Azure / azure-dev

A developer CLI that reduces the time it takes for you to get started on Azure. The Azure Developer CLI (azd) provides a set of developer-friendly commands that map to key stages in your workflow - code, build, deploy, monitor, repeat.
https://aka.ms/azd
MIT License

Error: failed to create or update service principal #827

Open marnixcox opened 1 year ago

marnixcox commented 1 year ago

Output from azd version

azd version 0.3.0-beta.1 (commit c5344160ed49bfda75281fba28b5e9ac7b96670e)

Output from az version

{
  "azure-cli": "2.40.0",
  "azure-cli-core": "2.40.0",
  "azure-cli-telemetry": "1.0.8",
  "extensions": {
    "application-insights": "0.1.7",
    "arcdata": "1.4.5",
    "init": "0.1.0",
    "managementpartner": "0.1.3"
  }
}

Describe the bug

Can you please advise if there is a way to do the "azd pipeline config --provider azdo" step without automatically creating the service principal, as most tenants and DevOps organisations don't want individual developers to have this level of access and have already set up a service connection ready to use.

Error: failed to create or update service principal: failed running az ad sp create-for-rbac: exit code: 1, stdout: , stderr: ERROR: Directory permission is needed for the current user to register the application. For how to configure, please refer 'https://docs.microsoft.com/azure/azure-resource-manager/resource-group-create-service-principal-portal'. Original error: Insufficient privileges to complete the operation

To Reproduce

Set minimal user rights on Active Directory and run azd pipeline config --provider azdo

Expected behavior

Get the opportunity to set/select an existing service connection.

Environment

rajeshkamal5050 commented 1 year ago

@vhvb1989 can you see if the existing service-principal/connection can be used for AzDo?

vhvb1989 commented 1 year ago

We need to add the support to use an existing service-principal.

Right now, no matter what provider is selected (github or Azure DevOps), azd creates a new service principal every time that azd pipeline is executed.

The only customization that azd supports is using the name of an existing service-principal. When this is set, like azd pipeline --principal-name some-service-principal-name, azd would rotate the secret-credentials from that service-principal and use them to establish the connection.

For the requested scenario, the customer would need to set:

for an existing service-principal. (there's no way to fetch a service-principal's client secret without rotating the secret).

I need to define with PM what the experience/flow for doing this would be.

@savannahostrowski @puicchan @jongio FYI, can you start thinking about what you would like here, or whether we don't want to support this (for any reason)?

savannahostrowski commented 1 year ago

This seems like something we do want to support. I think that this likely falls into the larger effort of supporting developers using azd with non-azd created/existing infrastructure. We probably want to group this and other similar items under that epic/bucket (BYO-infrastructure).

puicchan commented 1 year ago

In enterprise scenarios, developers typically do not have direct access or rights to create service principals. clientId, tenantId etc. are JSON output that is captured after running az ad sp. The secret should be captured and configured in GitHub Workflow or AzDo, so it should not be something we store on the azd side (dev won't have access). @jongio @wbreza for input.
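The two comments above (the secret should be rotated only on the principal and must live in the pipeline's secret store, never on the azd side) describe a split that is easy to get wrong when the raw `az ad sp create-for-rbac` JSON is captured wholesale. The following is an added example, not code from the azd project or from anyone in this thread: it takes that JSON (field names appId, displayName, password, tenant follow the az CLI output; every value below is constructed), keeps only the identity fields for an environment file or log line, and routes the secret to a separate mapping with a leak check on anything about to be written. The variable names AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET are assumed naming, not something the thread specifies.

```python
"""Added example, not from the azd project or this issue thread.

Splits `az ad sp create-for-rbac` output so that only non-secret identity
fields reach an environment file or a log line, while the client secret is
kept apart for the pipeline's secret store. All sample values are constructed.
"""
import json

# Constructed sample of `az ad sp create-for-rbac` output; not a real principal.
SAMPLE_SP_JSON = """{
  "appId": "11111111-2222-3333-4444-555555555555",
  "displayName": "azd-sample-sp",
  "password": "EXAMPLE-not-a-real-secret-ABC123",
  "tenant": "99999999-8888-7777-6666-555555555555"
}"""


def split_sp_output(raw: str) -> tuple[dict[str, str], dict[str, str]]:
    """Return (public_vars, secret_vars).

    public_vars may be written to an azd environment file or echoed in CI logs.
    secret_vars must only be pushed to a GitHub Actions secret or an Azure
    DevOps secret variable. Variable names are assumed for this example.
    """
    data = json.loads(raw)
    public_vars = {
        "AZURE_CLIENT_ID": data["appId"],
        "AZURE_TENANT_ID": data["tenant"],
    }
    secret_vars = {"AZURE_CLIENT_SECRET": data["password"]}
    return public_vars, secret_vars


def leaks_secret(text: str, secret_vars: dict[str, str]) -> bool:
    """True if any secret value appears verbatim in text. Run this on anything
    about to be logged, committed or written to a non-secret config file."""
    return any(value in text for value in secret_vars.values())


def render_env_file(public_vars: dict[str, str], secret_vars: dict[str, str]) -> str:
    """Render KEY="value" lines for the environment file and refuse to emit
    the file if secret material has slipped into it."""
    body = "\n".join(f'{key}="{value}"' for key, value in public_vars.items()) + "\n"
    if leaks_secret(body, secret_vars):
        raise ValueError("refusing to write secret material to the environment file")
    return body


def redact(text: str, secret_vars: dict[str, str]) -> str:
    """Replace every known secret value in text with a fixed marker, so a log
    line built from the raw az output cannot leak the credential."""
    for value in secret_vars.values():
        text = text.replace(value, "[REDACTED]")
    return text


if __name__ == "__main__":
    public_vars, secret_vars = split_sp_output(SAMPLE_SP_JSON)
    print(render_env_file(public_vars, secret_vars))
    print(redact(f"created principal: {SAMPLE_SP_JSON}", secret_vars))
```

The check in `render_env_file` is deliberately a substring match on the secret value rather than a field-name match: a value copied into a variable with the wrong name (the usual way a credential ends up in a committed `.env`) is still caught.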