What Role Assignments Are Required For Bicep that assigns roles inside of Devops Pipeline?

Siegfried Heintze 1,861

I have a bicep file (https://github.com/siegfried01/SimplerServiceBusSendReceiveDemo/blob/master/infrastructure/deploy-ServiceBusSimpleSendReceive.bicep#L365 ) that calls a bicep module (https://github.com/siegfried01/SimplerServiceBusSendReceiveDemo/blob/master/infrastructure/assignRbacRoleToFunctionApp.bicep#L16)

This works to create a service bus and function app where the function app can read the service bus queue.

However, when I try to execute this bicep file from inside a devops pipeline (https://github.com/siegfried01/SimplerServiceBusSendReceiveDemo/blob/master/azure-pipelines.yml#L116), I get this error:

ERROR: {

  "status": "Failed",

  "error": {

    "code": "DeploymentFailed",

    "target": "/subscriptions/acc26051-92a5-4ed1-a226-64a187bc27db/resourceGroups/rg_ServiceBusSimpleSendReceive/providers/Microsoft.Resources/deployments/ServiceBusSimpleSendReceive",

    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",

    "details": [

      {

        "code": "InvalidTemplateDeployment",

        "message": "The template deployment failed with error: 'Authorization failed for template resource 'xxxxxxxxx' of type 'Microsoft.Authorization/roleAssignments'. The client 'xxxxxxx' with object id 'xxxx' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/xxxxxxb/resourceGroups/rg_ServiceBusSimpleSendReceive/providers/Microsoft.Authorization/roleAssignments/xxxxx'.'."

      }

    ]

  }

}

I assume I need to add 'Microsoft.Authorization/roleAssignments/write' to the service connection's service principal with the scope specified in the error message. Is this true?
I've tried to use the devops pipeline web GUI to modify the service connection. How do I do this? When I click on "managed service connection roles" it takes me to my subscription. Why? I (think I) want to add a "write" role to the service principal, not the subscription!
When I click on manage service principal it takes me to the service principal in azure AD. I click on "Roles and administrators" and there is no way add this 'write' role.
I think I would prefer to add 'Microsoft.Authorization/roleAssignments/write' with the azure CLI. How do I do that? Can I use the azure cli to create a new service principal with the scope of the resource group and the appropriatly assigned roles and use that for the service connection for my pipeline?

Thanks

Siegfried

2 answers

Deepanshu katara 5,145

Hi , Welcome to MS Q&A , you can perform below steps for your query

Identify the Service Principal: First, you need to identify the service principal used by your Azure DevOps pipeline. You can find this information in the Azure DevOps pipeline settings.
Assign Role: Once you have the service principal's details, you can use the Azure CLI to assign the required role. You can use the az role assignment create command to
```
   az role assignment create --role "Owner" --assignee <service_principal_id> --scope /subscriptions/xxxxxx/resourceGroups/rg_ServiceBusSimpleSendReceive
   
```
Replace <service_principal_id> with the actual ID of your service principal.
Verify: After assigning the role, you can verify if the assignment was successful by checking the role assignments for the specified scope using the az role assignment list command.

By doing this, you're granting the necessary permission for the service principal to perform role assignments within the specified scope, resolving the error you encountered during the deployment.

Kindly check and accept , if it helps , Thanks!

Deepanshu katara 5,145 Reputation points

2024-04-29T09:51:19.5266667+00:00

Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Siegfried Heintze 1,861 Reputation points

2024-04-29T22:03:03.6033333+00:00
Here is what I tried and I still received the exact same error message:

In Azure Deveops (ADO) I went to project settings to try to configure my service connection and clicked on Manage Service Principal. This takes me to the app registration. I found this very confusing because I could figure out how to add the "owner" role using this page. Should I be able to click on "Roles and Administrators" and add a role? What about "App Roles".

So I issued the command az ad sp list --display-name "sheintze-devopsdemoproject001-accxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and observed that I have two service principals with the same display name! Should I be concerned?

