Azure / azure-powershell

Microsoft Azure PowerShell

Invoke-AzAksRunCommand with help throw a Permission denied error. #17454

Closed vitalii-lebedev closed 2 years ago

vitalii-lebedev commented 2 years ago

Description

I'm using PowerShell on Linux in the Ubuntu subsystem. I have a helm chart in the folder. This folder is attached with the CommandContextAttachment parameter.

Invoke-AzAksRunCommand -ResourceGroupName $DestinationResourceGroupName -Name $ClusterName -Command "helm install new-tenant new-tenant" -Force -CommandContextAttachment "yamls"

The response:

Id                : dad300222d03414881c779f934c904fd
ProvisioningState : Succeeded
ExitCode          : 1
StartedAt         : 03/12/2022 10:35:37
FinishedAt        : 03/12/2022 10:35:37
Logs              : Error: open /command-files/new-tenant/.helmignore: permission denied

Reason            :

Execution of Invoke-AzAksRunCommand -ResourceGroupName $DestinationResourceGroupName -Name $ClusterName -Command "ls new-tenant -la" -Force -CommandContextAttachment "yamls"

Shows

Id                : 19004189917e4a489eef28803e6e8392
ProvisioningState : Succeeded
ExitCode          : 0
StartedAt         : 03/12/2022 10:37:32
FinishedAt        : 03/12/2022 10:37:32
Logs              : total 24
                    drwxr-xr-x 3 nonroot aks 4096 Mar 12 10:37 .
                    drwxr-xr-x 3 nonroot aks 4096 Mar 12 10:37 ..
                    ---------- 1 nonroot aks  349 Mar 12  2022 .helmignore
                    ---------- 1 nonroot aks 1146 Mar 12  2022 Chart.yaml
                    drwxr-xr-x 2 nonroot aks 4096 Mar 12 10:37 templates
                    ---------- 1 nonroot aks 1877 Mar 12  2022 values.yaml

Reason            :

Command: Invoke-AzAksRunCommand -ResourceGroupName $DestinationResourceGroupName -Name $ClusterName -Command "whoami" -Force -CommandContextAttachment "yamls"

Returns:

Id                : e2c50e6ad1994fc7a010f529762fa48a
ProvisioningState : Succeeded
ExitCode          : 0
StartedAt         : 03/12/2022 10:39:15
FinishedAt        : 03/12/2022 10:39:15
Logs              : nonroot

Reason            :

Issue script & Debug output

PS /home/vlebedev/repos/trg-docs> Invoke-AzAksRunCommand -ResourceGroupName $DestinationResourceGroupName -Name $ClusterName -Command "helm install new-tenant new-tenant" -Force -CommandContextAttachment "yamls"
DEBUG: 11:43:45 - RunAzureRmAksCommand begin processing with ParameterSet 'GroupNameParameterSet'.
DEBUG: 11:43:45 - using account id 'vl@sitewish.ru'...
DEBUG: [Common.Authentication]: Authenticating using Account: 'vl@sitewish.ru', environment: 'AzureCloud', tenant: 'db3eca71-68bb-43e0-8ed6-3a53f6dbc0ed'
DEBUG: 11:43:45 - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'db3eca71-68bb-43e0-8ed6-3a53f6dbc0ed', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'vl@sitewish.ru'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:45 - ] Azure region was not configured or could not be discovered. Not using a regional authority.
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:45] Found 1 cache accounts and 0 broker accounts
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:45] Returning 1 accounts
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:45 - ] MSAL MSAL.NetCore with assembly version '4.30.1.0'. CorrelationId(6cd4c55e-c949-4a95-a927-cb29197e580a)
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:45 - ] === AcquireTokenSilent Parameters ===
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:45 - ] LoginHint provided: False
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:45 - ] Account provided: True
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:45 - ] ForceRefresh: False
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:45 - ]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 6cd4c55e-c949-4a95-a927-cb29197e580a

DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:45 - ] === Token Acquisition (SilentRequest) started:

