# azure
c
Is there someone who can help me set up my pulumi script with AzureCliScript? The DeploymentScript is created but it keeps telling me that the Subscription ‘XXX’ is not recognized … which for some reason I think has something to do with the “identity” property I set, which is not good …. my code looks like this
// Imports added so the snippet compiles on its own (assumed azure-native package layout)
import * as pulumi from "@pulumi/pulumi";
import * as resources from "@pulumi/azure-native/resources";
import * as storage from "@pulumi/azure-native/storage";
import { UserAssignedIdentity } from "@pulumi/azure-native/managedidentity";

const env = pulumi.getStack(); // assumed: `env` was defined elsewhere in the original program
const subscriptionId = 'MY_SUBSCRIPTION_ID';

// create food resource group
const resourceGroup = new resources.ResourceGroup(`${env}-test`, {
    resourceGroupName: `${env}-test`, // physical name
});


// create sftp
const storageAccount = new storage.StorageAccount("sftp", {
    resourceGroupName: resourceGroup.name,
    sku: {
        name: storage.SkuName.Standard_LRS,
    },
    kind: storage.Kind.StorageV2,
    isHnsEnabled: true, // needed for sftp
    accessTier: storage.AccessTier.Hot
});

// user-assigned identity that the deployment script will run as
const managedIdentity = new UserAssignedIdentity("managed-identity", {
    resourceGroupName: resourceGroup.name,
    resourceName: `managed-identity`
})

// userAssignedIdentities expects a map keyed by the identity's resource id
const getId = (id: string) => {
    const dict: {[key: string]: object} = {};
    dict[id] = {};
    return dict;
}


// native azure does not support creation of sftp enabled storage account,
// therefore this needs to be created
const azureCliEnableSftp = new resources.AzureCliScript("enable-sftp-storage-account", {
    location: resourceGroup.location,
    resourceGroupName: resourceGroup.name,
    identity: {
        type: resources.ManagedServiceIdentityType.UserAssigned,
        userAssignedIdentities: managedIdentity.id.apply(id => {
            console.info(getId(id));
            return getId(id);
        })
    },
    azCliVersion: "2.42.0",
    kind: "AzureCLI",
    retentionInterval: "P1D",
    scriptContent: pulumi.interpolate `az storage account update --subscription=${subscriptionId} --resource-group=${resourceGroup.name} --name=${storageAccount.name} --enable-sftp=true --enable-local-user=true`
    // scriptContent: pulumi.interpolate `pwd`
});
When I execute my WebDeployment in Azure it returns the following output:
Adding certificates not required Registering and setting the cloud Cloud is already registered Registering and setting the cloud completed WARNING: Subscription 'XXX' not recognized. ERROR: Subscription 'XXX' not found. Check the spelling and casing and try again.
That said, I also created a Service Principal with role “Director” which I use for pulumi itself, which is registered in my “Active Directory/App Registrations” and which I prefer to use for this … the only problem is that I do not know how to assign this to my AzureCliScript
Or if someone knows a different approach I’m all ears
m
can you do it by hand via the az cli in the terminal?
c
Yes on my local environment I can
So the script is valid
m
and `az account list -o table` gives the subscription id back you are passing to the Pu program?
c
On my local machine yes, if I do this with the AzureCLI it doesn’t work
this doesn’t make sense …. i’ve changed nothing and now it works …
m
check the permission of the identity. IMHO managed-identity is missing some Roles / Permissions
I gave my identity Contributor on scope Resource
c
Oh wait, I’ve added the role assignment with role “Contributor” manually in the portal …
Can you provide me an example of how you did that using pulumi?
m
yes!
// "script" is the AzureCliScript resource; the role definition GUID is the built-in Contributor role
authorization.NewRoleAssignment(ctx, "script-image-role", &authorization.RoleAssignmentArgs{
	PrincipalId:      script.PrincipalId,
	PrincipalType:    pulumi.String("ServicePrincipal"),
	Scope:            resourceGroup.ID(),
	RoleDefinitionId: pulumi.Sprintf("/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", config.Get(ctx, "subscription")),
})
c
I guess I was missing that memo 😄
Thanks I will continue from here hehe
m
I swear I wrote it! 😄
c
Yes you did … my brain just missed it 😄
m
Hope you are unblocked now!
c
Yes hope so too … better go to bed and be fresh tomorrow 😂
Pulumi is consuming all my attention 😂
/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
what’s the last guid in this string?
I guess it’s the guid of the “Contributor” role … 🙂
m
yes
c
autorest/azure: Service returned an error. Status=403 Code=“AuthorizationFailed” Message=“The client ‘48a5fa47-506d-41a4-b4d4-b13322fb86bc’ with object id ‘48a5fa47-506d-41a4-b4d4-b13322fb86bc’ does not have authorization to perform action ‘Microsoft.Authorization/roleAssignments/write’ over scope ‘/subscriptions/86dd5127-019e-4f9a-a861-6ab01aefaaa4/resourceGroups/test-food/providers/Microsoft.Authorization/roleAssignments/b019acfc-ad5b-1d3b-f187-a307c2cda82c’ or the scope is invalid. If access was recently granted, please refresh your credentials.
😞
// Imports added so the snippet compiles on its own (assumed azure-native package layout);
// resourceGroup, subscriptionId, env and tags are defined earlier in the program
import * as pulumi from "@pulumi/pulumi";
import * as authorization from "@pulumi/azure-native/authorization";
import { UserAssignedIdentity } from "@pulumi/azure-native/managedidentity";