Then I did

$id=(az ad sp list --display-name "sheintze-devopsdemoproject001- accxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx " --query "[0].id" --output tsv) write-output "id=$id" az role assignment create --role "Owner" --assignee $id --scope "/subscriptions/

(4) I executed a similar command to assign "Owner" to the second service principal as well (by changing the "--query" array index).

(5) I restart the pipeline and get the exact same error!

(6) What is this link supposed to do? When I click it, it takes me to my subscription. Is this link broken? Looks like I should be able to click on this link and add the "Owner" role to my service principal but that cannot be done on the web page for my azure subscription.

Thank you for your wonderfully prompt response!

Siegfried
Deepanshu katara 5,145 Reputation points

2024-04-30T07:23:15.35+00:00
Hi , I think role assignment command not working as needed , did you verify that your spn got owner role to subscription , you can verify that from IAM blade of subscription

Also please once try assigning role using below command

az role assignment create --assignee-object-id 00000000-0000-0000-0000-000000000000 --assignee-principal-type ServicePrincipal --role owner --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup

Make sure here object-id is application ID like in below image

Successful ref Image

kindly check and let us know , Thanks
Deepanshu katara 5,145 Reputation points

2024-04-30T07:23:32.2966667+00:00

please check and let us know

Siegfried Heintze 1,861

So I changed my az cli to get the appid instead of the id:

$appid=(az ad sp list --display-name "sheintze-devopsdemoproject001-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" --query "[1].appId" --output tsv)
write-output "appid=$appid"
az role assignment create --role "Owner" --assignee $appid --scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg_ServiceBusSimpleSendReceive"
appid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
{
  "condition": null,
  "conditionVersion": null,
  "createdBy": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "createdOn": "2024-04-29T20:28:09.273692+00:00",
  "delegatedManagedIdentityResourceId": null,
  "description": null,
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg_ServiceBusSimpleSendReceive/providers/Microsoft.Authorization/roleAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "name": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "principalName": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "principalType": "ServicePrincipal",
  "resourceGroup": "rg_ServiceBusSimpleSendReceive",
  "roleDefinitionId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "roleDefinitionName": "Owner",
  "scope": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg_ServiceBusSimpleSendReceive",
  "type": "Microsoft.Authorization/roleAssignments",
  "updatedBy": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "updatedOn": "2024-04-29T20:28:09.273692+00:00"
}

I confirmed that the appid matches the appid in the app registration page.

Then I ran the pipeline again and now I am getting a different error:

ERROR: {
  "status": "Failed",
  "error": {
    "code": "DeploymentFailed",
    "target": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg_ServiceBusSimpleSendReceive/providers/Microsoft.Resources/deployments/ServiceBusSimpleSendReceive",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
    "details": [
      {
        "code": "Conflict",
        "target": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg_ServiceBusSimpleSendReceive/providers/Microsoft.Web/sites/aryxbqmevvg3e-func/deployments/73236288f08d4694a60c7016deb6b26b",
        "message": "{\r\n  \"Message\": \"Deployment with id '73236288f08d4694a60c7016deb6b26b' exists\"\r\n}"
      },
      {
        "code": "BadRequest",
        "target": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg_ServiceBusSimpleSendReceive/providers/Microsoft.Web/sites/aryxbqmevvg3e-func/functions/SimpleServiceBusReceiver",
        "message": "{\r\n  \"Code\": \"BadRequest\",\r\n  \"Message\": \"Encountered an error (InternalServerError) from host runtime.\",\r\n  \"Target\": null,\r\n  \"Details\": [\r\n    {\r\n      \"Message\": \"Encountered an error (InternalServerError) from host runtime.\"\r\n    },\r\n    {\r\n      \"Code\": \"BadRequest\"\r\n    },\r\n    {\r\n      \"ErrorEntity\": {\r\n        \"Code\": \"BadRequest\",\r\n        \"Message\": \"Encountered an error (InternalServerError) from host runtime.\"\r\n      }\r\n    }\r\n  ],\r\n  \"Innererror\": null\r\n}"
      }
    ]
  }
}

Thanks!

