
cold-motherboard-88215

12/06/2022, 6:18 PM
Is there someone who can help me set up my pulumi script with AzureCliScript? The DeploymentScript is created, but it keeps telling me that the Subscription ‘XXX’ is not recognized … which for some reason I think has something to do with the “identity” property I set, which is not good …. My code looks like this:
import * as pulumi from "@pulumi/pulumi";
import * as resources from "@pulumi/azure-native/resources";
import * as storage from "@pulumi/azure-native/storage";
import { UserAssignedIdentity } from "@pulumi/azure-native/managedidentity";

// `env` is assumed to be defined elsewhere in the program (e.g. from stack config)
const subscriptionId = 'MY_SUBSCRIPTION_ID';

// create food resource group
const resourceGroup = new resources.ResourceGroup(`${env}-test`, {
    resourceGroupName: `${env}-test`, // physical name
});


// create sftp
const storageAccount = new storage.StorageAccount("sftp", {
    resourceGroupName: resourceGroup.name,
    sku: {
        name: storage.SkuName.Standard_LRS,
    },
    kind: storage.Kind.StorageV2,
    isHnsEnabled: true, // needed for sftp
    accessTier: storage.AccessTier.Hot
});

// get
const managedIdentity = new UserAssignedIdentity("managed-identity", {
    resourceGroupName: resourceGroup.name,
    resourceName: `managed-identity`
})

const getId = (id: string) => {
    const dict: {[key: string]: object} = {};
    dict[id] = {};
    return dict;
}


// native azure does not support creation of sftp enabled storage account,
// therefore this needs to be created
const azureCliEnableSftp = new resources.AzureCliScript("enable-sftp-storage-account", {
    location: resourceGroup.location,
    resourceGroupName: resourceGroup.name,
    identity: {
        type: resources.ManagedServiceIdentityType.UserAssigned,
        userAssignedIdentities: managedIdentity.id.apply(id => {
            console.info(getId(id)); // log the userAssignedIdentities map for debugging
            return getId(id);
        })
    },
    azCliVersion: "2.42.0",
    kind: "AzureCLI",
    retentionInterval: "P1D",
    scriptContent: pulumi.interpolate `az storage account update --subscription=${subscriptionId} --resource-group=${resourceGroup.name} --name=${storageAccount.name} --enable-sftp=true --enable-local-user=true`
    // scriptContent: pulumi.interpolate `pwd`
});
When I execute my WebDeployment in Azure, it returns the following output:
Adding certificates not required Registering and setting the cloud Cloud is already registered Registering and setting the cloud completed WARNING: Subscription 'XXX' not recognized. ERROR: Subscription 'XXX' not found. Check the spelling and casing and try again.
That said, I also created a Service Principal with role “Director” which I use for pulumi itself, and which is registered in my “Active Directory/App Registrations”. I would prefer to use that for this … the only problem is that I do not know how to assign it to my AzureCliScript.
Or if someone knows a different approach I’m all ears

many-telephone-49025

12/06/2022, 7:09 PM
can you do it by hand via the az cli in the terminal?

cold-motherboard-88215

12/06/2022, 7:09 PM
Yes, on my local environment I can.
So the script is valid.

many-telephone-49025

12/06/2022, 7:10 PM
and `az account list -o table` gives back the subscription id you are passing to the Pulumi program?

cold-motherboard-88215

12/06/2022, 7:10 PM
On my local machine yes; if I do this with the AzureCLI it doesn't work.
This doesn't make sense …. I've changed nothing and now it works …

many-telephone-49025

12/06/2022, 7:12 PM
check the permission of the identity
IMHO managed-identity is missing some Roles / Permissions
I gave my identity Contributor on scope Resource

cold-motherboard-88215

12/06/2022, 7:14 PM
Oh wait, I've added the role assignment with role “Contributor” manually in the portal …
Can you provide me an example of how you did that using pulumi?

many-telephone-49025

12/06/2022, 7:15 PM
yes!
authorization.NewRoleAssignment(ctx, "script-image-role", &authorization.RoleAssignmentArgs{
	PrincipalId:      script.PrincipalId,
	PrincipalType:    pulumi.String("ServicePrincipal"),
	Scope:            resourceGroup.ID(),
	RoleDefinitionId: pulumi.Sprintf("/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", config.Get(ctx, "subscription")),
})

cold-motherboard-88215

12/06/2022, 7:15 PM
I guess I was missing that memo 😄
Thanks I will continue from here hehe

many-telephone-49025

12/06/2022, 7:16 PM
I swear I wrote it! 😄

cold-motherboard-88215

12/06/2022, 7:16 PM
Yes you did … my brain just missed it 😄

many-telephone-49025

12/06/2022, 7:16 PM
Hope you are unblocked now!

cold-motherboard-88215

12/06/2022, 7:21 PM
Yes hope so too … better go to bed and be fresh tomorrow 😂
Pulumi is consuming all my attention 😂
/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
What's the last guid in this string?
I guess it's the guid of the “Contributor” role … 🙂

many-telephone-49025

12/06/2022, 8:06 PM
yes

cold-motherboard-88215

12/06/2022, 8:07 PM
autorest/azure: Service returned an error. Status=403 Code=“AuthorizationFailed” Message=“The client ‘48a5fa47-506d-41a4-b4d4-b13322fb86bc’ with object id ‘48a5fa47-506d-41a4-b4d4-b13322fb86bc’ does not have authorization to perform action ‘Microsoft.Authorization/roleAssignments/write’ over scope ‘/subscriptions/86dd5127-019e-4f9a-a861-6ab01aefaaa4/resourceGroups/test-food/providers/Microsoft.Authorization/roleAssignments/b019acfc-ad5b-1d3b-f187-a307c2cda82c’ or the scope is invalid. If access was recently granted, please refresh your credentials.
😞
const managedIdentity = new UserAssignedIdentity("managed-identity", {
    location: resourceGroup.location,
    resourceGroupName: resourceGroup.name,
    resourceName: `${env}-managed-identity-food`,
    tags: {
        ...tags,
        domain: 'food'
    }
})

// role assignment (`authorization` is the @pulumi/azure-native/authorization module, `tags` is defined elsewhere)
const roleAssignment = new authorization.RoleAssignment("roleAssignment", {
    principalId: managedIdentity.principalId,
    principalType: "ServicePrincipal",
    scope: resourceGroup.id,
    roleDefinitionId: pulumi.interpolate `/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c` // built-in Contributor role, without the stray trailing quote
}, {
    dependsOn: [managedIdentity]
});

many-telephone-49025

12/06/2022, 8:08 PM
ok, maybe the SP you have doesn't have the rights to do this. You can't grant higher rights than you have yourself either.
Had this every time in Kubernetes with service accounts 😄

cold-motherboard-88215

12/06/2022, 8:10 PM
My pulumi runs under a SP with the “Contributor” role …
Are you saying that someone with the “Contributor” role is not able to assign a new SP the same “Contributor” role?

many-telephone-49025

12/06/2022, 8:11 PM
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC,

cold-motherboard-88215

12/06/2022, 8:12 PM
lol
Guess the documentation is saying that as well 😄

many-telephone-49025

12/06/2022, 8:13 PM
You could give your user Owner 😄

cold-motherboard-88215

12/06/2022, 8:13 PM
Guess that’s the only option here … 🙂

white-architect-1595

01/11/2023, 5:45 PM
@many-telephone-49025 I am having this same issue and it's stumping me. When I run a command via the Azure CLI (az) logged in as myself it works fine, but when I run it with pulumi it fails, saying I don't have access. Why can I do it via the CLI but not with Pulumi?
In pulumi it fails when it runs under the AzureCliScript method.

many-telephone-49025

01/11/2023, 5:53 PM
The question is whether the identity can use all Graph API calls.
You, as maybe Owner of the subscription, can call `az account ...`, but maybe the identity can't. So it's worth checking what Role you may need to assign to the identity/service principal to access these parts of the Azure API.

white-architect-1595

01/11/2023, 6:32 PM
so Pulumi uses Graph API to call the command?

many-telephone-49025

01/11/2023, 7:16 PM
No, it uses the credentials you provided to deploy.
But AzureCLIScript runs on Azure in a container. And then it depends on what the service principal is allowed to do.

white-architect-1595

01/11/2023, 8:29 PM
How would we see what service principal is being used?
Because I am the authenticated user for the Azure CLI, so shouldn't it be using my permissions?

many-telephone-49025

01/11/2023, 9:07 PM
We should maybe schedule a call!

white-architect-1595

01/11/2023, 11:05 PM
That would be amazing if that's something you are willing to do.
I'd be very grateful hah. I think a lot of the problem I am having is just not being familiar with how Pulumi works on the backend with Azure. It would probably make everything make sense.

many-telephone-49025

01/12/2023, 2:24 PM
my mail is engin (at) pulumi.com

white-architect-1595

01/12/2023, 6:45 PM
@many-telephone-49025 what timezone are you located in?

many-telephone-49025

01/12/2023, 6:45 PM
Germany!
so CET