        Authority Host: login.microsoftonline.com
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:45 - ] Azure region was not configured or could not be discovered. Not using a regional authority.
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:45 - ] Access token is not expired. Returning the found cache entry. [Current time (03/12/2022 10:43:45) - Expiration Time (03/12/2022 11:04:21 +00:00) - Extended Expiration Time (03/12/2022 11:04:21 +00:00)]
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:45 - ] Returning access token found in cache. RefreshOn exists ? False
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:45 - ] Fetched access token from host login.microsoftonline.com.
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:45 - ] === Token Acquisition finished successfully. An access token was returned with Expiration Time: 03/12/2022 11:04:21 +00:00 and Scopes https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2022-03-12T11:04:21.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: 'db3eca71-68bb-43e0-8ed6-3a53f6dbc0ed', UserId: 'vl@sitewish.ru'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/fd0d8686-c438-4b8f-9427-5bf2682fecf8/resourceGroups/rg-main-cluster/providers/Microsoft.ContainerService/managedClusters/trg-main-cluster?api-version=2021-05-01

Headers:
x-ms-client-request-id        : a03e2319-d882-47c9-86ad-b093af337957
Accept-Language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-routing-request-id       : NORWAYEAST:20220312T104346Z:4f764d11-7442-4fed-94e5-4ce3ec8d8dc2
x-ms-ratelimit-remaining-subscription-reads: 11982
x-ms-correlation-request-id   : 4f764d11-7442-4fed-94e5-4ce3ec8d8dc2
x-ms-request-id               : 11d6d71d-942b-4c5d-b8bc-38733be4066a
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Server                        : nginx
Date                          : Sat, 12 Mar 2022 10:43:45 GMT