Siegfried

Siegfried Heintze 1,861

Bicep runs fine from my powershell prompt!

Here is the YAML for the azure devops pipeline. Sorry, I have not taken out all of my debug statements yet. I know it is dying inside my bicep because I see the bicep warnings concerning the bicep variables I declare but don't use (yet).

# .NET Core Function App to Windows on Azure
# Build a .NET Core function app and deploy it to Azure as a Windows function App.
# Add steps that analyze code, save build artifacts, deploy, and more:
# https://docs.microsoft.com/en-us/azure/devops/pipelines/languages/dotnet-core
#trigger:
#- master
variables:
  # Azure Resource Manager connection created during pipeline creation
  azureSubscription: 'Siegfried Azure Connection'
  # Function app name
  functionAppName: '4n3tzjp5hf23g-func'
  # Agent VM image name
  vmImageName: 'windows-2019'
  # Working Directory
  workingDirectory: '$(System.DefaultWorkingDirectory)'
stages:
- stage: Build
  displayName: Build stage
  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)
    steps:
    # Builds in release, and then outputs the files to a new location
    # and then zips it to a file with the name $(Build.BuildId).zip
    - task: DotNetCoreCLI@2
      displayName: Build and Zip Function
      inputs:
        command: publish
        workingDirectory: $(workingDirectory)
        arguments: '--configuration Release --nologo --output $(Pipeline.Workspace)/publish_output/$(Build.BuildId)'
        zipAfterPublish: true
        publishWebProjects: false
        modifyOutputPath: false
    - task: Bash@3
      displayName: 'Confirm location of bicep files'
      inputs:
        targetType: 'inline'
        script: |
          cd $(workingDirectory)
          echo "show $PWD"
          ls -al
          find . -name \*.bicep
          cd infrastructure
          echo "show $PWD"
          ls -al
    
    # copy files from the `infrastucture` folder to the newlycreated $(Build.BuildId)
    # folder. This will create the TargetFolder if it doesn't exist.
    - task: CopyFiles@2
      displayName: Copy Infrastructure files
      inputs:
        SourceFolder: $(workingDirectory)/infrastructure
        TargetFolder: $(Pipeline.Workspace)/publish_output/$(Build.BuildId)/infrastructure
    # if you want the warm and fuzzies, this should list recursively 
    # all the files in the $(Build.BuildId) folder.
    - task: Bash@3
      displayName: 'Confirm location of bicep files'
      inputs:
        targetType: 'inline'
        script: |
          echo "Show all contents of the output folder"
          ls -alR '$(Pipeline.Workspace)/publish_output/$(Build.BuildId)'
    # copy all the files in the $(Build.BuildId) folder to the pipeline
    # storage area. You can verify this by looking at the published artifacts
    # tab on a successful build.
    - task: PublishPipelineArtifact@1
      displayName: Publish App and Infra
      inputs:
        targetPath: $(Pipeline.Workspace)/publish_output/$(Build.BuildId)
        artifact: drop
        publishLocation: pipeline
- stage: Deploy
  displayName: Deploy stage
  dependsOn:
  - Build
  condition: succeeded()
  jobs:
  - deployment: Deploy
    displayName: Deploy
    environment:
      name: 'development'
    pool:
      vmImage: $(vmImageName)
    strategy:
      runOnce:
        deploy:
          steps:
          # This task will assume that the provided group already exists. 
          # That's a manual process though, unless there is some other
          # automation that creates it for you. If it needs to be manually 
          # created, then you need to come up with a subscription deployment
          # rather than a group deployment.
          - task: AzureCLI@2
            displayName: 'Deploy Azure Resources with Azure Deployment Group'
            inputs:
              azureSubscription: 'Siegfried Azure Connection'
              scriptType: 'pcore'
              scriptLocation: 'inlineScript'
              inlineScript: |
                echo 'show default directory'
                ls 
                cd $(Pipeline.Workspace)\drop\infrastructure
                echo 'Show Directory $(PWD)'
                ls 
                az deployment group create --name ServiceBusSimpleSendReceive --resource-group rg_ServiceBusSimpleSendReceive --template-file deploy-ServiceBusSimpleSendReceive.bicep
          # publishes the function app and restarts it.
          - task: AzureFunctionApp@1
            displayName: 'Azure functions app deploy'
            inputs:
              azureSubscription: '$(azureSubscription)'
              appType: functionApp
              appName: $(functionAppName)
              package: '$(Pipeline.Workspace)/drop/$(Build.BuildId).zip'

