Manual image generation tries to create Service Principal #10071

Closed
2 of 14 tasks
donk-msft opened this issue Jun 14, 2024 · 3 comments

@donk-msft

Description

Documentation states:

The GenerateResourcesAndImage function is able to create a Service Principal to be used by Packer. It uses the Connect-AzAccount cmdlet that invokes an interactive authentication process by default. If you don't want to use interactive authentication, you should create a Service Principal with full read-write permissions for the selected Azure subscription on your own and provide proper values for the parameters AzureClientId, AzureClientSecret and AzureTenantId.

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 20.04
  • Ubuntu 22.04
  • Ubuntu 24.04
  • macOS 11
  • macOS 12
  • macOS 13
  • macOS 13 Arm64
  • macOS 14
  • macOS 14 Arm64
  • Windows Server 2019
  • Windows Server 2022

Image version and build link

Ubuntu 22.04

Is it regression?

No

Expected behavior

When running the 'GenerateResourcesAndImage' command with the -AzureTenantId parameter I expect to be authenticated against this tenant only and that packer uses interactive authentication instead of a Service principal.

Actual behavior

When running the 'GenerateResourcesAndImage' command with the -AzureTenantId parameter, the script still tries to retrieve all tenants and subscriptions for selection. I select the correct subscription. It then reports the tenant and subscription and shows a warning '[Warning] The login output has been updated. Please be aware that it no longer displays the full list of available subscriptions by default.'

Even though I'm logged in interactively, the script then proceeds to create a service principal for packer... (for which I don't have permissions and I don't want to happen).

Repro steps

On your local machine, follow the documented steps (clone git, import module) and run the 'GenerateResourcesAndImage' command.

@Prabhatkumar59

@donk-msft We are looking into the issue and will get back to you after investigating it. Thanks.

@Prabhatkumar59

@donk-msft, here are some steps you can take to resolve or mitigate the issue:

  1. Before running the GenerateResourcesAndImage command, ensure you are logged into Azure CLI or Azure PowerShell with the correct tenant and subscription context.
     • Use az login for Azure CLI or Connect-AzAccount for Azure PowerShell to ensure you are authenticated and using the correct tenant.
     • Verify your current context using az account show (Azure CLI) or Get-AzContext (Azure PowerShell).
  2. If the script still behaves unexpectedly after logging in, explicitly set the context within the script using the -TenantId and -SubscriptionId parameters.
     • Example for Azure CLI: az account set --subscription <subscription_id>
     • Example for Azure PowerShell: Set-AzContext -SubscriptionId <subscription_id>
  3. Double-check the script documentation or source code to ensure you are using the correct parameters (-AzureTenantId, -SubscriptionId, etc.) and that they are being passed correctly.
  4. Add debug statements or error handling within the script to capture and output the current context (az account show, Get-AzContext) to diagnose where the issue might be occurring.
  5. For example, assuming you are using Azure CLI and want to ensure the correct context is used before running GenerateResourcesAndImage, you could script it as follows:

```
# Log in interactively and set the correct tenant context
az login
az account set --subscription <subscription_id>

# Verify current context (optional)
az account show

# Run the script with AzureTenantId parameter
GenerateResourcesAndImage -AzureTenantId <tenant_id> ...
```

So, in the above script, you can try to replace <subscription_id> and <tenant_id> with your actual subscription and tenant IDs. This approach ensures that both the correct subscription and tenant contexts are set before executing the script.

  6. So hopefully, by following these steps, you should be able to mitigate the issue and ensure that the GenerateResourcesAndImage command operates within the expected Azure tenant and subscription context.

Also, kindly follow the link below step by step for a better understanding, and feel free to revert back with any further queries. Thanks :)

https://github.com/actions/runner-images/blob/main/docs/create-image-and-azure-resources.md
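
Added example, not part of the comment above or of the runner-images project: a fail-closed pre-flight check for the Azure PowerShell context verification described in steps 1 and 2. The function name `Assert-AzContext` and its parameters are hypothetical; it only confirms which tenant, subscription and account the session is bound to, and does not change what GenerateResourcesAndImage does afterwards.

```powershell
# Added example: stop before image generation unless the Az PowerShell session
# is bound to exactly the tenant and subscription you intend to use.
# Assert-AzContext and its parameter names are hypothetical helpers.
function Assert-AzContext {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [guid] $ExpectedTenantId,
        [Parameter(Mandatory)] [guid] $ExpectedSubscriptionId
    )

    $ctx = Get-AzContext
    if (-not $ctx) {
        # No cached login: authenticate interactively against this tenant only,
        # so no tenant or subscription picker is involved.
        Connect-AzAccount -Tenant $ExpectedTenantId.ToString() `
                          -Subscription $ExpectedSubscriptionId.ToString() | Out-Null
        $ctx = Get-AzContext
    }
    if (-not $ctx) { throw 'No Azure context available after login.' }

    # Compare as strings; PowerShell -ne is case-insensitive, and a missing
    # subscription ($null) simply counts as a mismatch.
    $problems = @()
    if ($ctx.Tenant.Id -ne $ExpectedTenantId.ToString()) {
        $problems += "tenant is '$($ctx.Tenant.Id)', expected '$ExpectedTenantId'"
    }
    if ($ctx.Subscription.Id -ne $ExpectedSubscriptionId.ToString()) {
        $problems += "subscription is '$($ctx.Subscription.Id)', expected '$ExpectedSubscriptionId'"
    }
    if ($problems.Count -gt 0) {
        # Fail closed instead of silently switching context.
        throw "Azure context mismatch: $($problems -join '; ')"
    }

    # Record who the run executes as, for the build log.
    [pscustomobject]@{
        Account        = $ctx.Account.Id
        AccountType    = $ctx.Account.Type
        TenantId       = $ctx.Tenant.Id
        SubscriptionId = $ctx.Subscription.Id
    }
}

# Usage (placeholders as in the comment above):
#   Assert-AzContext -ExpectedTenantId <tenant_id> -ExpectedSubscriptionId <subscription_id>
#   GenerateResourcesAndImage -AzureTenantId <tenant_id> ...
```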

@Prabhatkumar59

@donk-msft, could you please comment on this resolution provided to you and whether your issue got resolved or not?
