Open erwinkramer opened 1 month ago
Thanks, @erwinkramer. We are looking into this.
I did some other tests to confirm the deployment stack permission scope isn't limited to the subscription (which makes some sense if I interpret the docs). So, I did az stack mg create on the same management group that hosts the Azure Policies and assignments, so every resource the deployment stack process has to reach is on the same level, or lower. But still, it gives the same permission error, with correlation id d506bf15-7dec-407a-97d2-1ad9787f9d87.
@erwinkramer The mg scoped stack deployment that you did, was there any deployment scope property set to it or was it deployed to the same mg scope as well?
@Xynoclafe same scope, no explicit reference
A fix for this issue has been checked in and should be deployed and ready to use over the coming few weeks.
Describe the bug
Failing stack deployment, pointing towards an internal Microsoft identity called "Azure Deployments" with app id 3b990c8b-9607-4c2a-8b04-1d41985facca. This app is completely unknown to me, it's not my identity, not our tenant's. It only shows up as an Enterprise App in our environment, so it makes sense that we don't give it permissions.
To Reproduce
Make this main.bicep:
Make the following modules/exemption-rg.bicep module:
and the type types/exemption.bicep:
Deploy as a stack to failure:
Throws (capital words are added to hide our IDs):
The following works with the same bicep, so nothing really wrong with the bicep itself:
To be clear, I'm using az login and my own user account with both the working and failing statement, so no service principal is involved at our side.
Expected behavior
The stack should not fail. It does create a stack now, but in a failed state for the Deployment resource.
Repro Environment
azure-cli version: 2.63.0
Bicep CLI version: 0.29.47
Server Debugging Information
Correlation ID: c1676b37-4c47-4a9a-b0eb-8a879f1b0e98
Tenant ID: 9ecbd628-0072-405d-8567-32c6750b0d3e
Timestamp of issue (please include time zone): 8/28/2024, 5:07:01 PM (CET)
Data Center (eg, West Central US, West Europe): west europe