Body:
{
  "id": "/subscriptions/fd0d8686-c438-4b8f-9427-5bf2682fecf8/resourcegroups/rg-main-cluster/providers/Microsoft.ContainerService/managedClusters/trg-main-cluster",
  "location": "eastus",
  "name": "trg-main-cluster",
  "tags": {
    "Application identifier": "contracts",
    "Business unit": "trg"
  },
  "type": "Microsoft.ContainerService/ManagedClusters",
  "properties": {
    "provisioningState": "Succeeded",
    "powerState": {
      "code": "Running"
    },
    "kubernetesVersion": "1.21.9",
    "dnsPrefix": "5mtk3oknhr5rg",
    "fqdn": "5mtk3oknhr5rg-58fbceab.hcp.eastus.azmk8s.io",
    "azurePortalFQDN": "5mtk3oknhr5rg-58fbceab.portal.hcp.eastus.azmk8s.io",
    "agentPoolProfiles": [
      {
        "name": "npsystem",
        "count": 2,
        "vmSize": "Standard_DS2_v2",
        "osDiskSizeGB": 80,
        "osDiskType": "Ephemeral",
        "kubeletDiskType": "OS",
        "vnetSubnetID": "/subscriptions/fd0d8686-c438-4b8f-9427-5bf2682fecf8/resourceGroups/rg-network-spokes/providers/Microsoft.Network/virtualNetworks/vnet-spoke-trg-main-cluster-00/subnets/snet-clusternodes",
        "maxPods": 30,
        "type": "VirtualMachineScaleSets",
        "availabilityZones": [
          "1",
          "2",
          "3"
        ],
        "maxCount": 2,
        "minCount": 1,
        "enableAutoScaling": true,
        "provisioningState": "Succeeded",
        "powerState": {
          "code": "Running"
        },
        "orchestratorVersion": "1.21.9",
        "enableNodePublicIP": false,
        "nodeTaints": [
          "CriticalAddonsOnly=true:NoSchedule"
        ],
        "mode": "System",
        "osType": "Linux",
        "osSKU": "Ubuntu",
        "nodeImageVersion": "AKSUbuntu-1804gen2containerd-2022.03.02",
        "upgradeSettings": {
          "maxSurge": "33%"
        },
        "enableFIPS": false
      },
      {
        "name": "vl",
        "count": 1,
        "vmSize": "Standard_DS2_v2",
        "osDiskSizeGB": 120,
        "osDiskType": "Managed",
        "vnetSubnetID": "/subscriptions/fd0d8686-c438-4b8f-9427-5bf2682fecf8/resourceGroups/rg-network-spokes/providers/Microsoft.Network/virtualNetworks/vnet-spoke-trg-main-cluster-00/subnets/snet-clusternodes",
        "maxPods": 30,
        "type": "VirtualMachineScaleSets",
        "availabilityZones": [
          "1",
          "2",
          "3"
        ],
        "maxCount": 2,
        "minCount": 1,
        "enableAutoScaling": true,
        "provisioningState": "Succeeded",
        "powerState": {
          "code": "Running"
        },
        "orchestratorVersion": "1.21.9",
        "enableNodePublicIP": false,
        "nodeLabels": {
          "tenant": "vl"
        },
        "mode": "System",
        "osType": "Linux",
        "osSKU": "Ubuntu",
        "nodeImageVersion": "AKSUbuntu-1804gen2containerd-2022.03.02",
        "enableFIPS": false
      }
    ],
    "windowsProfile": {
      "adminUsername": "azureuser",
      "enableCSIProxy": true
    },
    "servicePrincipalProfile": {
      "clientId": "msi"
    },
    "addonProfiles": {
      "aciConnectorLinux": {
        "enabled": false,
        "config": null
      },
      "azureKeyvaultSecretsProvider": {
        "enabled": true,
        "config": {
          "enableSecretRotation": "true",
          "rotationPollInterval": "30s"
        },
        "identity": {
          "resourceId": "/subscriptions/fd0d8686-c438-4b8f-9427-5bf2682fecf8/resourcegroups/trg-main-cluster-nodepools/providers/Microsoft.ManagedIdentity/userAssignedIdentities/azurekeyvaultsecretsprovider-trg-main-cluster",
          "clientId": "8b8e8201-9e24-4ceb-98e4-0aaf600db9c6",
          "objectId": "360eeba6-d71a-4d8d-9f4c-2d527d27490c"
        }
      },
      "azurepolicy": {
        "enabled": true,
        "config": null,
        "identity": {
          "resourceId": "/subscriptions/fd0d8686-c438-4b8f-9427-5bf2682fecf8/resourcegroups/trg-main-cluster-nodepools/providers/Microsoft.ManagedIdentity/userAssignedIdentities/azurepolicy-trg-main-cluster",
          "clientId": "58c9438f-257b-4400-bd63-b4a853c59cba",
          "objectId": "0679619a-0f0e-4ee4-8d4e-c5e16d70d460"
        }
      },
      "httpApplicationRouting": {
        "enabled": false,
        "config": null
      }
    },
    "nodeResourceGroup": "trg-main-cluster-nodepools",
    "enableRBAC": true,
    "enablePodSecurityPolicy": false,
    "networkProfile": {
      "networkPlugin": "azure",
      "networkPolicy": "azure",
      "loadBalancerSku": "Standard",
      "serviceCidr": "172.16.0.0/16",
      "dnsServiceIP": "172.16.0.10",
      "dockerBridgeCidr": "172.18.0.1/16",
      "outboundType": "userDefinedRouting"
    },
    "aadProfile": {
      "managed": true,
      "adminGroupObjectIDs": [
        "50a513ed-78f2-427b-9f2c-a4aeb1e6fbfb"
      ],
      "enableAzureRBAC": true,
      "tenantID": "db3eca71-68bb-43e0-8ed6-3a53f6dbc0ed"
    },
    "maxAgentPools": 100,
    "apiServerAccessProfile": {
      "enablePrivateCluster": false
    },
    "identityProfile": {
      "kubeletidentity": {
        "resourceId": "/subscriptions/fd0d8686-c438-4b8f-9427-5bf2682fecf8/resourcegroups/trg-main-cluster-nodepools/providers/Microsoft.ManagedIdentity/userAssignedIdentities/trg-main-cluster-agentpool",
        "clientId": "16c1df5a-e515-47d9-8b50-ca0f425047e2",
        "objectId": "c7c2b9cd-44ed-4368-a3aa-93e3bb6052d4"
      }
    },
    "autoScalerProfile": {
      "balance-similar-node-groups": "false",
      "expander": "random",
      "max-empty-bulk-delete": "10",
      "max-graceful-termination-sec": "600",
      "max-node-provision-time": "15m",
      "max-total-unready-percentage": "45",
      "new-pod-scale-up-delay": "0s",
      "ok-total-unready-count": "3",
      "scale-down-delay-after-add": "10m",
      "scale-down-delay-after-delete": "20s",
      "scale-down-delay-after-failure": "3m",
      "scale-down-unneeded-time": "10m",
      "scale-down-unready-time": "20m",
      "scale-down-utilization-threshold": "0.5",
      "scan-interval": "10s",
      "skip-nodes-with-local-storage": "true",
      "skip-nodes-with-system-pods": "true"
    },
    "podIdentityProfile": {
      "enabled": true
    },
    "disableLocalAccounts": true
  },
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/fd0d8686-c438-4b8f-9427-5bf2682fecf8/resourceGroups/rg-main-cluster/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-trg-main-cluster-controlplane": {
        "clientId": "86347c18-a493-4dab-a180-24f4048be343",
        "principalId": "9c491543-28f5-48a2-ab73-b64f3b4dd1be"
      }
    }
  },
  "sku": {
    "name": "Basic",
    "tier": "Paid"
  }
}

