
I am using a DevOps pipeline to update a Container App. The DevOps pipeline uses a self-hosted agent pool which uses a VMSS agent. In the pipeline CLI task I create a system-assigned managed identity for the Container App using az CLI commands, and in the next step I try to assign the AcrPull role to the Container App on a private ACR using the command below:

# $(...) are pipeline variables expanded before the script runs; $PRINCIPALID is a shell variable
# set by the previous step. No whitespace may follow a trailing backslash or the continuation breaks.
az role assignment create \
  --assignee-object-id $PRINCIPALID \
  --assignee-principal-type ServicePrincipal \
  --role AcrPull \
  --scope /subscriptions/$(SUBSCRIPTION)/resourceGroups/$(RG_NAME)/providers/Microsoft.ContainerRegistry/registries/$(acrContainerName)

I am getting this error in the DevOps console:

(AuthorizationFailed) The client '3447a78f-2d20-4a27-abcd-4050272e5946' with object id '3447a78f-2d20-4a27-abcd-4050272e5946' does not have authorization or an ABAC condition not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/12d3e9402-cddbf-4272-83b5-c479199032d6/resourceGroups/my-infra-rg/providers/Microsoft.ContainerRegistry/registries/abccacrxqkglrt4qana4/providers/Microsoft.Authorization/roleAssignments/7722b8ef0-9418-4093-z230-152e422cc29d' or the scope is invalid

I am able to do the task through my local command line, and I also have the User Access Administrator permission on the subscription. The YAML file task is as follows:

 - task: AzureCLI@2
   inputs:
     azureSubscription: $(armDeploymentServiceConnection)
     scriptType: 'bash'
     scriptLocation: 'inlineScript'

The azureSubscription contains the ARM service connection I created in DevOps for connecting to ARM.

If I search for the client ID shown in the DevOps console error in the Azure portal, the result is that it does not exist. Can anyone help here? Thanks

Coder
  • Does the identity defined in `armDeploymentServiceConnection` have the appropriate permissions? – Daniel Mann Jul 19 '23 at 16:38
  • @Daniel Mann that is a service principal defined there. I am not able to find the service principal with the client ID in the Azure portal, so I am unable to check its permissions, but the other command az containerapp identity assign succeeds – Coder Jul 19 '23 at 16:59

1 Answer


The error usually occurs if the service principal does not have the required roles or permissions to perform the action. I believe that you are searching for the ID in App registrations instead of Enterprise applications.

To find that service principal in the Azure portal, copy the client ID from the error message and search for it in Enterprise applications.

Go to Azure Portal -> Azure Active Directory -> Enterprise applications -> set the filter to All Applications -> paste the copied ID in the search bar:

[screenshot]

In your case, you need to assign the User Access Administrator role to the service principal at the required scope (subscription or resource group).

Note that you can only search by name to find the service principal when assigning the role.

[screenshot]

If you have multiple service principals with the same display name, you can either rename the service principal by modifying its properties or verify the ID while assigning the role.

Renaming the service principal from Properties:

[screenshot]

Verifying the ID while assigning the role:

[screenshot]

Sridevi
  • Thank you for your detailed steps. As there are multiple service connections created in DevOps for Docker and ARM and they have the same name in the portal, how can I know which service principal to give permission to in the portal, before getting this error which gives the object ID? – Coder Jul 20 '23 at 07:26
  • 1
    When you click on [Manage service principal](https://i.imgur.com/dfLUdKF.png) from Azure DevOps, it opens the application in the **App registrations** page of the portal. To get the object ID, click on the **Managed application** link [here](https://i.imgur.com/e4vMdVh.png). This opens the `Enterprise application` page where you can find the object ID like [this](https://i.imgur.com/EimudaH.png). – Sridevi Jul 20 '23 at 07:41
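The lookup-and-grant procedure from the answer and the follow-up comment, scripted with az CLI as an added example; it is not code from the original post or from Microsoft's documentation. It assumes az CLI 2.37 or later (where `az ad sp show` returns the object ID in the `id` field), a signed-in session that already holds Owner or User Access Administrator at or above the registry, and placeholder inputs APP_ID (the Application (client) ID shown on the service connection's Manage service principal page), SUBSCRIPTION, RG_NAME and ACR_NAME. It goes one step beyond the answer: rather than granting User Access Administrator at the subscription, it grants it at the registry only, with an ABAC condition (condition-version 2.0, the same mechanism the "ABAC condition not fulfilled" wording in the error refers to) so the service connection can assign AcrPull and nothing else. The AcrPull role definition GUID is the built-in one, identical in every tenant.

```shell
#!/bin/sh
# Added example, not code from the original post. Resolves the service
# connection's service principal (enterprise application) by object ID, shows
# whether it can already write role assignments on the registry, and if not
# grants it User Access Administrator on the registry only, constrained by an
# ABAC condition so it can assign nothing but AcrPull.
# Assumed inputs (placeholders, not values from the post): APP_ID, SUBSCRIPTION,
# RG_NAME, ACR_NAME. Requires az CLI 2.37+ and a signed-in session that holds
# Owner or User Access Administrator at or above the registry.
set -eu

# Built-in role definition ID for AcrPull; built-in role IDs are the same in
# every tenant, so this GUID can be pinned in the condition below.
ACRPULL_ROLE_ID="7f951dda-4ed3-4680-a7ca-43fe172d538d"

# Registry scope: the same scope the pipeline assigns AcrPull on.
acr_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ContainerRegistry/registries/%s' \
    "$1" "$2" "$3"
}

# ABAC condition (condition-version 2.0): every action of the role is allowed
# except roleAssignments/write, which is allowed only when the role being
# assigned is the one whose definition ID is passed in.
uaa_condition_only_role() {
  printf "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {%s}))" "$1"
}

# Enterprise-application object ID for an Application (client) ID. This is the
# object ID in the AuthorizationFailed message; the app registration's own
# object ID is a different GUID, which is why a search under App registrations
# finds nothing.
sp_object_id() {
  az ad sp show --id "$1" --query id -o tsv
}

# When several service connections share a display name, list them all with
# their app IDs so the right one can be picked instead of guessing by name.
sps_by_display_name() {
  az ad sp list --display-name "$1" \
    --query "[].{name:displayName,appId:appId,objectId:id}" -o table
}

# Number of Owner / User Access Administrator assignments the principal holds
# at the scope or inherited from a parent scope.
count_role_admin_assignments() {
  az role assignment list --assignee "$1" --scope "$2" --include-inherited \
    --query "[?roleDefinitionName=='Owner' || roleDefinitionName=='User Access Administrator'] | length(@)" \
    -o tsv
}

# Grant User Access Administrator at the registry, conditioned to AcrPull only.
grant_scoped_uaa() {
  az role assignment create \
    --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal \
    --role "User Access Administrator" \
    --scope "$2" \
    --condition "$(uaa_condition_only_role "$ACRPULL_ROLE_ID")" \
    --condition-version "2.0"
}

main() {
  scope=$(acr_scope "${SUBSCRIPTION:?}" "${RG_NAME:?}" "${ACR_NAME:?}")
  oid=$(sp_object_id "${APP_ID:?}")
  echo "service principal object id: $oid"
  if [ "$(count_role_admin_assignments "$oid" "$scope")" -gt 0 ]; then
    echo "principal can already write role assignments at $scope"
  else
    grant_scoped_uaa "$oid" "$scope"
  fi
}

# Only touch Azure when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as `APP_ID=... SUBSCRIPTION=... RG_NAME=... ACR_NAME=... sh grant.sh apply` from a session that can write role assignments; the object ID it prints is the one to compare against the GUID in the AuthorizationFailed message. When two connections share a display name, `sps_by_display_name "<name>"` shows which app ID belongs to which, so the grant goes to the ARM connection and not the Docker one. Scoping the grant to the registry and conditioning it to AcrPull means a leaked pipeline credential can at most hand out pull rights on that one registry, not arbitrary roles across the subscription.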