Is there someone who can help me setting up my pulumi script with AzureCliScript ? the DeploymentScript is created but it keeps telling me that the Subscription ‘XXX’ is not recognized … which for some reason I think it has something to do with my “identity” property I set which is not good …. my code looks like this

const subscriptionId = 'MY_SUBSCRIPTION_ID';

// create food resource group
const resourceGroup = new resources.ResourceGroup(`${env}-test`, {
    resourceGroupName: `${env}-test`, // physical name
});


// create sftp
const storageAccount = new storage.StorageAccount("sftp", {
    resourceGroupName: resourceGroup.name,
    sku: {
        name: storage.SkuName.Standard_LRS,
    },
    kind: storage.Kind.StorageV2,
    isHnsEnabled: true, // needed for sftp
    accessTier: storage.AccessTier.Hot
});

// get
const managedIdentity = new UserAssignedIdentity("managed-identity", {
    resourceGroupName: resourceGroup.name,
    resourceName: `managed-identity`
})

const getId = (id: string) => {
    const dict: {[key: string]: object} = {};
    dict[id] = {};
    return dict;
}


// native azure does not support creation of sftp enabled storage account,
// therefore this needs to be created
const azureCliEnableSftp = new resources.AzureCliScript("enable-sftp-storage-account", {
    location: resourceGroup.location,
    resourceGroupName: resourceGroup.name,
    identity: {
        type: resources.ManagedServiceIdentityType.UserAssigned,
        userAssignedIdentities: managedIdentity.id.apply(id => {
            <http://console.info|console.info>(getId(id));
            return getId(id);
        })
    },
    azCliVersion: "2.42.0",
    kind: "AzureCLI",
    retentionInterval: "P1D",
    scriptContent: pulumi.interpolate `az storage account update --subscription=${subscriptionId} --resource-group=${resourceGroup.name} --name=${storageAccount.name} --enable-sftp=true --enable-local-user=true`
    // scriptContent: pulumi.interpolate `pwd`
});

When execute my WebDesployment in azure returns the folloing output:

Adding certificates not required Registering and setting the cloud Cloud is already registered Registering and setting the cloud completed WARNING: Subscription 'XXX' not recognized. ERROR: Subscription 'XXX' not found. Check the spelling and casing and try again.

That said, I also created a Service Principe with role “Director” which I use for pulumi itself which is registered in my “Active Directory/App Registrations” which I prefer to use for this … only problem is that I do not know how to assign this to my AzureCliScript

can you do it by hand vi the

az

cli in the terminal?

Yes on my local environment I can

and

az account list -o table

gives the subscription id back

On my local machine yes, if I do this with the AzureCLI it doesnt work

check the permission

Ow wait i’ve added the the role assignment with role “Contributor” manually in the portal …

yes!

authorization.NewRoleAssignment(ctx, "script-image-role", &authorization.RoleAssignmentArgs{
			PrincipalId:      script.PrincipalId,
			PrincipalType:    pulumi.String("ServicePrincipal"),
			Scope:            resourceGroup.ID(),
			RoleDefinitionId: pulumi.Sprintf("/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", config.Get(ctx, "subscription")),
		})

I guess I was missing that memo 😄

I swear I wrote it! 😄

Yes you did … my brain just missed it 😄

Hope you are unblocked now!

Yes hope so too … better go to bed and be fresh tomorrow 😂

yes

autorest/azure: Service returned an error. Status=403 Code=“AuthorizationFailed” Message=“The client ‘48a5fa47-506d-41a4-b4d4-b13322fb86bc’ with object id ‘48a5fa47-506d-41a4-b4d4-b13322fb86bc’ does not have authorization to perform action ‘Microsoft.Authorization/roleAssignments/write’ over scope ‘/subscriptions/86dd5127-019e-4f9a-a861-6ab01aefaaa4/resourceGroups/test-food/providers/Microsoft.Authorization/roleAssignments/b019acfc-ad5b-1d3b-f187-a307c2cda82c’ or the scope is invalid. If access was recently granted, please refresh your credentials.

ok, maybe the SP you have has not the rights to do this. You cant grant higher rights you don't have neither

Running my pulumi runs under a SP with “Contribitor” role …

Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC,

lol

You could give your user Owner 😄

Guess that’s the only option here … 🙂

@many-telephone-49025 I am having this same issue and its stumping me. When I run a command via the azure CLI az logged in as myself it works fine, but when I run it with pulumi it fails saying I dont have access. Why can I do it via the CLI but not with Pulumi?

The question is, can the identity use all Graph API calls.

so Pulumi uses Graph API to call the command?

No, it uses the credentials you provided to deploy.

How would we see what service principal is being used?

We should maybe schedule a call!

that would be amazing if thats something you are willing to do

my mail is engin (at) pulumi.com

@many-telephone-49025 what timezone are you located in?

Germany!