https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# azure
s
This message was deleted.
c
Or if someone knows a different approach I’m all ears
m
can you do it by hand vi the 
az
cli in the terminal?
c
Yes on my local environment I can
So the script is valid
m
and 
az account list -o table
gives the subscription id back
you are passing to the Pu program?
c
On my local machine yes, if I do this with the AzureCLI it doesnt work
this doesn’t make sense …. i’ve changed nothing and now it works …
👀 1
m
check the permission
of the identity
IMH 
managed-identity
is missing some Roles / Permissions
I gave my identiy Contributor on scope Resource
c
Ow wait i’ve added the the role assignment with role “Contributor” manually in the portal …
Can you provide me an example of how you did that using pulumi ?
m
yes!
Copy code
authorization.NewRoleAssignment(ctx, "script-image-role", &authorization.RoleAssignmentArgs{
			PrincipalId:      script.PrincipalId,
			PrincipalType:    pulumi.String("ServicePrincipal"),
			Scope:            resourceGroup.ID(),
			RoleDefinitionId: pulumi.Sprintf("/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", config.Get(ctx, "subscription")),
		})
c
I guess I was missing that memo 😄
Thanks I will continue from here hehe
m
I swear I wrote it! 😄
c
Yes you did … my brain just missed it 😄
m
Hope you are unblocked now!
c
Yes hope so too … better go to bed and be fresh tomorrow 😂
Pulumi is consuming all my attention 😂
pulumipus flying at rest 1
😅 1
Copy code
/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
what’s the last guid in this string ?
I guess it’s the guid of the “Contributor” role … 🙂
👍 1
m
yes
c
autorest/azure: Service returned an error. Status=403 Code=“AuthorizationFailed” Message=“The client ‘48a5fa47-506d-41a4-b4d4-b13322fb86bc’ with object id ‘48a5fa47-506d-41a4-b4d4-b13322fb86bc’ does not have authorization to perform action ‘Microsoft.Authorization/roleAssignments/write’ over scope ‘/subscriptions/86dd5127-019e-4f9a-a861-6ab01aefaaa4/resourceGroups/test-food/providers/Microsoft.Authorization/roleAssignments/b019acfc-ad5b-1d3b-f187-a307c2cda82c’ or the scope is invalid. If access was recently granted, please refresh your credentials.
😞
Copy code
const managedIdentity = new UserAssignedIdentity("managed-identity", {
    location: resourceGroup.location,
    resourceGroupName: resourceGroup.name,
    resourceName: `${env}-managed-identity-food`,
    tags: {
        ...tags,
        domain: 'food'
    }
})

// role assignment
const roleAssignment = new authorization.RoleAssignment("roleAssignment", {
    principalId: managedIdentity.principalId,
    principalType: "ServicePrincipal",
    scope: resourceGroup.id,
    roleDefinitionId: pulumi.interpolate `/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"`
}, {
    dependsOn: [managedIdentity]
});
m
ok, maybe the SP you have has not the rights to do this. You cant grant higher rights you don't have neither
Had this every time in Kubernetes with service account 😄
c
Running my pulumi runs under a SP with “Contribitor” role …
Are you saying that someone with “Contributor” role is not able to assign a new SP the same “Contributor” role ?
m
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC,
c
lol
Guess the documentation is saying that aswel 😄
m
You could give your user Owner 😄
c
Guess that’s the only option here … 🙂
w
@many-telephone-49025 I am having this same issue and its stumping me. When I run a command via the azure CLI az logged in as myself it works fine, but when I run it with pulumi it fails saying I dont have access. Why can I do it via the CLI but not with Pulumi?
In pulumi it fails when runs under the AzureCliScript method
m
The question is, can the identity use all Graph API calls.
You as maybe Owner of the subscription can call az account ...
but maybe not the identity. So worth to check what Role you may need to assign to the identity/service principal to access this parts of the Azure API
w
so Pulumi uses Graph API to call the command?
m
No, it uses the credentials you provided to deploy.
But AzureCLIScript runs on Azure in a container. And then it depends what the service principal is allowed to do
w
How would we see what service principal is being used?
because I am the authenticated user for the azure CLI so shouldn't it be using my permissions?
m
We should maybe schedule a call!
w
that would be amazing if thats something you are willing to do
id be very grateful hah, I think a lot of the problem I am having is just not familiar with how Pulumi works on the backend with Azure. It would probably make everything make sense.
m
my mail is engin (at) pulumi.com
w
@many-telephone-49025 what timezone are you located in?
m
Germany!
so CET
268 Views
Open in Slack
PreviousNext
Powered by