Azure / azure-dev

A developer CLI that reduces the time it takes for you to get started on Azure. The Azure Developer CLI (azd) provides a set of developer-friendly commands that map to key stages in your workflow - code, build, deploy, monitor, repeat.
https://aka.ms/azd
MIT License

[Issue] 'azd pipeline config' is failing for new ACA flow #2195

Closed pamelafox closed 1 year ago

pamelafox commented 1 year ago

Output from azd version

azd version 0.9.0-beta.1 (commit 9e9e9d6e66afd3b417b60cc4d387cee0626a67d7)

Describe the bug

I have been porting my ACA samples over to be compatible with the new azd 0.9 ACA flow. I have gotten them successfully deployed locally with azd up, but I have not gotten the GitHub action to successfully provision. It always errors the same:

https://github.com/pamelafox/simple-fastapi-container/actions/runs/4961750479/jobs/8878939184

InvalidTemplateDeployment: The template deployment failed with error: 'Authorization failed for template resource 'c17bcade-e835-542e-86b1-ade831f120d3' of type 'Microsoft.Authorization/roleAssignments'. The client 'e2dcb37d-ac12-4053-90f6-fba159a7e96f' with object id 'e2dcb37d-ac12-4053-90f6-fba159a7e96f' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions//resourceGroups/-rg/providers/Microsoft.ContainerRegistry/registries/simplefastapiacaxadk3rhckrftkregistry/providers/Microsoft.Authorization/roleAssignments/c17bcade-e835-542e-86b1-ade831f120d3'.'.

@wbreza suggested running 'azd pipeline config --principal-name --principal-role owner', which I did, but that didn't seem to have an effect. I also tried on a completely new environment, in case there was weirdness from deploying to a previous environment, and still get the error.

To Reproduce

  1. Fork https://github.com/pamelafox/simple-fastapi-container
  2. Run azd up locally
  3. Run azd pipeline config

Expected behavior

I expect pipeline to succeed.

Environment

GitHub actions

rajeshkamal5050 commented 1 year ago

@vhvb1989 can you triage this?

rajeshkamal5050 commented 1 year ago

@pamelafox did you look at these existing azd issues? Seems similar to that? Also, found this - https://stackoverflow.com/questions/54748303/role-assignment-authorization-failed-for-new-resource-group-created-from-arm-tem

@vhvb1989 this is related to the role checks PR @hemarina is working on? so users would know what roles are missing?

vhvb1989 commented 1 year ago

@pamelafox we switched from using secrets to using variables in pipelines. So, after @wbreza's suggestion to provide the owner role to the SP, you need to update your pipeline to use variables for everything but the secret. Otherwise you are still using the previous SP. (You would be creating a new SP on every azd pipeline config, unless you set the name with --principal-name.)

pamelafox commented 1 year ago

Ohhhh, I didn't realize azure-dev.yaml got an update. I will copy it over and give it another go.

pamelafox commented 1 year ago

A SUCCESSFUL DEPLOY! https://github.com/pamelafox/simple-fastapi-container/actions/runs/4962833910/jobs/8881369706 Will do on my other 5 billion ACA repos.

Will new developers need to do the --principal-role step?

wbreza commented 1 year ago

Will new developers need to do the --principal-role step?

If the template performs any RBAC role assignments, then yes - users would be required to create the service principal with either the owner or user access administrator role.

https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
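
Added example, not part of the thread or the azd project: a check to run before `azd pipeline config` that scans a compiled ARM template (JSON, for instance the output of `az bicep build`) for `Microsoft.Authorization/roleAssignments` resources and reports whether the pipeline's service principal holds one of the two roles named above. The function names and the sample template are constructed for illustration.

```python
import json

# Built-in roles the thread names as sufficient for writing role assignments.
ROLES_WITH_ASSIGNMENT_WRITE = {"owner", "user access administrator"}
ROLE_ASSIGNMENT_TYPE = "microsoft.authorization/roleassignments"


def _iter_resources(resources):
    """Yield every resource, descending into child resources and nested deployments."""
    # 'resources' is a list in classic templates and a dict with languageVersion 2.0.
    items = resources.values() if isinstance(resources, dict) else resources or []
    for res in items:
        yield res
        yield from _iter_resources(res.get("resources"))
        nested = res.get("properties", {}).get("template", {})
        if isinstance(nested, dict):
            yield from _iter_resources(nested.get("resources"))


def role_assignments(template):
    """Return the names of all roleAssignments resources in a compiled ARM template."""
    return [
        res.get("name", "<unnamed>")
        for res in _iter_resources(template.get("resources"))
        if res.get("type", "").lower() == ROLE_ASSIGNMENT_TYPE
    ]


def principal_can_deploy(template, principal_roles):
    """True if the template assigns no roles, or a held role allows the write."""
    if not role_assignments(template):
        return True
    return any(r.lower() in ROLES_WITH_ASSIGNMENT_WRITE for r in principal_roles)


# Constructed sample: a nested module deployment that grants a role on a registry.
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.ContainerRegistry/registries", "name": "registry"},
  {"type": "Microsoft.Resources/deployments", "name": "registry-access",
   "properties": {"template": {"resources": [
     {"type": "Microsoft.Authorization/roleAssignments", "name": "acr-pull"}
   ]}}}
]}
""")

if __name__ == "__main__":
    print(role_assignments(SAMPLE))
    print(principal_can_deploy(SAMPLE, ["Contributor"]))
```

Where the check reports that a role assignment is present, User Access Administrator covers `Microsoft.Authorization/roleAssignments/write` without granting the full resource management rights that Owner carries.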

pamelafox commented 1 year ago

Okay, hopefully that's in pending documentation, I realize I'm a bit of an eager beaver here. :)

pamelafox commented 1 year ago

Ah right, just remembered there's a pending PR that's going to let people know.