Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Question]: @AzureFileCopy6 cannot find the storage account with WIF service connection if the UMI is in different subscription #20690

Open
1 of 4 tasks
hancheng-ms opened this issue Nov 26, 2024 · 16 comments

Comments

@hancheng-ms
Copy link

Task name

AzureFileCopy

Task version

6.248.3

Environment type (Please select at least one enviroment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

MMS windows 2022

Question

My pipeline to upload file to blob storage hit this error: ##[error]Storage account: csdngpstorage not found. The selected service connection 'Service Principal' supports storage accounts of Azure Resource Manager type only.

I think the UMI has all necessary permissions (reader, container blob contributor and so on) to access this subscription. The task tried to set Set-AzContext against a different subscription where the storage account was not created in. This reminded me to an issue I hit before in my custom az script. Because we manually created the WIF service connection and use this single UMI to access all azure subscriptions in MS tenant, we just need to add the umi to be "reader" of these subs and it worked well for most devops pipelines. Except I need to add one line to select the right subscription context to the azCLI script to make it pick right subscription need to work on.

Does AzureFileCopy support this scenario? How can I pick the subscription in the AzureFileCopy? Do we need a feature change to this pipeline task?
@v-schhabra
Copy link
Contributor

Hi @hancheng-ms
Thanks for reporting this issue.
Could you pls share the complete pipeline logs by adding the variable "system.debug" to true?

@v-schhabra v-schhabra added the Area:RM RM task team label Nov 26, 2024
@hancheng-ms
Copy link
Author

Upload the log in this file, AzureFileCopy6.log, also if you are MS employee you can use this link https://microsoft.visualstudio.com/OSGCXE/_build/results?buildId=111440037&view=logs&j=d9011fe4-49d8-516e-6af1-e5afc7ba01d4&t=be5330e2-f88e-5b94-f22f-9affc1ee0a93

@v-schhabra
Copy link
Contributor

Hi @hancheng-ms
In the latest release we observed that the task is getting succeeded without any errors. Could you please let us know if the error is sporadic or not?
And did you made any changes in the task post that it started to succeed.

@hancheng-ms
Copy link
Author

hancheng-ms commented Dec 2, 2024

@v-schhabra I just used another non FIC service connection to unblock my deployment, you need check the previous running history in 20241126.1 I shared above

@v-schhabra
Copy link
Contributor

Thanks for responding. Will check this issue and keep you posted on the updates.

@v-vinaykoora
Copy link

@hancheng-ms We tried to repo the issue, but we didn't see any errors. Based on the error message which you have shared above.

We suspect you were not using ARM service connection or the storage account which you were using is classic storage account and not an ARM type.

Can you please verify and clarify on the above 2 queries

My pipeline to upload file to blob storage hit this error: ##[error]Storage account: csdngpstorage not found. The selected service connection 'Service Principal' supports storage accounts of Azure Resource Manager type only.

@hancheng-ms
Copy link
Author

hancheng-ms commented Dec 30, 2024

We use the arm service connection (workload identity federation with openid connect), and could you share the way to check if a storage account is classic or arm type? But I think the storage is the ARM type, I checked some document and the names of traditional storage account has the suffix '(classic)'.

@hancheng-ms
Copy link
Author

I can confirm now that all of our blob storages are v2 so they are ARM type. I also checked our azure custom role we assigned to the UMI in the blob storage, it has the same config as our role in PME. The pipeline runs well against PME tenant.

I can repo this issue in another pipeline https://microsoft.visualstudio.com/OSGCXE/_build/results?buildId=111391237&view=logs&j=d9011fe4-49d8-516e-6af1-e5afc7ba01d4&t=be5330e2-f88e-5b94-f22f-9affc1ee0a93. Did you place the UMI in another subscription when you tried to repro the error?

@v-vinaykoora
Copy link

@hancheng-ms Thanks for the information. Yes, for the classic storage accounts we will be having the suffix as classic beside them. Can you please also let us know what kind of role you assigned to UMI for the blob storage.

We have tried from our end where both the storage account and UMI are in same subscriptions. Can you please let us know are you using storage account in one subscription and UMI in another subscription and also please check whether this storage account "csdngpstorage" exists in azure portal.

@hancheng-ms
Copy link
Author

we assigned our custom role to the blob storage, I can share the role's config with you in Teams.

and No, our UMI and storage accounts are NOT in the same subscription, I guess this causes this error in our pipeline.

csdngpstorage exist, it is our one of our dev storage used for years.

@v-vinaykoora
Copy link

v-vinaykoora commented Jan 2, 2025

@hancheng-ms Yes, the issue is indeed caused by the mismatch in subscriptions. The User-Managed Identity (UMI) and the resources it is accessing, including the subscription, must reside within the same subscription.

Please create the UMI in the same subscription as the target resources. Once this alignment is complete, retry the task and let us know the results. If you face any further challenges, feel free to reach out for assistance.

@hancheng-ms
Copy link
Author

We cannot move or recreate this UMI because our FIC service connection is used for multiple azure subscriptions, can your team implement this feature to support multiple azure subscription scenario? Like add a new optional input "subscriptions" to choose which azure sub the script runs on.

@v-vinaykoora
Copy link

@hancheng-ms : Can you please let us know whether you have provided permissions to User Managed identity on the storage account and if yes, let us know what was the scope provided to it.

@hancheng-ms
Copy link
Author

hancheng-ms commented Jan 9, 2025

Yes, the UMI has permission to the storage account, we assigned our customer role to the UMI in the resource group which contains the storage account. So in the Storage container's IAM we can see the role assignment inherited from resource group. Also this UMI has reader permission to our subscriptions.

screenshot from the container's IAM
Image

@v-vinaykoora
Copy link

@hancheng-ms As per the screenshot you have provided, we don't need Key vault reader permission. Could you please provide the contributor permission for the managed identity and give a try of it.

We have tested in our local organization, and it was able to read the storage account details.

@hancheng-ms
Copy link
Author

hancheng-ms commented Jan 10, 2025

Please ignore the Key vault reader and other irrelevant permissions here, this FIC service connection is our main connection used in all of pipelines for kinds of deployments. We use our custom role to replace the "contributor" because "contributor" role is now restricted in MS production subsections.

This is a dev storage in a non-prod subsection, I can grant it contributor for testing. I tried to grant it contributor permission to the storage account, as I expected, the rerun failed and hit the same error,https://microsoft.visualstudio.com/OSGCXE/_build/results?buildId=113261027&view=logs&j=e45ccd40-c67e-55a4-69cb-0cefe33cabc5&t=48c30e4d-6c7c-5e11-7bf2-67334b5bec82

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants