#general

icy-dress-83371

05/08/2019, 2:59 PM
Anyone having issues setting up an aks cluster in azure? I manually created a service principal for pulumi to run as, it's got all the permissions i can find but i get this when i try to create a new SP with pulumi
SP creating error: Plan apply failed: graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-05-07T14:22:29","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"6df1d82f-17bb-48da-94d7-8dd03e6a39fa"}}]

creamy-potato-29402

05/08/2019, 5:31 PM
@icy-dress-83371 I believe this is a race in Azure. Let me dig up the bug.
You can work around by running `pulumi up` a second time though.
cc @narrow-area-11460 this is the bug I mentioned earlier

narrow-area-11460

05/08/2019, 5:36 PM
@icy-dress-83371 @creamy-potato-29402 I have been hitting this issue myself -- the error shows up differently for me
"Error: Code="ServicePrincipalNotFound" Message="Service principal clientID: 7cab766e-e8f7-481c-a2a2-f8ec4f642656 not found in Active Directory tenant 706143bc-e1d4-4593-aee2-c9dc60ab9be7"
basically it is a race condition where the Service Principal required by the AKS cluster is not being created on time by the AD and hence AKS cluster creation fails.
someone in TF issued a workaround (this is specific to role assignment but the underlying issue is the same): https://github.com/terraform-providers/terraform-provider-azurerm/pull/2204 however it does not work -- will reopen the issue and the issue on our side that was previously closed to track this https://github.com/pulumi/pulumi-azure/issues/103

icy-dress-83371

05/08/2019, 5:45 PM
This seems to be a different issue, my issue was that the service principal I created does not seem to have the permissions to create another service principal. @creamy-potato-29402 @narrow-area-11460

narrow-area-11460

05/08/2019, 5:47 PM
should be tied to the same race condition - mind sharing your `index.ts` file
will look into it and revert back

icy-dress-83371

05/08/2019, 5:53 PM

white-balloon-205

05/08/2019, 6:25 PM
I do not believe the issue @icy-dress-83371 is hitting is the same issue that @narrow-area-11460 and @creamy-potato-29402 are referring to.
Insufficient privileges to complete the operation.
This suggests that the service principal does not have some permission needed for AKS. I suspect it's related to https://github.com/Azure/AKS/issues/149#issuecomment-361445681?