const managedIdentity = new UserAssignedIdentity("managed-identity", {
    location: resourceGroup.location,
    resourceGroupName: resourceGroup.name,
    resourceName: `${env}-managed-identity-food`,
    tags: {
        ...tags,
        domain: 'food'
    }
})

// role assignment (Contributor, scoped to the resource group)
const roleAssignment = new authorization.RoleAssignment("roleAssignment", {
    principalId: managedIdentity.principalId,
    principalType: "ServicePrincipal",
    scope: resourceGroup.id,
    // stray trailing quote removed from the role definition id
    roleDefinitionId: pulumi.interpolate `/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c`
}, {
    dependsOn: [managedIdentity]
});
m
ok, maybe the SP you have doesn't have the rights to do this. You can't grant higher rights than you have yourself either
Had this every time in Kubernetes with service accounts 😄
c
Running my pulumi runs under a SP with “Contributor” role …
Are you saying that someone with “Contributor” role is not able to assign a new SP the same “Contributor” role?
m
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC,
c
lol
Guess the documentation is saying that as well 😄
m
You could give your user Owner 😄
c
Guess that’s the only option here … 🙂
w
@many-telephone-49025 I am having this same issue and it's stumping me. When I run a command via the Azure CLI az logged in as myself it works fine, but when I run it with pulumi it fails saying I don't have access. Why can I do it via the CLI but not with Pulumi?
In pulumi it fails when it runs under the AzureCliScript method
m
The question is, can the identity use all Graph API calls.
You as maybe Owner of the subscription can call az account ...
but maybe not the identity. So it's worth checking what Role you may need to assign to the identity/service principal to access these parts of the Azure API
w
so Pulumi uses Graph API to call the command?
m
No, it uses the credentials you provided to deploy.
But AzureCLIScript runs on Azure in a container. And then it depends on what the service principal is allowed to do
w
How would we see what service principal is being used?
because I am the authenticated user for the azure CLI so shouldn't it be using my permissions?
m
We should maybe schedule a call!
w
that would be amazing if that's something you are willing to do
I'd be very grateful hah, I think a lot of the problem I am having is just not being familiar with how Pulumi works on the backend with Azure. It would probably make everything make sense.
m
my mail is engin (at) pulumi.com
w
@many-telephone-49025 what timezone are you located in?
m
Germany!
so CET