DEBUG: Will zip all the files under /home/vlebedev/repos/trg-docs/yamls.
DEBUG: 11:43:46 - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'db3eca71-68bb-43e0-8ed6-3a53f6dbc0ed', Scopes:'6dae42f8-4368-4678-94ff-3960e28e3630/.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'vl@sitewish.ru'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ 6dae42f8-4368-4678-94ff-3960e28e3630/.default ] ParentRequestId:
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:46 - ] Azure region was not configured or could not be discovered. Not using a regional authority.
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:46] Found 1 cache accounts and 0 broker accounts
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:46] Returning 1 accounts
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:46 - ] MSAL MSAL.NetCore with assembly version '4.30.1.0'. CorrelationId(e0b143a7-ba94-4f6c-bfab-0f2a358ffafe)
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:46 - ] === AcquireTokenSilent Parameters ===
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:46 - ] LoginHint provided: False
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:46 - ] Account provided: True
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:46 - ] ForceRefresh: False
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:46 - ]
=== Request Data ===
Authority Provided? - True
Scopes - 6dae42f8-4368-4678-94ff-3960e28e3630/.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - e0b143a7-ba94-4f6c-bfab-0f2a358ffafe

DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:46 - ] === Token Acquisition (SilentRequest) started:

        Authority Host: login.microsoftonline.com
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:46 - ] Azure region was not configured or could not be discovered. Not using a regional authority.
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:46 - ] Access token is not expired. Returning the found cache entry. [Current time (03/12/2022 10:43:46) - Expiration Time (03/12/2022 11:12:15 +00:00) - Extended Expiration Time (03/12/2022 11:12:15 +00:00)]
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:46 - ] Returning access token found in cache. RefreshOn exists ? False
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:46 - ] Fetched access token from host login.microsoftonline.com.
DEBUG: (False) MSAL 4.30.1.0 MSAL.NetCore Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 [03/12/2022 10:43:46 - ] === Token Acquisition finished successfully. An access token was returned with Expiration Time: 03/12/2022 11:12:15 +00:00 and Scopes 6dae42f8-4368-4678-94ff-3960e28e3630/user_impersonation 6dae42f8-4368-4678-94ff-3960e28e3630/.default
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ 6dae42f8-4368-4678-94ff-3960e28e3630/.default ] ParentRequestId:  ExpiresOn: 2022-03-12T11:12:15.0000000+00:00
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
POST

