Closed wiskaso closed 1 year ago
Interestingly enough, I am still able to import the unmanaged solution in to a developer environment via the ALM app/ import unmanaged solution pipelines.
For now my current workaround for the managed versions is to manually download the artifact and install it in to the target environments I want via the maker portal which is working.
The odd part is that we had successful deployments on March 16 for that solution (which already had the environment variable secrets for sometime) using the exact versions of the ALM and ALM pipelines I tried to use today. So outside of the changes in solution itself, we haven't introduced any changes from last month until now.
@wiskaso best I can tell it looks like the service principal doesn't have access to the secret in Key Vault but it's odd that it was working previously and not anymore. Could be something that changed in the platform.
@mikefactorial, I thought that was the case as well but then I set up a test flow that uses the Dataverse's unbound action "RetrieveEnvironmentVariableSecretValue" using the Service Principal as the connection and can successfully retrieve the key. I'm not certain if that's a good test of this though. A couple other things I tested out were granting full contributor access to the SP and tried to manually run the pac import solution command the pipeline uses for both Import Managed Solution as updates/upgrades step against another environment and I got the same error.
PS C:\dev\Work Items\troubleshooting> pac solution import --path .\DigitalEnablementCoreComponents_1.0.20230420.1_managed.zip --async true --import-as-holding false --force-overwrite true --publish-changes false --skip-dependency-check false --convert-to-managed false --max-async-wait-time 60 --activate-plugins true
Connected to... XX
Connected as XXX
Solution Importing...
Waiting for asynchronous operation 51a51190-c8df-ed11-8847-000d3a0a2267 to complete with timeout of 01:00:00
Processing asynchronous operation... execution time: 00:00:00 and 0.00% complete
Processing asynchronous operation... execution time: 00:00:04 and 0.12% complete
Processing asynchronous operation... execution time: 00:00:08 and 0.24% complete
Processing asynchronous operation... execution time: 00:00:12 and 0.36% complete
Processing asynchronous operation... execution time: 00:00:17 and 0.48% complete
Processing asynchronous operation... execution time: 00:00:21 and 0.60% complete
Processing asynchronous operation... execution time: 00:00:25 and 0.72% complete
Processing asynchronous operation... execution time: 00:00:30 and 0.84% complete
Processing asynchronous operation... execution time: 00:00:34 and 0.96% complete
Processing asynchronous operation... execution time: 00:00:38 and 1.08% complete
Processing asynchronous operation... execution time: 00:00:43 and 1.20% complete
Processing asynchronous operation... execution time: 00:00:47 and 1.32% complete
Processing asynchronous operation... execution time: 00:00:51 and 1.44% complete
Processing asynchronous operation... execution time: 00:00:56 and 1.56% complete
Asynchronous operation 51a51190-c8df-ed11-8847-000d3a0a2267 failed within 00:01:00.3561653.
The reason given was: An unexpected error occurred.
Microsoft PowerPlatform CLI
Version: 1.22.2+g401780b
Error: The async operation completed with a statuscode of Failed.
Usage: pac solution import [--path] [--activate-plugins] [--force-overwrite] [--skip-dependency-check] [--import-as-holding] [--publish-changes] [--convert-to-managed] [--async] [--max-async-wait-time] [--settings-file]
--path Path to solution zip file. If not specified, assumes the current folder is a cdsproj project. (alias: -p)
--activate-plugins Activate plug-ins and workflows on the solution (alias: -ap)
--force-overwrite Force an overwrite of unmanaged customizations (alias: -f)
--skip-dependency-check Skip dependency check against dependencies flagged as product update (alias: -s)
--import-as-holding Import the solution as a holding solution (alias: -h)
--publish-changes Publish your changes upon a successful import (alias: -pc)
--convert-to-managed Convert as Managed Solution (alias: -cm)
--async Imports solution asynchronously (alias: -a)
--max-async-wait-time Max asynchronous wait time in minutes. Default value is 60 minutes (alias: -wt)
--settings-file The .json file with the deployment settings for connection references and environment variables.
PS C:\dev\Work Items\troubleshooting>
@mikefactorial I was wondering if you had the ability to look in to this anymore or if there was something else I can do to provide back to you guys?
@mikefactorial Just an update - the import unmanaged solution pipeline is now failing too.
Thanks for the update @wiskaso apologize for the delay. Will look into what the issue is here and if something changed in the platform that is causing this.
@RajeevPentyala lets have a look at this tomorrow when we meet
this is interesting as we experienced the same issue last week. we had numerous pipelines which were working the week before. then all of a sudden last week. they stopped working with the same issue.
I even created a new Service Principal account and double checked all the permissions. and still no luck
following to see if anyone else has this issue
Would be really good if we had a verbose feature. which showed the GUIDS of the actual user its trying to read the Keys from. for debugging... and better errors
@lildent thanks for the update. Still looking into this. Have you tried enabling system diagnostics on the pipeline via or by setting the System.Debug environment variable to get more verbose error logging? https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemdebug
I did click the enable system diagnostics. And it was no good.
The only half decent error we get. Is when you go into the solution history. Which tells us what the Error is. Ie. The user has not got access to the key vault..
Jonathan Dent
From: Mike! @.> Sent: Monday, May 1, 2023 6:48:22 PM To: microsoft/coe-starter-kit @.> Cc: lildent @.>; Mention @.> Subject: Re: [microsoft/coe-starter-kit] [ALM Accelerator - BUG]: Deployment of solution fails due to a 'user not being authorized to read secrets' (Issue #5348)
@wiskaso Can you retry the deployment by providing 'Reader' role in 'Key Vault' to the 'Service Principal', which your pipeline's 'Service Connections' running under?
@RajeevPentyala
Thanks for the suggestion, I know I have hijacked this post, but it didn't resolve it.
Error code [8004801E] Exception message Import failed: User is not authorized to read secrets from '/subscriptions/xxxxxxxxxxx-xxxxxxx-affd-5f2a27931f8d/resourceGroups/ProjectDeliverySys/providers/Microsoft.KeyVault/vaults/SKEYVAULT' resource.
Hey @RajeevPentyala, just FYI - I had already tried adding the ALM service principal to both the IAM roles with the contributor role as well as within the access policies with full permissions to do everything inside the key vault. Similar to @lildent, there was no change and did not resolve the issue.
@RajeevPentyala
I found something kind of interesting...
This change was made to the environment variables documentation fairly recently:
This shows a change in the documentation that I just happened to review today. But this seems to me that new permissions are required for the Dataverse service principal which are different than before. I have yet to test out but I can safely say that this is something missing from my setup.
When I set this up sometime ago, the versions of the instructions I followed were these: https://github.com/MicrosoftDocs/powerapps-docs/blob/ceb38a0b2282601be2e6eca037ffc63b5ba3a57e/powerapps-docs/maker/data-platform/EnvironmentVariables.md#prerequisites
@wiskaso I assumed that you considered the latest documentation, please reconfigure the 'Key Vault' as specified in the documentation, if not done already.
At a high level, Azure Key Vault must have the "Key Vault Secrets User" role granted to the "Dataverse service" principal. Also, the 'Service Principal' which the pipelines running under must have the 'Reader' role.
Please reach out if you face further issues.
@RajeevPentyala yes, I also thought I had as well when I opened this bug. These new instructions were added 5 days ago so it still must have been the old instructions when I originally opened this.
I will definitely try this tomorrow morning and will update you.
I can confirm that. I have set mine up to follow these rules. and still have the same issue.
@lildent Can you please confirm if you have these settings?
'Dataverse' Principal has "Key Vault Secrets User" role
'Dataverse' Principal has 'Get' permission on 'Secret Permissions'
Pipelines Service Principal must have 'Reader' access
If you can share the screens/error logs, please share the same to rajeevpe(at)microsoft(dot)com.
Still no luck and same error
@lildent Thanks for the details. Can you share the screenshot/log of the exact error? If you can't see a detailed error in the pipeline logs, you would get that from the failed import log in the 'Solution' history tab in the maker portal.
Also, if you can, please create a test flow as documented here. Make sure the Dataverse connector runs under 'Service Principal'. This step helps us in troubleshooting the privileges issue.
Also I can confirm the secrets are working in the flows. I had to manually import the solutions into production. and all working.
I must say 2 weeks ago the pipeline was working. we just went to release it last Tuesday. and the issue came up. No one had changed anything in the pipeline or AD settings around the user accounts/permissions or KeyVault
@RajeevPentyala Access policy for Dataverse SP
Role assignment for Dataverse SP
Role assignment for ALM SP
Import error from maker portal:
Same results as before.
Also - I've tested the test flows you asked and can successfully retrieve keys in the flows directly.
@RajeevPentyala Do these RBAC roles I'm adding apply if the KV is in this access configuration mode?
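The permission checklist discussed in this thread, and the question of which vault permission model is in force, as an added example that is not part of the original thread or of any Microsoft tooling. It assumes the inputs are JSON shaped like the output of `az keyvault show` and `az role assignment list`; every ID, name and sample value is a constructed placeholder.

```python
"""Check exported Key Vault settings against the checklist in this thread.

Inputs are shaped like the JSON printed by `az keyvault show` and
`az role assignment list`. All IDs below are constructed placeholders.
"""

# Built-in roles whose data actions include reading secret values.
SECRET_READ_ROLES = {"Key Vault Secrets User", "Key Vault Secrets Officer",
                     "Key Vault Administrator"}
# Built-in roles that include control-plane read on the vault resource.
CONTROL_READ_ROLES = {"Reader", "Contributor", "Owner"}

VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
            "/resourceGroups/rg-example/providers/Microsoft.KeyVault"
            "/vaults/kv-example")
DATAVERSE_ID = "11111111-1111-1111-1111-111111111111"  # placeholder object ID
PIPELINE_ID = "22222222-2222-2222-2222-222222222222"   # placeholder object ID

# Constructed sample: vault in access-policy mode with no policy entries.
SAMPLE_VAULT = {
    "id": VAULT_ID,
    "properties": {"enableRbacAuthorization": False, "accessPolicies": []},
}
SAMPLE_ASSIGNMENTS = [
    {"principalId": DATAVERSE_ID, "scope": VAULT_ID,
     "roleDefinitionName": "Key Vault Secrets User"},
    # Assigned on the resource group, so inherited by the vault.
    {"principalId": PIPELINE_ID, "scope": VAULT_ID.split("/providers/")[0],
     "roleDefinitionName": "Contributor"},
]


def roles_held(assignments, principal_id, vault_id):
    """Role names the principal holds at the vault or at any parent scope."""
    vid = vault_id.rstrip("/").lower()
    held = set()
    for a in assignments:
        raw = a.get("scope")
        if not raw or a.get("principalId") != principal_id:
            continue
        scope = raw.rstrip("/").lower()
        if vid == scope or vid.startswith(scope + "/"):
            held.add(a.get("roleDefinitionName"))
    return held


def has_secret_get(vault, principal_id):
    """True if an access policy gives the principal 'get' on secrets."""
    policies = vault.get("properties", {}).get("accessPolicies") or []
    for policy in policies:
        secrets = (policy.get("permissions") or {}).get("secrets") or []
        if policy.get("objectId") == principal_id and \
                "get" in (s.lower() for s in secrets):
            return True
    return False


def evaluate(vault, assignments, dataverse_id, pipeline_id):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    rbac = bool(vault.get("properties", {}).get("enableRbacAuthorization"))
    dv_roles = roles_held(assignments, dataverse_id, vault["id"])
    if rbac:
        # Under Azure RBAC only data-plane roles grant secret reads;
        # Reader, Contributor and Owner carry no data actions.
        if not dv_roles & SECRET_READ_ROLES:
            findings.append("dataverse: no secret-read role (vault uses Azure RBAC)")
        if has_secret_get(vault, dataverse_id):
            findings.append("dataverse: access policy present but ignored under Azure RBAC")
    else:
        # Under vault access policies, secret reads come from the policy list.
        if not has_secret_get(vault, dataverse_id):
            findings.append("dataverse: no access policy with secret 'get'")
        if dv_roles & SECRET_READ_ROLES:
            findings.append("dataverse: secret-read role has no effect under access policies")
    if not roles_held(assignments, pipeline_id, vault["id"]) & CONTROL_READ_ROLES:
        findings.append("pipeline: no Reader (or broader) role on the vault")
    return findings


if __name__ == "__main__":
    for line in evaluate(SAMPLE_VAULT, SAMPLE_ASSIGNMENTS, DATAVERSE_ID, PIPELINE_ID):
        print("FINDING:", line)
```

With the constructed sample, the vault is in access-policy mode, so the role assignment alone leaves the Dataverse principal without secret read access.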
I am experiencing the same error above with the configuration on the newest documentation. However, I'm able to import manually via maker portal without issue.
We are experiencing the same.
But i have an extended error log that may help you @RajeevPentyala:
2023-05-08T10:05:34.0475092Z ##[error]Exception type: System.ServiceModel.FaultException`1[Microsoft.Xrm.Sdk.OrganizationServiceFault] Message: An unexpected error occurred.Detail:
@tylerjkruse Is the 'User' who created the 'Key Vault' the same 'User' who imported the solution? The issue at hand is that there has been a failure to import data using the 'Application User'.
@RajeevPentyala Yes, I am the creator of the key vault and also the user who manually imported. I can test manually importing using a service account to see if there is a relationship between KV creator & solution importer. And yes, the issue with my pipeline is failing when app user tries to import even though it has all the proper configuration according to documentation above.
@wiskaso Same combination worked for me. To narrow down the issue, can you please try below steps using pac cli?
- Create a profile for 'Service Principal', using 'pac auth' link.
- Manually export the solution from your Dev environment.
- Trigger the solution import to target by using 'pac solution import' documented here
These steps will provide additional logs which might help us to troubleshoot.
FYI @MPSEM
Hi @RajeevPentyala
For the solution import do you want the plain vanilla pac solution import --path c:\Users\Documents\Solution.zip
or do you want the same switches the pipeline uses?
Update: Hey @RajeevPentyala ,
I tried the manual export and then the pac solution import with no switches and it looks like it successfully updated.
PS C:\dev\Work Items\troubleshooting> pac solution import --path .\DigitalEnablementCoreComponents_1_0_20220425_7_managed-manualexport.zip
Connected to... Digital-Automation-Validation
Connected as XX
Solution Importing...
Solution Imported successfully.
PS C:\dev\Work Items\troubleshooting>
That seemed to work.
@wiskaso Can you also confirm, you created the profile 'pac auth create' using the 'Service Principal' before the solution import?
@RajeevPentyala Yes, confirmed. I set up a new authentication profile using pac auth create and provided my ALM service principal details prior to the solution import.
These are the commands I used:
PS C:\dev\Work Items\troubleshooting>pac auth create --name "ALM validation" --url https://{env}.crm3.dynamics.com/ --applicationId {client id} --clientSecret {secret} --tenant {tenant id}
PS C:\dev\Work Items\troubleshooting> pac auth list
Index Active Kind Name Friendly Name Url User Cloud
...
[8] * DATAVERSE ALM validation https://{env}.crm3.dynamics.com/ {client id} Public
PS C:\dev\Work Items\troubleshooting>
@wiskaso Thanks for the confirmation. It's a bit strange because ALM Accelerator also uses 'PAC CLI Solution Import' and you were not getting the error from PAC but from ALM Accelerator. Hope your pipeline's service connection is configured with the same service principal which you tried in PAC. Also, could you test 'pac solution import' again with the additional parameters? (Example: pac solution import --path {} --async true --import-as-holding false --force-overwrite true --publish-changes false --skip-dependency-check false --convert-to-managed false --max-async-wait-time 60 --activate-plugins true).
@RajeevPentyala
I will try this tomorrow morning. I’ll have to make a small change to my solution because when you had me do the vanilla import test it updated to the latest solution. And yeah, I agree it’s very strange that it would just fail suddenly. I was surprised the vanilla import even worked. It does seem like the issue is in the switches but I’ll try it tomorrow morning and report back.
Regarding my pipeline SP, it’s using the same ALM service principal that I used when I did the manual pac CLI test. It’s also the same SP I used when I tested initially when I opened up this bug report.
@RajeevPentyala
I did that re-import using all the flags using a manual export which was successful.
PS C:\dev\Work Items\troubleshooting> pac solution import --path .\DigitalEnablementCoreComponents_1_0_20220425_8_managed-manualexport.zip --async true --import-as-holding false --force-overwrite true --publish-changes false --skip-dependency-check false --convert-to-managed false --max-async-wait-time 60 --activate-plugins true
Connected to... XXX
Connected as XX
Solution Importing...
Waiting for asynchronous operation f1c236fb-46f3-ed11-8849-0022483c51f4 to complete with timeout of 01:00:00
Processing asynchronous operation... execution time: 00:00:00 and 0.00% complete
Processing asynchronous operation... execution time: 00:00:04 and 0.13% complete
...
Processing asynchronous operation... execution time: 00:03:56 and 6.57% complete
Asynchronous operation f1c236fb-46f3-ed11-8849-0022483c51f4 completed successfully within 00:04:00.7803921
Solution Imported successfully. Import id: f1c236fb-46f3-ed11-8849-0022483c51f4
I'm experiencing this issue as well. Is there any update to this?
@RajeevPentyala I was curious if there was any new updates to this issue?
@wiskaso One parameter missed during your solution import using the 'pac solution import' was --settings-file. Could you retest by preparing a json file with following format and pass it to 'pac solution import'?
{
  "EnvironmentVariables": [
    {
      "SchemaName": "cat_secEnvironmentName",
      "Value": "{your-target-serect-value}"
    }
  ],
  "ConnectionReferences": []
}
@rfarris2000 Hope you have referred the new documentation and configured as mentioned. To troubleshoot, please try importing the solution using 'pac solution import' as mentioned in the thread, this will give us more insights on the issue.
We chose another route. We are using Azure Key Vault connector with a service principal instead.
Hi Rajeev, I'll test it out tonight.
@RajeevPentyala Sorry I took so long to get back - it has been quite a busy last two weeks for me.
I was able to re-produce the error now that you had me add that settings file.
PS C:\dev\Work Items\troubleshooting> pac solution import --path .\DigitalEnablementCoreComponents_1_0_20220425_10_managed-manualexport.zip --async true --import-as-holding false --force-overwrite true --publish-changes false --skip-dependency-check false --convert-to-managed false --max-async-wait-time 60 --activate-plugins true --settings-file .\deploymentSettings-Test.json
Connected to... D...snip
Connected as 3c...snip
Solution Importing...
Waiting for asynchronous operation 74e33c75-010f-ee11-8f6e-0022483c51f4 to complete with timeout of 01:00:00
Processing asynchronous operation... execution time: 00:00:00 and 0.00% complete
Processing asynchronous operation... execution time: 00:00:04 and 0.12% complete
Processing asynchronous operation... execution time: 00:00:08 and 0.24% complete
Processing asynchronous operation... execution time: 00:00:13 and 0.37% complete
Processing asynchronous operation... execution time: 00:00:17 and 0.48% complete
Processing asynchronous operation... execution time: 00:00:21 and 0.60% complete
Asynchronous operation 74e33c75-010f-ee11-8f6e-0022483c51f4 failed within 00:00:25.9549973.
The reason given was: User is not authorized to read secrets from '/subscriptions/5...snip/resourceGroups/rg...snip/providers/Microsoft.KeyVault/vaults/k...snip/secrets/N...snip' resource.
Microsoft PowerPlatform CLI
Version: 1.22.2+g401780b
Error: The async operation completed with a statuscode of Failed.
Usage: pac solution import [--path] [--activate-plugins] [--force-overwrite] [--skip-dependency-check] [--import-as-holding] [--publish-changes] [--convert-to-managed] [--async] [--max-async-wait-time] [--settings-file]
--path Path to solution zip file. If not specified, assumes the current folder is a cdsproj project. (alias: -p)
--activate-plugins Activate plug-ins and workflows on the solution (alias: -ap)
--force-overwrite Force an overwrite of unmanaged customizations (alias: -f)
--skip-dependency-check Skip dependency check against dependencies flagged as product update (alias: -s)
--import-as-holding Import the solution as a holding solution (alias: -h)
--publish-changes Publish your changes upon a successful import (alias: -pc)
--convert-to-managed Convert as Managed Solution (alias: -cm)
--async Imports solution asynchronously (alias: -a)
--max-async-wait-time Max asynchronous wait time in minutes. Default value is 60 minutes (alias: -wt)
--settings-file The .json file with the deployment settings for connection references and environment variables.
PS C:\dev\Work Items\troubleshooting>
The contents of the file:
{
"EnvironmentVariables": [
{
"SchemaName": "dsa_decc...snip",
"Value": "/subscriptions/5...snip/resourceGroups/rg...snip/providers/Microsoft.KeyVault/vaults/k...snip/secrets/N...snip"
}
],
"ConnectionReferences": []
}
I tried two different secrets, one at a time to make sure and both times it failed.
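The failure above only appears once the settings file supplies a Key Vault secret reference, so the following added example (not code from the thread or from the pac CLI) lists the secret references in a deployment settings file and matches them against the "not authorized to read secrets" error text. The reference and error formats are taken from the posts above; the schema names, IDs and sample values are constructed.

```python
"""List Key Vault secret references in a pac deployment settings file and
match them against the import error text. All sample data is constructed."""
import json
import re

# Secret reference format as posted in the thread's settings file.
SECRET_REF = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.KeyVault/vaults/(?P<vault>[^/]+)"
    r"/secrets/(?P<secret>[^/]+)/?$",
    re.IGNORECASE,
)
# Error text format as shown by pac and the solution history in the thread.
DENIED = re.compile(r"not authorized to read secrets from '([^']+)' resource")

# Constructed placeholder values.
SAMPLE_VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                   "/resourceGroups/rg-example/providers/Microsoft.KeyVault"
                   "/vaults/kv-example")
SAMPLE_SETTINGS = json.dumps({
    "EnvironmentVariables": [
        {"SchemaName": "new_ApiKeySecret",
         "Value": SAMPLE_VAULT_ID + "/secrets/ApiKey"},
        {"SchemaName": "new_ApiBaseUrl",
         "Value": "https://example.invalid/api"},
    ],
    "ConnectionReferences": [],
})
SAMPLE_ERROR = ("The reason given was: User is not authorized to read secrets "
                "from '" + SAMPLE_VAULT_ID + "/secrets/ApiKey' resource.")


def secret_references(settings_text):
    """Return one dict per environment variable whose value is a secret reference."""
    settings = json.loads(settings_text)
    refs = []
    for var in settings.get("EnvironmentVariables") or []:
        value = str(var.get("Value", "")).strip()
        match = SECRET_REF.match(value)
        if not match:
            continue  # plain value, not a Key Vault reference
        ref = match.groupdict()
        ref["schema_name"] = var.get("SchemaName")
        ref["secret_id"] = value.rstrip("/")
        ref["vault_id"] = value[: value.lower().rindex("/secrets/")]
        refs.append(ref)
    return refs


def vault_scopes(refs):
    """Distinct vault resource IDs, i.e. where access has to be reviewed."""
    return sorted({r["vault_id"] for r in refs})


def affected_variables(error_text, refs):
    """Schema names whose reference matches the resource named in the error.

    The thread shows the error naming either the vault or the single secret,
    so both forms are compared.
    """
    match = DENIED.search(error_text)
    if not match:
        return []
    denied = match.group(1).rstrip("/").lower()
    return [r["schema_name"] for r in refs
            if denied in (r["secret_id"].lower(), r["vault_id"].lower())]


if __name__ == "__main__":
    found = secret_references(SAMPLE_SETTINGS)
    print("vaults to review:", vault_scopes(found))
    print("variables hit by the error:", affected_variables(SAMPLE_ERROR, found))
```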
@wiskaso since we've been able to validate this isn't an ALM Accelerator issue and haven't been able to reproduce the specific issue there's not much more we can do to assist. You may want to report your findings on the Power Platform Build Tools repo https://github.com/microsoft/powerplatform-build-tools with specifics about the permissions you've configured and the behavior when using the pac commands. I know there's recent changes in the platform as far as key vault permissions related to the docs updates that may still be rolling out or have rolled out just recently. Will leave this issue open for now, but not sure how much more assistance we can provide at this point.
Mine magically started working a couple of weeks ago. Well until I embedded a power bi report to a model driven app. And now I have to deal with a new issue. Of the user not having the right permissions again …
Jonathan Dent
From: Mike! @.> Sent: Thursday, June 29, 2023 4:01:29 PM To: microsoft/coe-starter-kit @.> Cc: lildent @.>; Mention @.> Subject: Re: [microsoft/coe-starter-kit] [ALM Accelerator - BUG]: Deployment of solution fails due to a 'user not being authorized to read secrets' (Issue #5348)
@lildent The change to the documentation was published ahead of the change in the platform which may explain why it "magically" started working if the update rolled out to your org.
Closing this out as there's nothing more for the ALM Accelerator team to do here. If this continues to be an issue please raise a support ticket with Microsoft support.
I appear to be having the same issue. Is there anyone here who had experienced the same problem able to point me to another issue or resolution if this isn't an issue related to ALM Accelerator?
We had an issue back in June when the documentation and access requirements were changed. We were able to resolve that by updating the key vault with the required roles. Since then we have had no issues until yesterday. Now import is failing due to "User is not authorized to read secrets from....". The same solution imported successfully just two weeks ago with the same Environment Variable Secret and Key vault secret so it is quite puzzling.
Describe the issue
I've been trying to use the deployment pipelines to update one of my solutions which contains environment variables that are secrets and make use of Azure Key Vault. I have deployed this solution multiple times after adding the environment variables sometime last year. Recently, however, I went to an update to a custom connector contained within this solution and the subsequent deployment failed. The error message I'm getting is as follows:
Import failed: User is not authorized to read secrets from '/subscriptions/{GUID}/resourceGroups/{Resource Group}/providers/Microsoft.KeyVault/vaults/{key vault}' resource.
Expected Behavior
The pipeline completes as usual and updates the solution.
What component are you experiencing the issue with?
ALM Accelerator Pipelines
What solution version are you using?
December 2022
Steps To Reproduce
Anything else?
The pipeline itself provides no useful output:
However, the error I mentioned above can be seen from the maker portal, under the solution's history tab:
AB#1018