Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error create containerapp job with user managed identity #6349

Closed
olandese opened this issue May 31, 2023 · 7 comments
Closed

Error create containerapp job with user managed identity #6349

olandese opened this issue May 31, 2023 · 7 comments
Assignees
@Greedygre
Labels
Auto-Assign Auto assign by bot bug This issue requires a change to an existing behavior in the product in order to be resolved. ContainerApp customer-reported Issues that are reported by GitHub users external to the Azure organization. CXP Attention This issue is handled by CXP team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention This issue is responsible by Azure service team.

Comments

@olandese
Copy link

Describe the bug

I am using the latest version of the containerapp extension 0.3.32

When I try to create a containerapp job (preview) with a managed identity I get errors. It seems the extension is splitting the resourceid of the managed identity in multiple strings.

I give the following paratemer switch (I tried different variations, error is always there):
--user-assigned '/subscriptions/XXXXXX/resourceGroups/rg-test/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-mi-user'

Output with --debug:

image

Related command

az containerapp job create
--name "ghrunnersacajobstest"
--resource-group "rg-ghrunnersacajobs"
--environment "ghrunnersacajobs"
--trigger-type "Event"
--replica-timeout 604800
--replica-retry-limit 1
--image "aztfmod/rover-agent:1.2.9-2305.1807-github"
--cpu "2" --memory "4Gi"
--min-executions "0"
--parallelism 10
--max-executions "10"
--scale-rule-name "github-runner"
--scale-rule-type "github-runner"
--scale-rule-metadata "owner=devops-circle" "runnerScope=repo" "repos=gh-runners-aca-jobs"
--scale-rule-auth "personalAccessToken=pat-token-secret"
--secrets "pat-token-secret=THISISASECRET"
--env-vars "EPHEMERAL=true" "URL=https://github.com" "GH_TOKEN=secretref:pat-token-secret" "GH_OWNER=devops-circle" "GH_REPOSITORY=gh-runners-aca-jobs" "LABELS=test"
--user-assigned "/subscriptions/XXXXXXXXX/resourcegroups/rg-ghrunnersacajobs/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-ghrunnersacajobs"

Errors

Response: '{"error":{"code":"BadRequest","message":"Resource identifier '/subscriptions/ff1a0889-5f9e-44bc-908c-59e3e993Response: '{"error":{"code":"BadRequest","message":"Resource identifier '/subscriptions/ff1a0889-5f9e-44bc-908c-59e3e99361c3/resourceGroups/rg-ghrunnersacajobs/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[' is invalid."}}'.'.
az_command_data_logger: (FailedIdentityOperation) Identity operation for resource '/subscriptions/ff1a0889-5f9e-44bc-908c-59e3e99361c3/resourceGroups/rg-ghrunnersacajobs/providers/Microsoft.App/jobs/ghrunnersacajobstest' failed with error 'Failed to perform resource identity operation. Status: 'BadRequest'. Response: '{"error":{"code":"BadRequest","message":"Resource identifier '/subscriptions/ff1a0889-5f9e-44bc-908c-59e3e99361c3/resourceGroups/rg-ghrunnersacajobs/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[' is invalid."}}'.'.

Issue script & Debug output

image

Expected behavior

A working container job with a user managed identity

Environment Summary

azure-cli 2.49.0

core 2.49.0
telemetry 1.0.8

Extensions:
containerapp 0.3.32

Dependencies:
msal 1.20.0
azure-mgmt-resource 22.0.0

Python location '/opt/az/bin/python3'
Extensions directory '/home/olandese/.azure/cliextensions'

Python (Linux) 3.10.10 (main, May 19 2023, 08:20:31) [GCC 11.3.0]

Additional context

Issue reported also here: Azure/azure-cli#26560
@olandese olandese added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label May 31, 2023
@ghost ghost added question The issue doesn't require a change to the product in order to be resolved. Most issues start as that customer-reported Issues that are reported by GitHub users external to the Azure organization. labels May 31, 2023
@yonzhan
Copy link
Collaborator

yonzhan commented May 31, 2023

Thank you for opening this issue, we will look into it.

@ghost ghost added Auto-Assign Auto assign by bot ContainerApp CXP Attention This issue is handled by CXP team. labels May 31, 2023
@jsntcy jsntcy added the Service Attention This issue is responsible by Azure service team. label Jun 2, 2023
@ghost
Copy link

ghost commented Jun 2, 2023

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @calvinsID.

Issue Details

Describe the bug

I am using the latest version of the containerapp extension 0.3.32

When I try to create a containerapp job (preview) with a managed identity I get errors. It seems the extension is splitting the resourceid of the managed identity in multiple strings.

