Open prutsert opened 1 year ago
@prutsert confirming, this scenario is working for you currently. However, the main ask here is to improve our error messaging?
Hi @cachai2 That's correct, I eventually managed to get things up and running, but it took a lot of troubleshooting. Detailed logging was also missing in ContainerAppSystemLogs_CL.
This issue is a: (mark with an x)
Issue description
I created a Container Apps Environment (CAE) with internal VNet only connectivity:
I created a Key Vault, and added a secret that needs to be used by the Container Apps Job I'm about to deploy. I enabled network access restrictions on the Key Vault, so that only the VNets/Subnets provided in the allow list have access. But (here's what I found out after a couple of hours troubleshooting): I forgot to add mySubnetId to that allow list.
I created a Managed Identity, that has Get Secret permission on the Key Vault.
I am using Bicep to deploy a Container Apps Job to the CAE, with secrets referencing the Key Vault (using the Managed Identity I just created). The deployment fails, after 10 minutes, with the message:
Failed to provision revision for container app 'my-container-apps-job'. Error details: Operation expired. (Code: ContainerAppOperationError)
. There is no hint as to what the actual reason was, why this deployment failed.Similar behaviour is mentioned as a side effect in #646 , where deploying a Container App with an identity that has no access to the container registry, ends up with the same timeout message, without telling what is actually wrong.
Steps to reproduce
Expected behavior [What you expected to happen.] A descriptive error message, stating that the deployment failed because the Key Vault couldn't be accessed. Preferably including the reason why,
"code": "ForbiddenByFirewall"
in this case.Actual behavior [What actually happened.] No relevant error message at all, just a deployment timeout.
Additional context
Ex. Did this issue occur in the CLI or the Portal? The problem occurs when deploying the Container Apps Job using Bicep. Not tested what would happen when the deployment is done using
az containerapp job ....