azure-dev: `azd pipeline config` - Insufficient privileges to complete the operation
Describe the issue:
`azd pipeline config` test fails.
The failure error is as follows:
Repro steps:
1. Run command `azd up`
2. Run command `azd pipeline config`
Environment:
- OS: Linux desktop. Template: todo-nodejs-mongo, todo-csharp-cosmos-sql, todo-nodejs-mongo-swa-func, todo-python-mongo, todo-python-mongo-swa-func
- OS: CodeSpace. Template: todo-csharp-cosmos-sql, todo-nodejs-mongo, todo-nodejs-mongo-aca, todo-nodejs-mongo-swa-func, todo-python-mongo, todo-python-mongo-aca, todo-python-mongo-swa-func
Expected behavior:
In a Linux environment, when the Azure CLI version is 2.38.0, the `azd pipeline config` test can succeed.
@rajeshkamal5050, @jongio for notification.
About this issue
- State: closed
- Created 2 years ago
- Comments: 34 (29 by maintainers)
Thank you @rajeshkamal5050

Both issues are sort of related, as they are both a side effect of the same Conditional Access Policy. But it is OK to use both issues.

So, for using a service principal, I have checked what is the required permissions to be added to the service principal and they are:

This access requires admin consent, so it won't be possible to have it within Microsoft tenant. (Microsoft does not provide admin consent for testing applications.)

So, this test scenario for using a service principal to log in (`az login --service-principal`) won't work when using any Azure subscription within Microsoft tenant. In order to use a service principal, please create a new Azure Subscription outside Microsoft tenant.

Here's a way to do it:

1. Try Azure for free (for personal account) or the use credits in Azure to explore (for @microsoft accounts) activate instructions to set up a new Azure subscription.
2. Go to API permissions and click Add permissions
3. Select Microsoft Graph
4. Select application permissions
5. Look for Application.ReadWrite and add it
6. Grant Admin consent for <subscription>. It should be enabled as you are the owner and admin of the tenant, so you can grant the permission.

At this point, the service principal is allowed to list/update/create service principals within the subscription. The next step is to assign the User Access Administrator role to the Service Principal within the subscription so it can assign roles/access within the Azure subscription. You should already know how to do this step, as it is the result of this: https://github.com/Azure/azure-dev/issues/197#issuecomment-1255779265

Note: You only need to add the User Access Administrator role for `azd pipeline config`. But you might need the Contributor role for other azd operations.

Once you add the roles, you are ready to log in with `az login` using the Service Principal within the test subscription 😃

Let me know if you try this and have any issues.
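A pre-flight check for the two prerequisites the comment above lists (Microsoft Graph Application.ReadWrite as an application permission, and User Access Administrator at subscription scope), written as an added example that is not part of the issue or of azd itself. It assumes the inputs are the parsed JSON output of `az ad app permission list --id <appId>` and `az role assignment list --assignee <appId> --all`, that "Application.ReadWrite" in the comment means the Graph app role Application.ReadWrite.All, and it uses a constructed sample rather than a live tenant.

```python
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph resource app id
# Graph app-role id for Application.ReadWrite.All (assumed to be the "Application.ReadWrite" meant above)
APP_READWRITE_ALL_ROLE = "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"
REQUIRED_ROLE = "User Access Administrator"


def check_sp_ready(required_resource_access, role_assignments, subscription_id):
    """Return a list of problems; an empty list means both prerequisites from the comment are met.

    required_resource_access: parsed output of `az ad app permission list --id <appId>`
    role_assignments:         parsed output of `az role assignment list --assignee <appId> --all`
    Admin consent is not visible in either output, so that step still has to be verified in the portal.
    """
    problems = []
    graph = [a for r in required_resource_access if r.get("resourceAppId") == GRAPH_APP_ID
             for a in r.get("resourceAccess", []) if a.get("id") == APP_READWRITE_ALL_ROLE]
    if not graph:
        problems.append("Microsoft Graph Application.ReadWrite.All is not requested by the app registration")
    elif not any(a.get("type") == "Role" for a in graph):
        # "Scope" is a delegated permission; the comment asks for an application permission ("Role")
        problems.append("Application.ReadWrite.All is requested as delegated (Scope), not application (Role)")

    sub_scope = f"/subscriptions/{subscription_id}".lower()
    uaa = [ra for ra in role_assignments if ra.get("roleDefinitionName") == REQUIRED_ROLE]
    if not uaa:
        problems.append(f"no '{REQUIRED_ROLE}' role assignment found for the service principal")
    # an assignment on a resource group or single resource is not enough; root scope "/" inherits down
    elif not any(ra.get("scope", "").lower() in (sub_scope, "/") for ra in uaa):
        problems.append(f"'{REQUIRED_ROLE}' is not assigned at {sub_scope}")
    return problems


# Constructed sample: Graph permission is correct, but the role was assigned on a resource group only.
SAMPLE_SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE_PERMISSIONS = json.loads("""[{"resourceAppId": "00000003-0000-0000-c000-000000000000",
  "resourceAccess": [{"id": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9", "type": "Role"}]}]""")
SAMPLE_ASSIGNMENTS = json.loads("""[{"roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"roleDefinitionName": "User Access Administrator",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-todo"}]""")

if __name__ == "__main__":
    for p in check_sp_ready(SAMPLE_PERMISSIONS, SAMPLE_ASSIGNMENTS, SAMPLE_SUB):
        print("NOT READY:", p)
```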
Removing blocker based on above update. Let us try to document it as a limitation based on
@vhvb1989 can you work with @puicchan to get it documented.