Absolute Uri:
https://management.azure.com/subscriptions/fd0d8686-c438-4b8f-9427-5bf2682fecf8/resourceGroups/rg-main-cluster/providers/Microsoft.ContainerService/managedClusters/trg-main-cluster/runCommand?api-version=2021-05-01

Headers:
x-ms-client-request-id        : a03e2319-d882-47c9-86ad-b093af337957
Accept-Language               : en-US

Body:
{
  "command": "helm install new-tenant new-tenant",
  "context": "[base64-encoded zip of the attached folder removed]",
  "clusterToken": "[token removed]"
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Accepted

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
Location                      : https://management.azure.com/subscriptions/fd0d8686-c438-4b8f-9427-5bf2682fecf8/resourceGroups/rg-main-cluster/providers/Microsoft.ContainerService/managedclusters/trg-main-cluster/commandResults/e538157ba57e426a8cb4e957de5a7b13?api-version=2021-05-01
x-ms-ratelimit-remaining-subscription-writes: 1194
x-ms-correlation-request-id   : 6e27023b-3c25-4285-9f90-28df7074179b
x-ms-request-id               : e538157b-a57e-426a-8cb4-e957de5a7b13
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Server                        : nginx
x-ms-routing-request-id       : NORWAYEAST:20220312T104352Z:6e27023b-3c25-4285-9f90-28df7074179b
X-Content-Type-Options        : nosniff
Date                          : Sat, 12 Mar 2022 10:43:51 GMT

Body:

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/fd0d8686-c438-4b8f-9427-5bf2682fecf8/resourceGroups/rg-main-cluster/providers/Microsoft.ContainerService/managedclusters/trg-main-cluster/commandResults/e538157ba57e426a8cb4e957de5a7b13?api-version=2021-05-01

Headers:
x-ms-client-request-id        : a03e2319-d882-47c9-86ad-b093af337957

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-ratelimit-remaining-subscription-reads: 11981
x-ms-correlation-request-id   : 2c0490fd-224d-4e54-8bf4-f66d0ca279e0
x-ms-request-id               : 4880287d-d8bf-4435-ab3d-6569267537c2
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Server                        : nginx
x-ms-routing-request-id       : NORWAYEAST:20220312T104422Z:2c0490fd-224d-4e54-8bf4-f66d0ca279e0
Date                          : Sat, 12 Mar 2022 10:44:22 GMT

Body:
{
  "id": "e538157ba57e426a8cb4e957de5a7b13",
  "properties": {
    "provisioningState": "Succeeded",
    "exitCode": 1,
    "startedAt": "2022-03-12T10:43:58Z",
    "finishedAt": "2022-03-12T10:43:58Z",
    "logs": "Error: open /command-files/new-tenant/.helmignore: permission denied\n"
  }
}

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/fd0d8686-c438-4b8f-9427-5bf2682fecf8/resourceGroups/rg-main-cluster/providers/Microsoft.ContainerService/managedclusters/trg-main-cluster/commandResults/e538157ba57e426a8cb4e957de5a7b13?api-version=2021-05-01

Headers:
x-ms-client-request-id        : a03e2319-d882-47c9-86ad-b093af337957

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-ratelimit-remaining-subscription-reads: 11980
x-ms-correlation-request-id   : a58cffc9-496d-467e-bd9e-bbec58bcc7c6
x-ms-request-id               : 25d9a9e9-3b97-4a0d-b6c6-c3f24cb33a6d
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Server                        : nginx
x-ms-routing-request-id       : NORWAYEAST:20220312T104423Z:a58cffc9-496d-467e-bd9e-bbec58bcc7c6
Date                          : Sat, 12 Mar 2022 10:44:23 GMT

Body:
{
  "id": "e538157ba57e426a8cb4e957de5a7b13",
  "properties": {
    "provisioningState": "Succeeded",
    "exitCode": 1,
    "startedAt": "2022-03-12T10:43:58Z",
    "finishedAt": "2022-03-12T10:43:58Z",
    "logs": "Error: open /command-files/new-tenant/.helmignore: permission denied\n"
  }
}

