  Jenkins / JENKINS-60998

Azure VM Agents is using incorrect subscription id


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Component/s: _unsorted
    • Labels:
      None
    • Environment:
      Jenkins ver. 2.204.2
      Plugin-Version: 1.4.0

      Description

      Setup:

      Jenkins running on Azure VMSS with User Assigned Identity

      As long as the user assigned identity has permission on a single subscription it's working fine.

      However, whenever the identity is granted additional permissions on different subscriptions (to use a shared image gallery from a different subscription, for example), the plugin seems to start mixing the subscription id related to the Jenkins VM with other subscription ids that the assigned user has permission on,

      resulting in the plugin looking into the resource group in which it needs to create the on-demand node using a different subscription id, one which doesn't belong to the correct subscription that the master VM is on.

      For example, the below error:


      2020-02-06 12:48:45.068+0000 [id=75] WARNING c.m.a.v.AzureVMAgentCleanUpTask#cleanLeakedResources: AzureVMAgentCleanUpTask: cleanLeakedResources: failed to clean leaked resources
      com.microsoft.azure.CloudException: Status code 403, {"error":{"code":"AuthorizationFailed","message":"The client 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' with object id 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/resources/read' over scope '/subscriptions/33624c78-bcdf-49df-bf49-fbe14947a438/resourceGroups/Corecard-uat-jenkins' or the scope is invalid. If access was recently granted, please refresh your credentials."}}: The client 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' with object id 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/resources/read' over scope '/subscriptions/33624c78-bcdf-49df-bf49-fbe14947a438/resourceGroups/Corecard-uat-jenkins' or the scope is invalid. If access was recently granted, please refresh your credentials.


      Here the master VM subscription id is 9704c182-c080-4d46-818c-b13c6fd14ff9 and the resource group Corecard-uat-jenkins belongs to the same subscription,

      and the user identity [f014155c-4c3f-4f39-ac68-f6f1d80ecb4e]  has read permission on [33624c78-bcdf-49df-bf49-fbe14947a438] and owner permission on [9704c182-c080-4d46-818c-b13c6fd14ff9]

      From the Jenkins master:

      [root@Jenkins000001 instances]# curl -s -H Metadata:True "http://169.254.169.254/metadata/instance?api-version=2017-08-01&format=json" | jq .compute.subscriptionId
      "9704c182-c080-4d46-818c-b13c6fd14ff9"
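Added example, not from the report or the plugin: a small diagnostic that automates the check the reporter did by hand. It reads the VM's own subscription id and resource group from the IMDS instance document (the same endpoint queried with curl above) and compares them against the subscription named in the scope of each `AuthorizationFailed` log line, flagging entries where the VM's own resource group name was addressed under a different subscription, which is the symptom described here. The IMDS document and the log line below are constructed from the values shown in this report; the `fetch_imds_instance` helper only succeeds when run on an Azure VM and the script falls back to the constructed sample otherwise.

```python
import json
import re
import urllib.request

# IMDS instance endpoint the reporter queried with curl; requires the Metadata header.
IMDS_URL = ("http://169.254.169.254/metadata/instance"
            "?api-version=2017-08-01&format=json")

# Constructed sample of the IMDS document, using the subscription id and
# resource group shown in this report (only the fields this check needs).
SAMPLE_IMDS_DOC = {
    "compute": {
        "name": "Jenkins000001",
        "resourceGroupName": "Corecard-uat-jenkins",
        "subscriptionId": "9704c182-c080-4d46-818c-b13c6fd14ff9",
    }
}

# The AuthorizationFailed message from the report's Jenkins log (JSON part only).
SAMPLE_LOG_LINE = (
    "com.microsoft.azure.CloudException: Status code 403, "
    "{\"error\":{\"code\":\"AuthorizationFailed\",\"message\":\"The client "
    "'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' with object id "
    "'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' does not have authorization to "
    "perform action 'Microsoft.Resources/subscriptions/resourceGroups/resources/read' "
    "over scope '/subscriptions/33624c78-bcdf-49df-bf49-fbe14947a438/"
    "resourceGroups/Corecard-uat-jenkins' or the scope is invalid. If access "
    "was recently granted, please refresh your credentials.\"}}"
)

_CLIENT_RE = re.compile(r"The client '([0-9a-fA-F-]{36})'")
_SCOPE_RE = re.compile(
    r"over scope '/subscriptions/([0-9a-fA-F-]{36})"
    r"(?:/resourceGroups/([^/']+))?")


def fetch_imds_instance(timeout=2):
    """Fetch the live IMDS instance document; only succeeds on an Azure VM."""
    req = urllib.request.Request(IMDS_URL, headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def instance_scope(imds_doc):
    """Subscription id (lower-cased) and resource group the VM itself lives in."""
    compute = imds_doc["compute"]
    return compute["subscriptionId"].lower(), compute.get("resourceGroupName")


def parse_authorization_failure(line):
    """Extract client id, subscription id and resource group from a 403 AuthorizationFailed line."""
    if "AuthorizationFailed" not in line:
        return None
    scope = _SCOPE_RE.search(line)
    if scope is None:
        return None
    client = _CLIENT_RE.search(line)
    return {
        "client_id": client.group(1).lower() if client else None,
        "subscription_id": scope.group(1).lower(),
        "resource_group": scope.group(2),
    }


def check_log_against_instance(log_lines, imds_doc):
    """One finding per AuthorizationFailed line whose scope names a subscription
    other than the VM's own. same_resource_group_name=True is the signature in
    this report: the VM's own resource group addressed under the wrong subscription."""
    own_sub, own_rg = instance_scope(imds_doc)
    findings = []
    for line in log_lines:
        parsed = parse_authorization_failure(line)
        if parsed is None or parsed["subscription_id"] == own_sub:
            continue
        rg = parsed["resource_group"]
        findings.append({
            "client_id": parsed["client_id"],
            "expected_subscription": own_sub,
            "used_subscription": parsed["subscription_id"],
            "resource_group": rg,
            "same_resource_group_name": (
                rg is not None and own_rg is not None and rg.lower() == own_rg.lower()),
        })
    return findings


if __name__ == "__main__":
    try:
        doc = fetch_imds_instance()
    except Exception:  # not on an Azure VM: fall back to the constructed sample
        doc = SAMPLE_IMDS_DOC
    for finding in check_log_against_instance([SAMPLE_LOG_LINE], doc):
        print("subscription mismatch:", json.dumps(finding, indent=2))
```

Run on the Jenkins master, feed it lines from the Jenkins log; a finding whose `resource_group` equals the VM's own group but whose `used_subscription` differs from `expected_subscription` points at the plugin (or its credential configuration) addressing the right resource group through the wrong subscription, rather than at a genuinely missing role assignment.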



          Activity

          allomani Ali Allomani added a comment -

          Jie Shen, maybe you can take a look into this?

          azure_devops Azure DevOps added a comment -

          Hi Chang Li, maybe you can take a look?

          rafa_nab Rafa Pizzi added a comment - edited

          We are having the same issues here.

          Ali Allomani, did you get any work around it?

          Azure DevOps, this is a very concerning bug. Once we assigned our managed identity access to other subscriptions, the whole thing stopped working.


          timja Tim Jacomb added a comment -

          All issues have been transferred to GitHub.

          See https://github.com/jenkinsci/azure-vm-agents-plugin/issues

          Search the issue title to find it.

          (This is a bulk comment and can't link to the specific issue)


            People

            Assignee:
            azure_devops Azure DevOps
            Reporter:
            allomani Ali Allomani
            Votes:
            0
            Watchers:
            4