Deepanshu katara 5,145 Reputation points

2024-04-30T15:40:15.5833333+00:00

Hi , if bicpes runs fine with PS then I think not issue with bicep we can ignore the warnings , please try to re run pipe and check again and see what error we get next also if possible try to delete the failed deployment from deployment list in Resource Group and then run the pipe and check
Siegfried Heintze (ARTECH CONSULTING LLC) 0 Reputation points Microsoft Vendor

2024-04-30T15:54:40.6266667+00:00

Deepanshu:

I have tried deleting all the sources in the resource group before running my pipeline again and that does not help. I'm getting the same error that I got a few hours ago that I posted (scroll up).

Siegfried
Siegfried Heintze 1,861 Reputation points

2024-04-30T17:18:02.9966667+00:00

Hooray! It works. Why did it not work earlier this morning. I don't know!

This is weird: adding the role assignment to the service principal id did not create an error! Why not?

Adding the role assignment to the service principal client id (appid) did the trick eventually (after 2-3 tries).

Can someone point me to the documentation somewhere that says you want to apply it to the appid ?

Give me a little more time, maybe a day, to confirm that this is working consistently.

Now it is true that I expressed a preference for using the azure cli instead of the devops GUI and the azure cli seems to be working. Should I have been able to assign a rule using the devops/pipeline web page?

I tried and could not make that work.

Thanks you Ryan and Deepanshu!
Deepanshu katara 5,145 Reputation points

2024-04-30T17:26:35.08+00:00

Ok Great Siegfried , it happens sometime but anyways as azure Resource Manager sometimes caches configurations and data to improve performance but anyway it worked eventually so request you to please accept answer when you can (you can do later) but incase of you need any further help, please let us know happy to help

Thanks
Deepanshu katara 5,145 Reputation points

2024-05-02T04:54:46.1+00:00

@siegfried , can you please accept answer or update on this , Thankyou!
Siegfried Heintze 1,861 Reputation points

2024-05-02T13:06:25.9733333+00:00

See designated answer below.

Siegfried Heintze 1,861 Reputation points

2024-05-02T13:05:04.4966667+00:00
For future readers (which might even include me some day!):

Since Deepanshu katara solved the problem but the actual solutions appears in the comments above and not the proposed solution, I'm designating this as the answer instead:

$appid=(az ad sp list --display-name "sheintze-devopsdemoproject001-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" --query "[0].appId" --output tsv) write-output "appid=$appid" az role assignment create --role "Owner" --assignee $appid --scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg_ServiceBusSimpleSendReceive"

Originally, I was using ".id" instead of ".appid" and that was not working.

sheintze-devopsdemoproject001-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx is the name of the service principal created by the devops pipeline web page when my colleague helped me create a new service connection in the devops web page.

Also, I had to run the pipeline multiple times before it started working with the above solution. Maybe there was a caching problem or something.

It seems that this is something the devops pipeline web page should do for you with the GUI. Perhaps it is broken?

Thank you Deepanshu katara

Siegfried
Please sign in to rate this answer.

0 comments No comments
Sign in to comment