Id                : e538157ba57e426a8cb4e957de5a7b13
ProvisioningState : Succeeded
ExitCode          : 1
StartedAt         : 03/12/2022 10:43:58
FinishedAt        : 03/12/2022 10:43:58
Logs              : Error: open /command-files/new-tenant/.helmignore: permission denied

Reason            :

DEBUG: AzureQoSEvent: Module: Az.Aks:3.1.1; CommandName: Invoke-AzAksRunCommand; PSVersion: 7.2.1; IsSuccess: True; Duration: 00:00:37.9216352
DEBUG: Finish sending metric.
DEBUG: 11:44:23 - RunAzureRmAksCommand end processing.

Environment data

PS /home/vlebedev/repos/trg-docs> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.2.1
PSEdition                      Core
GitCommitId                    7.2.1
OS                             Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP …
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

PS /home/vlebedev/repos/trg-docs> Get-Module Az*

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.7.2                 Az.Accounts                         {Add-AzEnvironment, Clear-AzContext, Clear-AzDefault, Connect-AzAccount…}
Script     3.1.1                 Az.Aks                              {Disable-AzAksAddOn, Enable-AzAksAddOn, Get-AzAksCluster, Get-AzAksNodePool…}

Error output

No response

dingmeng-xue commented 2 years ago

Thanks for reporting. We will look into it.

wyunchi-ms commented 2 years ago

Hi @vitalii-lebedev, as your log shows:

Id                : 19004189917e4a489eef28803e6e8392
ProvisioningState : Succeeded
ExitCode          : 0
StartedAt         : 03/12/2022 10:37:32
FinishedAt        : 03/12/2022 10:37:32
Logs              : total 24
                    drwxr-xr-x 3 nonroot aks 4096 Mar 12 10:37 .
                    drwxr-xr-x 3 nonroot aks 4096 Mar 12 10:37 ..
                    ---------- 1 nonroot aks  349 Mar 12  2022 .helmignore
                    ---------- 1 nonroot aks 1146 Mar 12  2022 Chart.yaml
                    drwxr-xr-x 2 nonroot aks 4096 Mar 12 10:37 templates
                    ---------- 1 nonroot aks 1877 Mar 12  2022 values.yaml

Reason            :

nonroot doesn't have permission to access .helmignore. I think you need to grant the permission for the file first.

ghost commented 2 years ago

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

vitalii-lebedev commented 2 years ago

Hi @wyunchi-ms. Sorry, but I don't understand how your advice can help me to solve the issue. Locally I have all the required permissions. The output you see is from the remote AKS. 1) So, again, locally I have all the permissions. 2) Execution of the Invoke-AzAksRunCommand command with -CommandContextAttachment parameters copied the folder defined in this parameter to the server. 3) But after copying from the local machine to the remote host the permissions are lost.

Again, I don't copy this folder manually. Everything is done by Invoke-AzAksRunCommand and -CommandContextAttachment parameter.

Zaldos commented 2 years ago

I am also having this issue. Locally everyone has permissions to read (this is run from a Microsoft hosted agent running in an Azure DevOps pipeline): [image]

However, on using Invoke-AzAksRunCommand the files lose read permissions (ran Invoke-AzAksRunCommand with the command ls -la and also attempted a helm install in the same line): [image]

It does seem to be an issue with transferring files to wherever this runs from.

vitalii-lebedev commented 2 years ago

Hey @Zaldos! I found a workaround. It looks ugly but at least it works.

Invoke-AzAksRunCommand -ResourceGroupName resource-group -Name cluster-name -Command "chmod -R 777 namespace && $cmd" -Force -CommandContextAttachment "yamls"

wyunchi-ms commented 2 years ago

Hi @vitalii-lebedev & @Zaldos, sorry for causing trouble for you. I investigated and found that the zip API we used in DotNet Standard isn't well supported on Linux, and we don't have a plan to migrate it to DotNet Core in the near term. I will add a new parameter CommandContextAttachmentZip to supply a workaround for Linux users. You can zip your folder locally and pass the path to this parameter. This feature will be published around the next release.