Closed slavizh closed 10 months ago
Hey @slavizh, thanks for creating this issue. Could you email me the template used?
sent.
@slavizh you're deploying the stack with the option -DenySettingsMode DenyWriteAndDelete but you're not specifying any exclusions to these settings. You could try adding your own principal to -DenySettingsExcludedPrincipal.
I did notice when I had this issue myself that I had to run the deployment twice before it worked.
@sqlkabouter it should not be the case. If you have permissions on the stack you should be able to manage it without having to exclude the account you run it with.
@dantedallag any update?
@slavizh Still investigating. I'm able to reproduce, but it seems to be something that is only a problem with role assignments. While we continue to look into it, let us know if you have faced the same issue with any other resource type.
@dantedallag ok, great. Being able to reproduce it is good and that is only scoped to role assignments.
Hi @slavizh - we have a fix for this rolling out. We will confirm and close this issue once complete.
Hi @slavizh - quick update, the fix for this issue is currently being rolled out to all regions. We will confirm once all regions are deployed.
Hi @slavizh - the fix for this has been deployed. Can you please confirm before we close the issue? Thanks!
@azcloudfarmer I am still experiencing the issue. Location West Europe.
New-AzSubscriptionDeploymentStack: 13:30:19 - The deployment 'lz-role-assignments' failed with error(s). Showing 3 out of 3 error(s).
Error: Code=DeploymentStackDeploymentFailed; Message=One or more resources could not be deployed. Correlation id: '9e42c3a4-9f06-411c-ae0a-65abbd46e878'.
Error: Code=DeploymentFailed; Message=At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.
Error: Code=InvalidTemplateDeployment; Message=The template deployment failed with error: 'Deny assignment check failed for template resource 'bbc05547-14fd-5292-87b0-09c6812fad7f' of type 'Microsoft.Authorization/roleAssignments'. The client '<upn>' with object id '<GUID>' has the permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/<Sub ID>/providers/Microsoft.Authorization/roleAssignments/bbc05547-14fd-5292-87b0-09c6812fad7f' but is blocked by deny assignment.'.
@azcloudfarmer never mind. Turned out that it requires the latest Az.Resources version and I was using an old one.
Describe the bug
I have deployed a stack and it was successful. After trying to apply the stack again I get a failure due to a deny assignment. I have not changed anything in the stack's configuration. Both times I am using the same account (Outlook account, not sure if that is the issue).
To Reproduce
Below there is a correlation ID in order to investigate what is happening. I have redacted some information. If you need some other information I can send it by e-mail. I have done some tests before with the same template and account and never got this problem.
Repro Environment
Host OS: Windows 11
PowerShell Version: 7.3.6