- Bug
- Resolution: Duplicate
- Major
- None
Jenkins ver. 2.204.2
Plugin-Version: 1.4.0

Setup:
Jenkins running on Azure VMSS with User Assigned Identity
As long as the user assigned identity has permission on a single subscription, it's working fine.
However, whenever the identity is granted additional permissions on different subscriptions (to use a shared image gallery from a different subscription, for example), the plugin seems to start mixing the subscription id related to the Jenkins VM with other subscription ids that the assigned identity has permission on,
resulting in the plugin looking for the resource group in which it needs to create the on-demand node using a different subscription id, one which doesn't belong to the subscription the master VM is on.
For example, the error below:
2020-02-06 12:48:45.068+0000 [id=75] WARNING c.m.a.v.AzureVMAgentCleanUpTask#cleanLeakedResources: AzureVMAgentCleanUpTask: cleanLeakedResources: failed to clean leaked resources com.microsoft.azure.CloudException: Status code 403, {"error":{"code":"AuthorizationFailed","message":"The client 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' with object id 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/resources/read' over scope '/subscriptions/33624c78-bcdf-49df-bf49-fbe14947a438/resourceGroups/Corecard-uat-jenkins' or the scope is invalid. If access was recently granted, please refresh your credentials."}}: The client 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' with object id 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/resources/read' over scope '/subscriptions/33624c78-bcdf-49df-bf49-fbe14947a438/resourceGroups/Corecard-uat-jenkins' or the scope is invalid. If access was recently granted, please refresh your credentials.
Here the master VM subscription id is 9704c182-c080-4d46-818c-b13c6fd14ff9 and the resource group Corecard-uat-jenkins belongs to the same subscription,
and the user identity [f014155c-4c3f-4f39-ac68-f6f1d80ecb4e] has read permission on [33624c78-bcdf-49df-bf49-fbe14947a438] and owner permission on [9704c182-c080-4d46-818c-b13c6fd14ff9].
From the Jenkins master:
[root@Jenkins000001 instances]# curl -s -H Metadata:True "http://169.254.169.254/metadata/instance?api-version=2017-08-01&format=json" | jq .compute.subscriptionId
"9704c182-c080-4d46-818c-b13c6fd14ff9"
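The report's diagnosis rests on comparing two values: the subscription id that IMDS reports for the master VM (`.compute.subscriptionId` from the curl above) and the subscription id inside the `scope` of the `AuthorizationFailed` error. The following is an added example, written for this page and not code from the Azure VM Agents plugin or from the reporter, that automates that comparison over plugin log lines so a "wrong subscription" failure can be told apart from a genuinely missing RBAC assignment. It assumes the IMDS response has the `compute.subscriptionId` shape shown in the report (a constructed copy of that JSON is embedded so the script runs offline), and the sample log lines are a constructed copy of the reported line plus two constructed variants; the function names `extract_error`, `scope_of`, `classify` and `audit` are this example's own.

```python
import json
import re

# Constructed stand-in for the IMDS instance document returned by
# curl -s -H Metadata:True "http://169.254.169.254/metadata/instance?api-version=2017-08-01&format=json"
# Only the field this check uses is included; the value is the one in the report.
IMDS_SAMPLE = {"compute": {"subscriptionId": "9704c182-c080-4d46-818c-b13c6fd14ff9"}}

# Constructed copy of the reported log line (trailing repeat of the message dropped).
LOG_LINE = (
    "2020-02-06 12:48:45.068+0000 [id=75] WARNING c.m.a.v.AzureVMAgentCleanUpTask#cleanLeakedResources: "
    "AzureVMAgentCleanUpTask: cleanLeakedResources: failed to clean leaked resources "
    "com.microsoft.azure.CloudException: Status code 403, "
    '{"error":{"code":"AuthorizationFailed","message":"The client '
    "'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' with object id 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' "
    "does not have authorization to perform action "
    "'Microsoft.Resources/subscriptions/resourceGroups/resources/read' over scope "
    "'/subscriptions/33624c78-bcdf-49df-bf49-fbe14947a438/resourceGroups/Corecard-uat-jenkins' "
    "or the scope is invalid. If access was recently granted, please refresh your credentials.\"}}"
)

# Constructed variants: the same failure against the VM's own subscription (a real
# missing-permission case), and an unrelated INFO line that carries no error body.
LOG_LINES = [
    LOG_LINE,
    LOG_LINE.replace("33624c78-bcdf-49df-bf49-fbe14947a438", "9704c182-c080-4d46-818c-b13c6fd14ff9"),
    "2020-02-06 12:50:00.000+0000 [id=76] INFO c.m.a.v.AzureVMAgentCleanUpTask#execute: started",
]

# Subscription ids are 36-character GUIDs; the resource group name runs up to the closing quote.
SCOPE_RE = re.compile(r"over scope '/subscriptions/([0-9a-fA-F-]{36})/resourceGroups/([^/']+)'")


def home_subscription(imds_doc):
    """Subscription the Jenkins master VM lives in, as reported by IMDS."""
    return imds_doc["compute"]["subscriptionId"]


def extract_error(log_line):
    """Return the 'error' object embedded in a plugin log line, or None if there is none.

    The plugin appends the raw ARM error JSON after 'Status code 403, ', followed by
    free text, so raw_decode is used to stop at the end of the JSON object.
    """
    start = log_line.find("{")
    if start < 0:
        return None
    try:
        obj, _ = json.JSONDecoder().raw_decode(log_line[start:])
    except ValueError:
        return None
    return obj.get("error") if isinstance(obj, dict) else None


def scope_of(error):
    """(subscription id, resource group) named in an AuthorizationFailed scope, or None."""
    if not error or error.get("code") != "AuthorizationFailed":
        return None
    m = SCOPE_RE.search(error.get("message", ""))
    return (m.group(1), m.group(2)) if m else None


def classify(log_line, home):
    """Label one log line relative to the VM's home subscription."""
    scope = scope_of(extract_error(log_line))
    if scope is None:
        return "other"
    subscription, _resource_group = scope
    if subscription != home:
        # The plugin addressed the resource group under a subscription the VM is not in:
        # the mix-up described in this report, not an RBAC gap to be fixed by granting roles.
        return "wrong-subscription"
    # Right subscription, so the identity really lacks the action on that resource group.
    return "missing-permission"


def audit(log_lines, imds_doc):
    """Classify every line; returns [(verdict, subscription id from the scope or None), ...]."""
    home = home_subscription(imds_doc)
    results = []
    for line in log_lines:
        scope = scope_of(extract_error(line))
        results.append((classify(line, home), scope[0] if scope else None))
    return results


if __name__ == "__main__":
    for verdict, subscription in audit(LOG_LINES, IMDS_SAMPLE):
        print(f"{verdict:20s} scope subscription={subscription}")
```

On a live master the `IMDS_SAMPLE` dictionary would be replaced by the parsed output of the curl command in the report, and `LOG_LINES` by the lines of the Jenkins log; a "wrong-subscription" verdict for a resource group that exists in the home subscription is the signature of the behaviour the report describes, whereas "missing-permission" points at an actual role-assignment gap.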