pulumi / pulumi-azure-native

Azure Native Provider
Apache License 2.0

Removing a Custom azure role with pulumi azure native provider is failing #2610

Open Kmougari opened 1 year ago

Kmougari commented 1 year ago

What happened?

When trying to delete an Azure custom role using the azure native provider, the role is not deleted and we get the following error.

pulumi:pulumi:Stack foundations-sandbox failed 1 error; 1 message

Diagnostics: azure-native:authorization:RoleDefinition (rd-temp-role-for-testing-contributor): error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'XXXXXXXX with object id 'XXXXXXXXX does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/delete' over scope '/providers/Microsoft.Authorization/roleDefinitions/XXXXX' or the scope is invalid. If access was recently granted, please refresh your credentials."

We have tested with azure classic provider and it is working.

Please note that the custom role is set at a management group level scope and the provider is configured to authenticate to one of the subscriptions. We have tested authentication directly at the tenant level and it is also failing.

Expected Behavior

Should be able to remove role with azure native

Steps to reproduce

Create a custom role at management group level and try to delete it with the pulumi azure native provider.

Output of pulumi about

(screenshot of the pulumi about output, not captured)

Additional context

No response


Kmougari commented 1 year ago

Please note that this has been tested with Azure native provider v2.X.X and we still have the same problem.

thomas11 commented 1 year ago

Hi @Kmougari! Can you share more about how authentication is configured in both providers? Note that Azure Native will not re-use the configuration of Azure Classic, except certain environment variables. You have to set any azure:... configuration again as azure-native:....

Kmougari commented 1 year ago

Find below the configuration:

$ pulumi config
KEY                          VALUE
azure:location               FranceCentral
azure:subscriptionId         XXXX
azure:tenantId               XXX
azure-native:location        FranceCentral
azure-native:subscriptionId  XXXXX
azure-native:tenantId        XXXXX

I cannot share the ids, but the subscriptionId is the same for azure classic as for azure native.

Kmougari commented 1 year ago

for your information @thomas11

Kmougari commented 1 year ago

Any feedback on this @thomas11 ?

Kmougari commented 1 year ago

Can we have an update on this please ? @thomas11

Kmougari commented 1 year ago

No update on this ?

thomas11 commented 10 months ago

Hi @Kmougari, apologies that we dropped this issue. Is it still relevant to you? If so, I'd need to know more about how you authenticate. The tenantId configuration you shared is part of it but not sufficient. Which of the methods described here are you trying to use?

Kmougari commented 9 months ago

Hi @thomas11, yes it is still relevant. We are authenticating using an SP.

thomas11 commented 9 months ago

Thanks @Kmougari. Some more questions:

  1. Did you create this role using the azure native provider?
  2. Can you share the Scope of the role?

It would be much easier to diagnose the problem if you could share a complete Pulumi program that shows the issue.

smainil commented 4 days ago

@thomas11 Sorry for the late response. I am taking up this topic for our team instead of @Kmougari.

Here is a code example (TypeScript) to reproduce the issue:

import * as authorization from "@pulumi/azure-native/authorization";

// Custom role whose only assignable scope is a management group.
// The role definition itself is created at that same management group scope.
new authorization.RoleDefinition(
    'rd-custom-role',
    {
        roleDefinitionId: '78adfc5f-848b-40ae-9ee9-d00c49d8dd83',
        roleName: 'Custom Role on MG',
        assignableScopes: ['/providers/Microsoft.Management/managementGroups/mg-xxx'],
        permissions: [
            {
                actions: ['*/read'],
                notActions: [],
            },
        ],
        scope: '/providers/Microsoft.Management/managementGroups/mg-xxx'
    }
)

After the pulumi up, the custom role is created correctly. (screenshot not captured)

Here is the stack export of that resource:

{
    "urn": "urn:pulumi:dev::cpa-2960-smi::azure-native:authorization:RoleDefinition::rd-custom-role",
    "custom": true,
    "id": "/providers/Microsoft.Authorization/roleDefinitions/78adfc5f-848b-40ae-9ee9-d00c49d8dd83",
    "type": "azure-native:authorization:RoleDefinition",
    "inputs": {
        "assignableScopes": [
            "/providers/Microsoft.Management/managementGroups/mg-xxx"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read"
                ],
                "notActions": []
            }
        ],
        "roleDefinitionId": "78adfc5f-848b-40ae-9ee9-d00c49d8dd83",
        "roleName": "Custom Role on MG",
        "scope": "/providers/Microsoft.Management/managementGroups/mg-xxxx"
    },
    "outputs": {
        "__inputs": {
            "4dabf18193072939515e22adb298388d": "xxxxx",
            "ciphertext": "xxxx=="
        },
        "assignableScopes": [
            "/providers/Microsoft.Management/managementGroups/mg-xxx"
        ],
        "createdBy": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "createdOn": "2024-11-19T07:27:21.9519058Z",
        "id": "/providers/Microsoft.Authorization/roleDefinitions/78adfc5f-848b-40ae-9ee9-d00c49d8dd83",
        "name": "78adfc5f-848b-40ae-9ee9-d00c49d8dd83",
        "permissions": [
            {
                "actions": [
                    "*/read"
                ],
                "dataActions": [],
                "notActions": [],
                "notDataActions": []
            }
        ],
        "roleName": "Custom Role on MG",
        "type": "Microsoft.Authorization/roleDefinitions",
        "updatedBy": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "updatedOn": "2024-11-19T07:27:21.9519058Z"
    }
}

But when I try to delete the custom role (pulumi destroy, or removing the role definition from my code), I receive the error message already provided by Kamel:

Updating (dev)

View in Browser (Ctrl+O): https://app.pulumi.com/xxx/cpa-2960-smi/dev/updates/20

     Type                                          Name              Status                  Info
     pulumi:pulumi:Stack                           cpa-2960-smi-dev  **failed**              1 error
 -   └─ azure-native:authorization:RoleDefinition  rd-custom-role    **deleting failed**     1 error

Diagnostics:
  pulumi:pulumi:Stack (cpa-2960-smi-dev):
    error: update failed

  azure-native:authorization:RoleDefinition (rd-custom-role):
    error: DELETE https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions/78adfc5f-848b-40ae-9ee9-d00c49d8dd83
    --------------------------------------------------------------------------------
    RESPONSE 403: 403 Forbidden
    ERROR CODE: AuthorizationFailed
    --------------------------------------------------------------------------------
    {
      "error": {
        "code": "AuthorizationFailed",
        "message": "The client 'yyyyyyy' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/delete' over scope '/providers/Microsoft.Authorization/roleDefinitions/78adfc5f-848b-40ae-9ee9-d00c49d8dd83' or the scope is invalid. If access was recently granted, please refresh your credentials."
      }
    }
    --------------------------------------------------------------------------------

I ran the pulumi actions using my account, which has "User Access Administrator" on the management group targeted by the scope, but the same problem is encountered if we run the pulumi actions using a service principal.

λ pulumi about
CLI          
Version      3.134.1
Go Version   go1.23.1
Go Compiler  gc

Plugins
KIND      NAME          VERSION
resource  azure         6.9.0
resource  azure-native  2.72.0
language  nodejs        unknown
resource  random        4.16.7

Host     
OS       darwin
Version  14.6.1
Arch     x86_64
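The diagnostic above shows a DELETE against /providers/Microsoft.Authorization/roleDefinitions/{id} with no management-group prefix, while the role was created at a management-group scope, and the stored "id" in the stack export has the same unscoped shape. The following is an added triage helper, not code from pulumi-azure-native or from the reporters; it assumes (not confirmed in this thread) that a role definition created at a management-group scope must be addressed with that scope, and it only checks whether the exported resource id and the logged DELETE URL carry the scope. The interface and function names are hypothetical, and the sample data is constructed to mirror the redacted export above.

```typescript
// Added diagnostic, not pulumi-azure-native code. ASSUMPTION: the role definition must be
// addressed as <scope>/providers/Microsoft.Authorization/roleDefinitions/<roleDefinitionId>.
interface RoleDefinitionExport {
  id: string;
  inputs: { scope: string; roleDefinitionId: string; assignableScopes: string[] };
}

const ROLE_DEFS = "/providers/Microsoft.Authorization/roleDefinitions/";

// Scoped ARM id built from the resource inputs (trailing slashes on scope tolerated).
function expectedScopedId(r: RoleDefinitionExport): string {
  return r.inputs.scope.replace(/\/+$/, "") + ROLE_DEFS + r.inputs.roleDefinitionId;
}

interface Finding { ok: boolean; expected: string; reasons: string[] }

// Compare the id Pulumi stored with the scoped id, and sanity-check the scope/assignableScopes pair.
function checkRoleDefinition(r: RoleDefinitionExport): Finding {
  const expected = expectedScopedId(r);
  const reasons: string[] = [];
  if (r.id !== expected) reasons.push(`stored id is unscoped: ${r.id}`);
  if (!r.inputs.assignableScopes.includes(r.inputs.scope))
    reasons.push(`scope ${r.inputs.scope} is not listed in assignableScopes`);
  return { ok: reasons.length === 0, expected, reasons };
}

// Pull the DELETE URL out of a Pulumi diagnostic line and test whether its path starts with
// the management-group scope. Returns null when the line carries no DELETE URL at all.
function deleteUrlIsScoped(line: string, scope: string): boolean | null {
  const url = /DELETE\s+(https?:\/\/\S+)/.exec(line)?.[1];
  if (!url) return null;
  return new URL(url).pathname.startsWith(scope.replace(/\/+$/, "") + "/");
}

// Constructed sample mirroring the stack export and the diagnostic in this thread (ids redacted).
const sampleExport: RoleDefinitionExport = {
  id: "/providers/Microsoft.Authorization/roleDefinitions/78adfc5f-848b-40ae-9ee9-d00c49d8dd83",
  inputs: {
    scope: "/providers/Microsoft.Management/managementGroups/mg-xxx",
    roleDefinitionId: "78adfc5f-848b-40ae-9ee9-d00c49d8dd83",
    assignableScopes: ["/providers/Microsoft.Management/managementGroups/mg-xxx"],
  },
};
const sampleDeleteLine =
  "error: DELETE https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions/78adfc5f-848b-40ae-9ee9-d00c49d8dd83";

const finding = checkRoleDefinition(sampleExport);
console.log(finding.ok ? "stored id is scoped" : finding.reasons.join("; "), "| expected:", finding.expected);
console.log("DELETE URL scoped:", deleteUrlIsScoped(sampleDeleteLine, sampleExport.inputs.scope));
```

Run it against your own pulumi stack export JSON and the "error: DELETE ..." line from the update log; if the stored id is unscoped while the DELETE URL is also unscoped, that is the mismatch worth attaching to the issue.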