Closed flecoqui closed 7 months ago
@flecoqui, thanks for submitting this detailed issue. Can you please try your scenario using the latest 0.4.0b2 without the ad-hoc patching?
@digimaun, thanks a lot for your responsiveness. I ran two tests:
Both deployments were successful.
Thank you for confirming. We'll close this issue, let us know if you run into further problems.
Describe the bug
I wanted to test the deployment of Azure IoT Operations using a service principal with all the permissions required to deploy Azure IoT Operations with the command "az iot ops init". I created a service principal/application with permission to use the Graph API "Application.ReadWrite.All". When the deployment script called "az iot ops init", it failed, returning the error below:
ERROR: cli.azure.cli.core.azclierror: Not Found({"error":{"code":"Request_ResourceNotFound","message":"Resource '2de8b284-5ac5-4367-9723-a6728afab99c' does not exist or one of its queried reference-property objects are not present.","innerError":{"date":"2024-03-12T11:50:58","request-id":"99445284-9e99-43d1-99d6-301acfa26910","client-request-id":"99445284-9e99-43d1-99d6-301acfa26910"}}})
To Reproduce
Steps to reproduce the behavior:
I created the service principal using the following commands:
Using this service principal with all the required permissions, I tried to deploy "Azure IoT Operations" on an Azure Arc-enabled K3s cluster running in a virtual machine with the following commands:
Expected behavior
Normally, the command "az iot ops init" should have deployed Azure IoT Operations smoothly on the K3s cluster.
Investigation results
The issue seems to be in the file .\azext_edge\edge\util\sp.py, in the function fetch_self_if_app.
When I used a service principal without permission to use the Graph API "Application.ReadWrite.All", this function returns None, as the call to https://graph.microsoft.com/v1.0/applications/{app_id} returns 403 (no access to this endpoint). The command line az iot ops init then falls back to the input parameters --sp-app-id, --sp-object-id and --sp-secret for authentication with Azure. In our case, as the Azure CLI has access to the application, it returns 404, as this API should be called with the application object ID as parameter, not the app ID (https://graph.microsoft.com/v1.0/applications/{app_object_id}). Nevertheless, the value of obj_id in the code is the object ID of the service principal, so calling https://graph.microsoft.com/v1.0/applications/{obj_id} will also return 404.
So far, I'm using this workaround, which consists of patching the file .\azext_edge\edge\util\sp.py when the service principal has access to the Graph API "Application.ReadWrite.All". Below is the patch:
Calling https://graph.microsoft.com/v1.0/applications(appId='{app_id}') returns 200, and the Azure CLI uses the service principal credentials for authentication with Azure.
But if the service principal has no permission to use the Graph API "Application.ReadWrite.All", https://graph.microsoft.com/v1.0/applications(appId='{app_id}') will also return 200, whereas the call to https://graph.microsoft.com/v1.0/applications/{app_id} will return 403. So, when the service principal has no access to the Graph API "Application.ReadWrite.All", the patch is removed and we use the input parameters --sp-app-id, --sp-object-id and --sp-secret.
Environment (please complete the following information):
Output of az --version:

```text
azure-cli                         2.58.0

core                              2.58.0
telemetry                          1.1.0

Extensions:
azure-iot-ops                     0.4.0b1
connectedk8s                       1.6.6
customlocation                     0.1.3
k8s-configuration                  1.7.0
k8s-extension                      1.6.1

Dependencies:
msal                              1.26.0
azure-mgmt-resource             23.1.0b2

Python location '/opt/az/bin/python3'
Extensions directory '/home/azureuser/.azure/cliextensions'

Python (Linux) 3.11.7 (main, Feb 29 2024, 02:08:19) [GCC 11.4.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.
```
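The lookup logic the investigation describes (app ID versus application object ID on the Graph `/applications` route, 403 meaning "fall back to the caller-supplied --sp-* values", 404 meaning "wrong key"), as an added example that is not the azext_edge extension's own code. `FakeGraph`, `GraphError`, `resolve_app_object_id` and the sample IDs are constructed for this example; the fake's choice to answer 403 on every route for an unprivileged principal is an assumption for the demo, not a record of the live Graph service's behaviour.

```python
"""Added example (not the azure-iot-ops extension's own code): resolve an
application by its client (app) ID via Microsoft Graph, using the
alternate-key form applications(appId='...') instead of /applications/{id},
and fall back to caller-supplied IDs when the principal cannot read Graph.

FakeGraph, GraphError, resolve_app_object_id and all IDs are constructed here.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"


class GraphError(Exception):
    """Raised for any Graph status other than 200 or 403."""

    def __init__(self, status: int, body: dict):
        super().__init__(f"HTTP {status}: {json.dumps(body)}")
        self.status = status


@dataclass
class Response:
    """Minimal stand-in for requests.Response (constructed for the example)."""
    status_code: int
    body: dict

    def json(self) -> dict:
        return self.body


class FakeGraph:
    """Constructed stand-in for a requests.Session talking to Graph.

    Assumption (not verified against the live service): a principal without
    application read permission receives 403 on every /applications route.
    A privileged principal gets 200 for /applications/{objectId} and for
    applications(appId='{appId}'), and 404 for /applications/{appId}.
    """

    def __init__(self, apps: list, privileged: bool):
        self._by_obj = {a["id"]: a for a in apps}
        self._by_app = {a["appId"]: a for a in apps}
        self._privileged = privileged

    def get(self, url: str) -> Response:
        if not self._privileged:
            return Response(403, {"error": {"code": "Authorization_RequestDenied"}})
        base = re.escape(GRAPH)
        m = re.fullmatch(rf"{base}/applications\(appId='([^']+)'\)", url)
        if m:
            app = self._by_app.get(m.group(1))          # keyed by client ID
        else:
            m = re.fullmatch(rf"{base}/applications/([^/]+)", url)
            app = self._by_obj.get(m.group(1)) if m else None  # keyed by object ID
        if app is None:
            return Response(404, {"error": {"code": "Request_ResourceNotFound"}})
        return Response(200, app)


def fetch_self_if_app(session, app_id: str) -> Optional[dict]:
    """Return the application object that owns `app_id`, or None.

    /applications/{id} expects the application *object* ID, so an app (client)
    ID on that route yields 404; the alternate-key form takes the app ID.
    403 -> None, so the caller falls back to --sp-app-id/--sp-object-id/--sp-secret.
    Any other non-200 status is raised: a genuinely missing app is not recoverable.
    """
    resp = session.get(f"{GRAPH}/applications(appId='{app_id}')")
    if resp.status_code == 403:
        return None
    if resp.status_code != 200:
        raise GraphError(resp.status_code, resp.json())
    return resp.json()


def resolve_app_object_id(session, app_id: str, fallback_object_id: str) -> str:
    """Prefer the Graph-resolved application object ID; otherwise use the
    object ID the caller passed on the command line (constructed helper)."""
    app = fetch_self_if_app(session, app_id)
    return app["id"] if app else fallback_object_id


# Constructed sample directory: one application whose object ID and app ID differ.
SAMPLE_APPS = [{"id": "11111111-aaaa-4aaa-8aaa-111111111111",
                "appId": "22222222-bbbb-4bbb-8bbb-222222222222",
                "displayName": "aio-deployer"}]
APP_ID = SAMPLE_APPS[0]["appId"]
OBJ_ID = SAMPLE_APPS[0]["id"]

if __name__ == "__main__":
    print("privileged :", resolve_app_object_id(FakeGraph(SAMPLE_APPS, True), APP_ID, "cli-supplied"))
    print("unprivileged:", resolve_app_object_id(FakeGraph(SAMPLE_APPS, False), APP_ID, "cli-supplied"))
    print("/applications/{appId} ->", FakeGraph(SAMPLE_APPS, True).get(f"{GRAPH}/applications/{APP_ID}").status_code)
```

The point to check in your own environment is the status code each form returns for your principal: a 404 on `/applications/{app_id}` with a principal that can read applications means the key is wrong, not the permission, and only a 403 should trigger the fallback to the --sp-* parameters.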