Access Denied during export on Azure Virtual Desktop #380
Comments
@mwsutherland The error is raised by running the underlying |
It is the public cloud. Is there a way I can call this azlist more directly to see what happens on each machine? |
I should mention that commands like |
@mwsutherland Yes, you can install Alternatively, you should also be able to use a service principal by following https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret |
I'll check out those references and let you know how it goes. A teammate experienced the issue on his AVD VM. |
@mwsutherland You can probably try to get the access token that az cli provides you by |
Running the azlist command, as expected, worked on the laptop and gave the same error output as above on the AVD. I'll see what I can find about the token... |
Comparing the tokens, some expected (to me) differences are iat, nbf, exp, deviceid and ipaddr. The aio and uti are different (don't know what they are, so don't know if that is expected). The amr on the laptop has rsa and mfa but, on the AVD, it also has pwd. Everything else is the same. |
I realized that on AVD, the authentication being used is MSI, i.e. the identity of the VM is used instead of your user account. The order of the auth chain is defined at: https://github.com/Azure/azure-sdk-for-go/blob/063592ec46734bd61c1a431e6df361c456df1946/sdk/azidentity/default_azure_credential.go#L37. So you'll need to assign a proper role for the VM's identity (e.g. Reader under the subscription). Arguably, we shall be able to select what method to use for auth, whilst it appears to be a missing feature in current Azure SDK. Hence sent a feature request for that: Azure/azure-sdk-for-go#20502 |
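The diagnosis above comes down to one question: is the token that aztfexport ends up sending issued for the signed-in user, or for the VM's managed identity? The following script is an added example (not part of this thread or of the aztfexport project) that decodes the payload of an access token, diffs two tokens the way the earlier comment did while ignoring the per-token claims that always differ (iat, nbf, exp, aio, uti, deviceid, ipaddr), and reports which kind of identity a token represents. The claim names it keys on (idtyp, appid, upn, amr) and the two sample tokens are assumptions constructed for the demo; the decode does no signature verification, so use it only to inspect tokens you obtained yourself, never to trust one.

```python
import base64
import json

# Claims that legitimately differ between any two tokens; excluded from the diff.
VOLATILE_CLAIMS = {"iat", "nbf", "exp", "aio", "uti", "deviceid", "ipaddr"}


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore padding before decoding."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diff_claims(a: dict, b: dict, ignore=VOLATILE_CLAIMS) -> dict:
    """Map each differing claim name to (value_in_a, value_in_b), skipping volatile claims."""
    keys = (set(a) | set(b)) - set(ignore)
    return {k: (a.get(k), b.get(k)) for k in sorted(keys) if a.get(k) != b.get(k)}


def identity_kind(claims: dict) -> str:
    """Heuristic (assumption): application tokens (managed identity / service principal)
    carry idtyp=app and an appid but no upn/amr; user tokens carry upn and amr."""
    if claims.get("idtyp") == "app":
        return "application"
    if "appid" in claims and "upn" not in claims and "amr" not in claims:
        return "application"
    return "user"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned token (alg=none) purely so the demo runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens: one for a signed-in user, one for a VM's managed identity.
LAPTOP_TOKEN = make_unsigned_token({
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
    "iat": 1, "nbf": 1, "exp": 2,
    "amr": ["rsa", "mfa"],
    "oid": "USER-OBJECT-ID-PLACEHOLDER",
    "upn": "user@example.com",
    "tid": "TENANT-ID-PLACEHOLDER",
    "deviceid": "DEVICE-ID-PLACEHOLDER",
    "ipaddr": "198.51.100.10",
})
AVD_TOKEN = make_unsigned_token({
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
    "iat": 5, "nbf": 5, "exp": 6,
    "appid": "VM-IDENTITY-CLIENT-ID-PLACEHOLDER",
    "idtyp": "app",
    "oid": "VM-IDENTITY-OBJECT-ID-PLACEHOLDER",
    "tid": "TENANT-ID-PLACEHOLDER",
})


def compare(token_a: str, token_b: str) -> dict:
    """Summarise the two tokens: which identity each is for, and which claims differ."""
    a, b = decode_claims(token_a), decode_claims(token_b)
    return {"kind_a": identity_kind(a), "kind_b": identity_kind(b), "diff": diff_claims(a, b)}


if __name__ == "__main__":
    print(json.dumps(compare(LAPTOP_TOKEN, AVD_TOKEN), indent=2))
```

On a real machine, feed it the output of `az account get-access-token --query accessToken -o tsv` from each host. If the token on the AVD decodes as an application identity, the `oid` it carries is the VM's managed identity, and that is the principal that needs the Reader (or other) role assignment on the subscription; a role granted to the user account will not help.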
Thanks for tracking that down! |
I have assigned contributor privileges for the VM's system-assigned managed identity on the subscription and tried, but same error. |
@Dhruv-1982 The assigned role will need some time to propagate, does the same error occur after waiting a while? |
Tried after an hour of assigning privileges but same error. Will try again after a few hours. |
@Dhruv-1982 It won't take hours per my experience, something else went wrong. Did you assign the contributor role to the right scope (e.g. the subscription where the target resource resides in)? |
Yes, I provided the contributor role in the subscription where the resource resides. |
Does your VM happen to also have user assigned identities, which is effectively used during MSI auth? |
I just created and assigned a user-assigned managed identity, provided contributor privileges in the subscription and added it to the VM identity too, but same error. |
What does |
Do we have any installer/ .exe for azlist? |
@Dhruv-1982 No, see my comment: #380 (comment) |
I have been using aztfexport on my laptop and thought I would try it on my Azure Virtual Desktop in the hope that it would go faster with reduced latency. Instead, I get an error.
Both are Windows 10. Both are using the latest versions as of today (aztfexport v0.11, terraform 1.3.9, azure-cli 2.46). With both, I do an
az login
as the same user and
az account set --subscription
to the same subscription. On my laptop, things work fine. On my AVD, I get:
Microsoft Azure Export for Terraform
listing resource set: executing ARG query "Resources | where resourceGroup =~ "rg-gsu.gassouth.me" | order by id desc": POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources
RESPONSE 403: 403 Forbidden
ERROR CODE: AccessDenied
{
"error": {
"code": "AccessDenied",
"message": "Please provide below info when asking for support: timestamp = 2023-03-27T17:28:58.0470414Z,
correlationId = 98c93625-761a-44b7-bab0-eeed00ebec4e.",
"details": [
{
"code": "AccessDenied",
"message": "Access is denied to the requested resource. The user might not have enough permission."
}
]
}
}
There must be a difference between the two, but I don't know where else to look. Any suggestions?