JENKINS-60998

Azure VM Agents is using incorrect subscription id


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • Component: _unsorted
    • Labels: None
    • Environment: Jenkins ver. 2.204.2
      Plugin-Version: 1.4.0

      Setup:

      Jenkins running on Azure VMSS with User Assigned Identity

      As long as the user assigned identity has permission on a single subscription it works fine.

      However, whenever the identity is granted additional permissions on different subscriptions (to use a shared image gallery from a different subscription, for example), the plugin seems to start mixing the subscription id of the Jenkins VM with the other subscription ids the assigned identity has permission on,

      resulting in the plugin looking for the resource group it needs to create on-demand nodes in under a different subscription id, which doesn't belong to the subscription the master VM is in.

      For example, the error below:


      2020-02-06 12:48:45.068+0000 [id=75] WARNING c.m.a.v.AzureVMAgentCleanUpTask#cleanLeakedResources: AzureVMAgentCleanUpTask: cleanLeakedResources: failed to clean leaked resources
      com.microsoft.azure.CloudException: Status code 403, {"error":{"code":"AuthorizationFailed","message":"The client 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' with object id 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/resources/read' over scope '/subscriptions/33624c78-bcdf-49df-bf49-fbe14947a438/resourceGroups/Corecard-uat-jenkins' or the scope is invalid. If access was recently granted, please refresh your credentials."}}: The client 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' with object id 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/resources/read' over scope '/subscriptions/33624c78-bcdf-49df-bf49-fbe14947a438/resourceGroups/Corecard-uat-jenkins' or the scope is invalid. If access was recently granted, please refresh your credentials.


      Here the master VM subscription id is 9704c182-c080-4d46-818c-b13c6fd14ff9 and the resource group Corecard-uat-jenkins belongs to the same subscription,

      and the user identity [f014155c-4c3f-4f39-ac68-f6f1d80ecb4e] has read permission on [33624c78-bcdf-49df-bf49-fbe14947a438] and owner permission on [9704c182-c080-4d46-818c-b13c6fd14ff9].

      From the Jenkins master:

      [root@Jenkins000001 instances]# curl -s -H Metadata:True "http://169.254.169.254/metadata/instance?api-version=2017-08-01&format=json" | jq .compute.subscriptionId
      "9704c182-c080-4d46-818c-b13c6fd14ff9"

            Assignee: Azure DevOps
            Reporter: Ali Allomani
            Votes: 0
            Watchers: 4
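A small triage helper for the mix-up the report describes, added here as an example and not part of the Azure VM Agents plugin or the reporter's setup: it pulls the principal, action and scope out of the ARM AuthorizationFailed message and checks whether the subscription in the denied scope matches the subscription IMDS reports for the VM the controller runs on. The IMDS reply and the error text below are constructed from the values quoted in the issue; the function names are assumptions of this example.

```python
"""Triage helper: does the subscription in a denied ARM scope match the VM's own?

Added example, not code from the plugin or the issue. The sample inputs are
constructed from the values quoted in JENKINS-60998.
"""
import json
import re

# Constructed IMDS reply, reduced to the one field used here; the value is the
# one the issue shows from `curl ... /metadata/instance`.
IMDS_COMPUTE = json.dumps(
    {"compute": {"subscriptionId": "9704c182-c080-4d46-818c-b13c6fd14ff9"}}
)

# The ARM 403 body the plugin logged, as quoted in the issue.
ERROR_MESSAGE = (
    'Status code 403, {"error":{"code":"AuthorizationFailed","message":'
    '"The client \'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e\' with object id '
    '\'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e\' does not have authorization to '
    'perform action \'Microsoft.Resources/subscriptions/resourceGroups/resources/read\' '
    'over scope \'/subscriptions/33624c78-bcdf-49df-bf49-fbe14947a438/resourceGroups/'
    'Corecard-uat-jenkins\' or the scope is invalid. If access was recently granted, '
    'please refresh your credentials."}}'
)

_CLIENT_RE = re.compile(r"The client '([^']+)' with object id '([^']+)'")
_ACTION_RE = re.compile(r"perform action '([^']+)'")
_SCOPE_RE = re.compile(r"over scope '([^']+)'")
# ARM scope shape: /subscriptions/<guid>[/resourceGroups/<name>[/...]]
_SUB_RE = re.compile(
    r"^/subscriptions/([0-9a-f-]{36})(?:/resourceGroups/([^/]+))?", re.IGNORECASE
)


def parse_authorization_failed(message):
    """Pull principal, action and scope out of an ARM AuthorizationFailed message.

    Returns None when the text is not in that shape, so callers can skip
    unrelated log lines instead of guessing.
    """
    client = _CLIENT_RE.search(message)
    action = _ACTION_RE.search(message)
    scope = _SCOPE_RE.search(message)
    if not (client and action and scope):
        return None
    scope_str = scope.group(1)
    sub = _SUB_RE.match(scope_str)
    return {
        "client_id": client.group(1),
        "object_id": client.group(2),
        "action": action.group(1),
        "scope": scope_str,
        "subscription_id": sub.group(1).lower() if sub else None,
        "resource_group": sub.group(2) if sub and sub.group(2) else None,
    }


def vm_subscription_from_imds(imds_json):
    """Subscription the VM actually lives in, per the instance metadata service."""
    return json.loads(imds_json)["compute"]["subscriptionId"].lower()


def diagnose(imds_json, error_message):
    """Compare the denied scope's subscription with the VM's own subscription."""
    vm_sub = vm_subscription_from_imds(imds_json)
    parsed = parse_authorization_failed(error_message)
    result = {"vm_subscription": vm_sub, "scope_subscription": None,
              "resource_group": None, "mismatch": False}
    if parsed is None or parsed["subscription_id"] is None:
        result["verdict"] = "not an ARM AuthorizationFailed message with a subscription scope"
        return result
    result["scope_subscription"] = parsed["subscription_id"]
    result["resource_group"] = parsed["resource_group"]
    result["mismatch"] = parsed["subscription_id"] != vm_sub
    if result["mismatch"]:
        result["verdict"] = (
            f"{parsed['client_id']} was denied {parsed['action']} on resource group "
            f"{parsed['resource_group']} under subscription {parsed['subscription_id']}, "
            f"but IMDS says this VM is in {vm_sub}: the wrong subscription id is being used"
        )
    else:
        result["verdict"] = (
            f"scope subscription matches the VM's; {parsed['client_id']} is genuinely "
            f"missing {parsed['action']} on {parsed['scope']}"
        )
    return result


if __name__ == "__main__":
    print(json.dumps(diagnose(IMDS_COMPUTE, ERROR_MESSAGE), indent=2))
```

Feed it the real IMDS output and a copied log line: a mismatch means the plugin is addressing the resource group under a subscription other than the VM's, which is the symptom reported here; a match means the identity is simply missing the role on the scope named, and the fix is an RBAC assignment rather than a plugin change.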