I give the following paratemer switch (I tried different variations, error is always there):
--user-assigned '/subscriptions/XXXXXX/resourceGroups/rg-test/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-mi-user'

Output with --debug:

image

Related command

az containerapp job create
--name "ghrunnersacajobstest"
--resource-group "rg-ghrunnersacajobs"
--environment "ghrunnersacajobs"
--trigger-type "Event"
--replica-timeout 604800
--replica-retry-limit 1
--image "aztfmod/rover-agent:1.2.9-2305.1807-github"
--cpu "2" --memory "4Gi"
--min-executions "0"
--parallelism 10
--max-executions "10"
--scale-rule-name "github-runner"
--scale-rule-type "github-runner"
--scale-rule-metadata "owner=devops-circle" "runnerScope=repo" "repos=gh-runners-aca-jobs"
--scale-rule-auth "personalAccessToken=pat-token-secret"
--secrets "pat-token-secret=THISISASECRET"
--env-vars "EPHEMERAL=true" "URL=https://github.com" "GH_TOKEN=secretref:pat-token-secret" "GH_OWNER=devops-circle" "GH_REPOSITORY=gh-runners-aca-jobs" "LABELS=test"
--user-assigned "/subscriptions/XXXXXXXXX/resourcegroups/rg-ghrunnersacajobs/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-ghrunnersacajobs"

Errors

Response: '{"error":{"code":"BadRequest","message":"Resource identifier '/subscriptions/ff1a0889-5f9e-44bc-908c-59e3e993Response: '{"error":{"code":"BadRequest","message":"Resource identifier '/subscriptions/ff1a0889-5f9e-44bc-908c-59e3e99361c3/resourceGroups/rg-ghrunnersacajobs/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[' is invalid."}}'.'.
az_command_data_logger: (FailedIdentityOperation) Identity operation for resource '/subscriptions/ff1a0889-5f9e-44bc-908c-59e3e99361c3/resourceGroups/rg-ghrunnersacajobs/providers/Microsoft.App/jobs/ghrunnersacajobstest' failed with error 'Failed to perform resource identity operation. Status: 'BadRequest'. Response: '{"error":{"code":"BadRequest","message":"Resource identifier '/subscriptions/ff1a0889-5f9e-44bc-908c-59e3e99361c3/resourceGroups/rg-ghrunnersacajobs/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[' is invalid."}}'.'.

Issue script & Debug output

image

Expected behavior

A working container job with a user managed identity

Environment Summary

azure-cli 2.49.0

core 2.49.0
telemetry 1.0.8

Extensions:
containerapp 0.3.32

Dependencies:
msal 1.20.0
azure-mgmt-resource 22.0.0

Python location '/opt/az/bin/python3'
Extensions directory '/home/olandese/.azure/cliextensions'

Python (Linux) 3.10.10 (main, May 19 2023, 08:20:31) [GCC 11.3.0]

Additional context

Issue reported also here: Azure/azure-cli#26560

Author: olandese
Assignees: -
Labels:

bug, question, customer-reported, Service Attention, CXP Attention, Auto-Assign, ContainerApp
Milestone: -

@jsntcy
Copy link
Member

jsntcy commented Jun 2, 2023

@Greedygre could you please look at the issue?

@Greedygre
Copy link
Contributor

@anandanthony Hi, could you please look at this issue about containerapp job create ?

@Greedygre Greedygre mentioned this issue Jun 5, 2023
Merged
@olandese
Copy link
Author

olandese commented Jun 7, 2023

Seems to be working now, with version 0.3.33 :)
Using the --mi-user-assigned parameter

@olandese olandese closed this as completed Jun 7, 2023
@olandese
Copy link
Author

olandese commented Jun 8, 2023

@Greedygre @anandanthony I think the documentation should be updated with the new --mi-user-assigned parameter
https://learn.microsoft.com/en-us/cli/azure/containerapp/job?view=azure-cli-latest#az-containerapp-job-create

@olandese olandese reopened this Jun 8, 2023
@navba-MSFT
Copy link
Contributor

@olandese This seems to be fixed now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Greedygre Greedygre

Labels
Auto-Assign Auto assign by bot bug This issue requires a change to an existing behavior in the product in order to be resolved. ContainerApp customer-reported Issues that are reported by GitHub users external to the Azure organization. CXP Attention This issue is handled by CXP team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention This issue is responsible by Azure service team.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@olandese @jsntcy @Greedygre @yonzhan @navba-MSFT