microsoft / service-fabric-issues

This repo is for the reporting of issues found with Azure Service Fabric.

Unable to create a cluster from Visual Studio 2019 #1596

Closed rlevchenko closed 4 years ago

rlevchenko commented 4 years ago

Expected Behavior

Visual Studio creates a cluster without any issues

Current Behavior

I'm constantly receiving the following error during cluster creation using the latest Visual Studio 2019. On the other hand, I can successfully create the cluster in Azure manually and then publish my app to the cluster. So, the issue is probably related to the scripts responsible for Service Fabric management in Visual Studio.

    Creating Service Fabric cluster 'rlsfc01'...
    Creating resource group.
    Configuring key vault.
    Waiting for key vault DNS record resolution...
    'Creating certificate 'rlsfc0120xxxxxx'.' failed. Detail: Forbidden : {"error":{"code":"Forbidden","message":"Access denied. Caller was not found on any access policy.\r\nCaller: appid=872cd9fa-d31f-45e0-9eab-6e460a02d1f1;oid=3d515bc2-35a9-4451-b0f3-8596147af15c;numgroups=1;iss=https://sts.windows.net/d373cb19-d4db-4f95-aedf-363199c531aa/\r\nVault: rlsfc0120xxxxxx;location=westeurope","innererror":{"code":"AccessDenied"}}}.
    System.Net.Http.HttpRequestException: Access denied. Caller was not found on any access policy.
    Caller: appid=872cd9fa-d31f-45e0-9eab-6e460a02d1f1;oid=3d515bc2-35a9-4451-b0f3-8596147af15c;numgroups=1;iss=https://sts.windows.net/d373cb19-d4db-4f95-aedf-363199c531aa/
    Vault: rlsfc01201xxxxxxx;location=westeurope
       at Microsoft.VisualStudio.Azure.Fabric.Shared.ServiceManagement.ServiceManagementClient.<UpdateAsync>d__13.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---

Steps to Reproduce

  1. Launch Visual Studio 2019
  2. Load the project
  3. Try to publish the service
  4. Select the "Create new cluster"
  5. Define your cluster settings
  6. Click on "Create..."
  7. Check out the Service Fabric Cluster Creation output

Context (Environment)

Visual Studio :

Version 16.3.7
.NET Framework 4.8.03752
Azure Service Fabric Tools for Visual Studio 16.0
Microsoft Azure Tools 2.9

Azure Role (RBAC):

Azure Subscription Owner

Operating System :

Windows 10 1903 (up-to-date)

ravipal commented 4 years ago

I tried it on my subscription and it works fine. Looks like some permission issue.

The create cluster creates a key vault with all access enabled for the current user. Then it creates the certificate on this key vault. In your case, the key vault rejected the certificate creation request because the user didn't have access to create the certificate. Using the portal, can you please check the "Access Policies" for certificate?

  1. Select the key vault 'rlsfc0120xxxxx'
  2. Select 'Access Policies' from left side blade.
  3. Select the drop down 'Certificate Permissions' and you should see something like below. [image]

ravipal commented 4 years ago

Please ignore my previous comment. I am able to reproduce the issue with another account. Will update this thread once I have more information.

rlevchenko commented 4 years ago

Any updates?

ravipal commented 4 years ago

@rlevchenko, it is a bug/regression in a recent build with a non-work or non-school account. The access policy configuration of the key vault didn't grant access to the current user, hence this error. I am working on a fix and it should be available in 16.5 Preview 2, expected to release in January. As a workaround, please use the Azure portal to create the cluster.
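
For anyone triaging the same `Forbidden` response, the caller's object ID from the error can be checked against the vault's access policy list. The sketch below is an added example, not part of the thread and not Microsoft's code; `parse_caller`, `diagnose` and `SAMPLE_POLICIES` are hypothetical names, and the policy list is constructed sample data in the shape of a vault's `accessPolicies` property.

```python
import json
import re

# Error text as reported in this issue (vault name already redacted there).
ERROR_TEXT = (
    "Access denied. Caller was not found on any access policy.\r\n"
    "Caller: appid=872cd9fa-d31f-45e0-9eab-6e460a02d1f1;"
    "oid=3d515bc2-35a9-4451-b0f3-8596147af15c;numgroups=1;"
    "iss=https://sts.windows.net/d373cb19-d4db-4f95-aedf-363199c531aa/\r\n"
    "Vault: rlsfc0120xxxxxx;location=westeurope"
)

# Constructed sample: the objectId is made up and differs from the caller's oid.
SAMPLE_POLICIES = json.loads("""[
  {"tenantId": "d373cb19-d4db-4f95-aedf-363199c531aa",
   "objectId": "00000000-0000-0000-0000-000000000001",
   "permissions": {"certificates": ["get", "list", "create"]}}
]""")

def parse_caller(error_text):
    """Extract caller identity and vault from a Key Vault 'Forbidden' message."""
    fields = {}
    for line in re.split(r"\r?\n", error_text):
        label, _, rest = line.partition(": ")
        if label not in ("Caller", "Vault"):
            continue
        parts = rest.split(";")
        if label == "Vault":
            fields["vault"] = parts.pop(0)  # first item is the bare vault name
        for part in parts:
            key, _, value = part.partition("=")
            fields[key] = value
    # The issuer URL ends with the tenant ID the token was issued by.
    fields["tenant"] = fields.get("iss", "").rstrip("/").rsplit("/", 1)[-1]
    return fields

def diagnose(error_text, policies, needed="create"):
    """Explain why the certificate operation was denied for this caller."""
    caller = parse_caller(error_text)
    for policy in policies:
        if policy["objectId"].lower() != caller.get("oid", "").lower():
            continue
        if policy["tenantId"].lower() != caller["tenant"].lower():
            return "policy exists for oid but under a different tenant"
        granted = [p.lower() for p in policy.get("permissions", {}).get("certificates", [])]
        return "allowed" if needed in granted or "all" in granted else "policy lacks '%s'" % needed
    return "no access policy for oid %s on vault %s" % (caller.get("oid"), caller.get("vault"))
```

With the sample data, `diagnose(ERROR_TEXT, SAMPLE_POLICIES)` reports that no policy exists for the caller's `oid`, which matches the "Caller was not found on any access policy" message in the report.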

mimckitt commented 4 years ago

@ravipal I added a note to this doc

https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-tutorial-deploy-app-to-party-cluster

We had some users encounter this issue. Let us know once a fix is deployed and I will also update the tutorial.

ravipal commented 4 years ago

The fix is in 16.5 Preview.