolerate the error.
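The exchange above comes down to Azure RBAC scope inheritance: a role assignment at a scope covers that scope and its descendants, never its parents, so Reader on `.../images/<name>/versions/<ver>` does not grant `Microsoft.Compute/galleries/images/read` on the parent `.../images/<name>` that the validator reads. The following Python model is an added example, not azure-cli code or the PR's diff: `parse_resource_id`, `FakeGalleryImages`, `AuthorizationFailed`, the `(action, scope)` assignment list and every resource id in it are constructed stand-ins, and `resolve_os_type` reproduces the validator's `galleries` branch in its 2.18.0 form and with the try/except the maintainer describes.

```python
"""Why `az vmss create` fails with AuthorizationFailed on a version-scoped Reader.

Added example, not azure-cli code. A fake gallery client stands in for
compute_client.gallery_images, the RBAC model is reduced to (action, scope)
pairs, and all IDs below are constructed placeholders.
"""
from fnmatch import fnmatchcase

# The action the validator needs: it reads the image *definition*, which is the
# parent of the version the user passed to --image.
IMAGE_READ_ACTION = "Microsoft.Compute/galleries/images/read"
VERSION_READ_ACTION = "Microsoft.Compute/galleries/images/versions/read"


class AuthorizationFailed(Exception):
    """Stand-in for ARM's AuthorizationFailed error (constructed)."""


def parse_resource_id(resource_id):
    """Tiny ARM id parser (substitute for azure.mgmt.core.tools.parse_resource_id).
    Returns the keys the validator uses: resource_group, type, name, child_name_1."""
    p = resource_id.strip("/").split("/")
    if len(p) < 8 or p[0] != "subscriptions" or p[2] != "resourceGroups" or p[4] != "providers":
        raise ValueError("not a resource-group scoped ARM id: %s" % resource_id)
    res = {"subscription": p[1], "resource_group": p[3], "namespace": p[5],
           "type": p[6], "name": p[7]}
    for n, i in enumerate(range(8, len(p) - 1, 2), start=1):
        res["child_type_%d" % n] = p[i]
        res["child_name_%d" % n] = p[i + 1]
    return res


def image_definition_scope(res):
    """The scope the validator actually touches: the definition, not the version."""
    return ("/subscriptions/{subscription}/resourceGroups/{resource_group}/providers/"
            "{namespace}/galleries/{name}/images/{child_name_1}").format(**res)


def is_authorized(assignments, action, scope):
    """Azure RBAC scope inheritance: an assignment at scope S covers S and every
    descendant of S, never S's parents. Segment-wise, case-insensitive match."""
    want = scope.lower().strip("/").split("/")
    for granted_action, granted_scope in assignments:
        have = granted_scope.lower().strip("/").split("/")
        if fnmatchcase(action.lower(), granted_action.lower()) and want[:len(have)] == have:
            return True
    return False


class FakeGalleryImages:
    """Stand-in for compute_client.gallery_images that enforces RBAC like ARM would."""
    def __init__(self, subscription, assignments, os_type="Linux"):
        self.subscription, self.assignments, self.os_type = subscription, assignments, os_type

    def get(self, resource_group_name, gallery_name, gallery_image_name):
        scope = ("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/galleries/%s/images/%s"
                 % (self.subscription, resource_group_name, gallery_name, gallery_image_name))
        if not is_authorized(self.assignments, IMAGE_READ_ACTION, scope):
            raise AuthorizationFailed("no '%s' over scope '%s'" % (IMAGE_READ_ACTION, scope))
        return {"os_type": self.os_type}


def resolve_os_type(image_id, gallery_images, tolerate_auth_error):
    """Mirrors the validator's 'galleries' branch. tolerate_auth_error=False is the
    2.18.0 behaviour (the error propagates and the create fails); True is the
    try/except fix (os_type stays None and creation proceeds)."""
    res = parse_resource_id(image_id)
    if res["type"].lower() != "galleries":
        raise ValueError("not a gallery image id")
    try:
        info = gallery_images.get(resource_group_name=res["resource_group"],
                                  gallery_name=res["name"],
                                  gallery_image_name=res["child_name_1"])
    except AuthorizationFailed:
        if not tolerate_auth_error:
            raise
        return None
    return info["os_type"]


# Constructed placeholder id, shaped like the redacted one in the report.
VERSION_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-images"
              "/providers/Microsoft.Compute/galleries/sig01/images/ubuntu-base/versions/1.0.0")


def demo(version_id=VERSION_ID):
    """Reader ('*/read') granted only at the version scope, as in the report."""
    res = parse_resource_id(version_id)
    definition = image_definition_scope(res)
    version_only = [("*/read", version_id)]
    client = FakeGalleryImages(res["subscription"], version_only)
    out = {
        "definition_scope": definition,
        "version_read": is_authorized(version_only, VERSION_READ_ACTION, version_id),
        "definition_read": is_authorized(version_only, IMAGE_READ_ACTION, definition),
        "tolerant": resolve_os_type(version_id, client, tolerate_auth_error=True),
    }
    try:
        out["strict"] = resolve_os_type(version_id, client, tolerate_auth_error=False)
    except AuthorizationFailed as e:
        out["strict"] = type(e).__name__
    # Same call with Reader at the definition scope: a parent grant covers the version too.
    at_definition = FakeGalleryImages(res["subscription"], [("*/read", definition)])
    out["definition_reader"] = resolve_os_type(version_id, at_definition, tolerate_auth_error=False)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-18s %s" % (k, v))
```

Running `demo()` shows the asymmetry the reporter hit: the version-scoped grant satisfies a read on the version but not on its parent definition, so the strict validator raises while the tolerant one returns `None` for `os_type`. The last entry shows the practical workaround on the caller's side, which is to grant Reader at the image definition (or gallery) scope, since that grant flows down to the version.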