maniSbindra / az-mpf

Azure Deployments Minimum Permissions Finder (ARM, Terraform, Bicep)

Not working in windows machine #42

Open grb247 opened 3 months ago

grb247 commented 3 months ago

Tried - Installed az-mpf_0.8.0_windows_arm64.tar.gz
tar -xzf az-mpf_0.7.0_windows_amd64.tar.gz
mv az-mpf_0.7.0_windows_amd64 az-mpf.exe
chmod +x ./az-mpf.exe

After setting up the environment, I'm getting this error:
time="2024-08-05T19:57:08+05:30" level=info msg="Creating Resource Group: testdeployrg-NJv7zB8 \n"

time="2024-08-05T19:57:08+05:30" level=fatal msg="PUT [https://management.azure.com/subscriptions/014e74-xxxe--6508a/resourcegroups/testdeployrg-NJv7zB8] (https://management.azure.com/subscriptions/014e74-xxxe--6508a/resourcegroups/testdeployrg-NJv7zB8/n--------------------------------------------------------------------------------/nRESPONSE) 401: 401 Unauthorized\nERROR CODE: InvalidAuthenticationTokenTenant\n--------------------------------------------------------------------------------\n{\n \"error\": {\n \"code\": \"InvalidAuthenticationTokenTenant\",\n \"message\": \"The access token is from the wrong issuer 'https://sts.windows.net/33e0-xxx-daffd5e33d/'. It must match the tenant 'https://sts.windows.net/72f988-xx-1db47/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/72f988-xx-1db47' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.\"\n }\n}\n

Tried multiple things, but it's still picking a different access token to authenticate instead of what we set in az account.
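The InvalidAuthenticationTokenTenant error above says the token's issuer tenant differs from the subscription's tenant. The following added diagnostic (not part of this issue or of az-mpf) decodes the `tid`/`iss` claims of a JWT, the same claims ARM checks, and compares them with the expected tenant; the token here is constructed and unsigned, using the redacted tenant ids quoted in the error, whereas a real one would come from `az account get-access-token`.

```python
import base64
import json

# Expected tenant, taken from the redacted error message in the issue
# (a placeholder value, not a real tenant id).
EXPECTED_TENANT = "72f988-xx-1db47"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the
    signature. Diagnostics only: it tells us which tenant issued the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_tenant(token: str, expected_tenant: str) -> dict:
    """Compare the token's tid and iss claims with the subscription's tenant,
    mirroring the server-side InvalidAuthenticationTokenTenant check."""
    claims = decode_claims(token)
    tid = claims.get("tid")
    iss = claims.get("iss", "")
    # v1 issuers look like https://sts.windows.net/<tid>/, v2 issuers like
    # https://login.microsoftonline.com/<tid>/v2.0; both embed the tenant id.
    issuer_tenant = iss.rstrip("/").replace("/v2.0", "").rsplit("/", 1)[-1]
    ok = tid == expected_tenant and issuer_tenant == expected_tenant
    return {"ok": ok, "tid": tid, "iss": iss, "expected": expected_tenant}


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg none) for this example; real
    Azure tokens are RS256-signed and must never be accepted unsigned."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed token imitating the failing one: issued by tenant
# 33e0-xxx-daffd5e33d while the subscription lives in 72f988-xx-1db47.
WRONG_TENANT_TOKEN = make_unsigned_token({
    "iss": "https://sts.windows.net/33e0-xxx-daffd5e33d/",
    "tid": "33e0-xxx-daffd5e33d",
    "aud": "https://management.azure.com/",
})

if __name__ == "__main__":
    print(check_token_tenant(WRONG_TENANT_TOKEN, EXPECTED_TENANT))
```

If `ok` is false, the CLI cached a token for another tenant; compare `tid` with the value you set for the tenant (MPF_TENANTID in the PowerShell example below) before rerunning.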

maniSbindra commented 3 months ago

@grb247 can you please share the version of az cli you are using? I understand that the token encryption / caching of tokens now works differently with az cli on Windows, which could be the reason. I will need to investigate this further. Were you able to get around this using either WSL or the bash Cloud Shell?

grb247 commented 3 months ago

@maniSbindra "azure-cli": "2.59.0", "azure-cli-core": "2.59.0", "azure-cli-telemetry": "1.1.0",

No, did not try WSL. From the Azure cmd Linux env it's working.

maniSbindra commented 2 months ago

Hi @grb247, I tested on a Windows 11 machine using PowerShell, and the utility worked as expected.

$env:MPF_SUBSCRIPTIONID="SUB_ID"
$env:MPF_TENANTID="TENANT_ID"
$env:MPF_SPCLIENTID="CLIENT_ID"
$env:MPF_SPCLIENTSECRET="CLIENT_SECRET"
$env:MPF_SPOBJECTID="OBJECT_ID"

PS C:\Users\testuser\repos\az-mpf> ..\..\Downloads\az-mpf-windows-amd64.exe  arm --templateFilePath ./samples/templates/aks-private-subnet.json --parametersFilePath ./samples/templates/aks-private-subnet-parameters.json --verbose
time="2024-08-11T03:53:38-07:00" level=info msg="Executing MPF for ARM"
time="2024-08-11T03:53:38-07:00" level=info msg="TemplateFilePath: ./samples/templates/aks-private-subnet.json\n"
time="2024-08-11T03:53:38-07:00" level=info msg="ParametersFilePath: ./samples/templates/aks-private-subnet-parameters.json\n"
time="2024-08-11T03:53:38-07:00" level=info msg="roleDefinitionResourceID: /subscriptions/SSSSSSS-SSSSSS-SSSSS-SSSSSSSSSSSS/providers/Microsoft.Authorization/roleDefinitions/e6be5822-e3ba-4d5a-bf42-b8a7914d6c3d"
time="2024-08-11T03:53:49-07:00" level=info msg="Creating Resource Group: testdeployrg-CyF9AW9 \n"
time="2024-08-11T03:53:53-07:00" level=info msg="Resource Group: testdeployrg-CyF9AW9 created successfully \n"
time="2024-08-11T03:53:55-07:00" level=info msg="Deleted all existing role assignments for service principal \n"
time="2024-08-11T03:53:55-07:00" level=info msg="Initializing Custom Role"
time="2024-08-11T03:54:00-07:00" level=info msg="Custom role initialized successfully"
time="2024-08-11T03:54:00-07:00" level=info msg="Assigning new custom role to service principal"
time="2024-08-11T03:54:04-07:00" level=info msg="New Custom Role assigned to service principal successfully"
time="2024-08-11T03:54:04-07:00" level=info msg="Adding initial permissions to requiredPermissions map"
time="2024-08-11T03:54:09-07:00" level=info msg="Whatif Results Response Body is empty, retrying in a bit..."
time="2024-08-11T03:54:11-07:00" level=info msg="Whatif Results Response Received.."
time="2024-08-11T03:54:11-07:00" level=info msg="Successfully Parsed Deployment Authorization Error"
time="2024-08-11T03:54:11-07:00" level=info msg="Adding mising scopes/permissions to final result map..."
time="2024-08-11T03:54:11-07:00" level=info msg="Adding permission/scope to role..........."
time="2024-08-11T03:54:17-07:00" level=info msg="Permission/scope added to role successfully"
time="2024-08-11T03:54:24-07:00" level=info msg="Whatif Results Response Body is empty, retrying in a bit..."
time="2024-08-11T03:54:26-07:00" level=info msg="Whatif Results Response Body is empty, retrying in a bit..."
time="2024-08-11T03:54:27-07:00" level=info msg="Whatif Results Response Body is empty, retrying in a bit..."
time="2024-08-11T03:54:28-07:00" level=info msg="Whatif Results Response Body is empty, retrying in a bit..."
time="2024-08-11T03:54:29-07:00" level=info msg="Whatif Results Response Body is empty, retrying in a bit..."
time="2024-08-11T03:54:30-07:00" level=info msg="Whatif Results Response Body is empty, retrying in a bit..."
time="2024-08-11T03:54:32-07:00" level=info msg="Whatif Results Response Body is empty, retrying in a bit..."
time="2024-08-11T03:54:33-07:00" level=info msg="Whatif Results Response Body is empty, retrying in a bit..."
time="2024-08-11T03:54:34-07:00" level=info msg="Whatif Results Response Body is empty, retrying in a bit..."
time="2024-08-11T03:54:36-07:00" level=info msg="Whatif Results Response Received.."
time="2024-08-11T03:54:36-07:00" level=warning msg="Post Authorizaton error occured: {\"status\":\"Failed\",\"error\":{\"code\":\"InvalidTemplateDeployment\",\"message\":\"The template deployment 'testDeploy-mTnwNgn' is not valid according to the validation procedure. The tracking id is 'b121f10a-3bda-45d7-8b28-5e4e3c4d564b'. See inner errors for details.\",\"details\":[{\"code\":\"InvalidParameter\",\"message\":\"Preflight validation check for resource(s) for container service azmpfakstestcluster in resource group testdeployrg-CyF9AW9 failed. Message: Required parameter servicePrincipalProfile is missing (null).. Details: \"}]}}"
time="2024-08-11T03:54:36-07:00" level=info msg="Authorization Successful"
time="2024-08-11T03:54:36-07:00" level=info msg="Cleaning up resources..."
time="2024-08-11T03:54:36-07:00" level=info msg="*************************"
time="2024-08-11T03:54:36-07:00" level=info msg="No additional cleanup needed in WhatIf mode"
time="2024-08-11T03:54:36-07:00" level=info msg="*************************"
time="2024-08-11T03:54:43-07:00" level=info msg="Role definition deleted successfully"
time="2024-08-11T03:54:46-07:00" level=info msg="Resource group deletion initiated successfully..."
------------------------------------------------------------------------------------------------------------------------------------------
Permissions Required:
------------------------------------------------------------------------------------------------------------------------------------------
Microsoft.ContainerService/managedClusters/read
Microsoft.ContainerService/managedClusters/write
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/write
Microsoft.Network/virtualNetworks/write
Microsoft.Resources/deployments/read
Microsoft.Resources/deployments/write
------------------------------------------------------------------------------------------------------------------------------------------

I am not sure why you are getting the "The access token is from the wrong issuer" error.

@grb247 which Windows version are you using?