[JIRA] (JENKINS-60998) Azure VM Agents is using incorrect subscription id

ali.allomani@gmail.com (JIRA)

Feb 6, 2020, 8:32:03 AM
to jenkinsc...@googlegroups.com
Ali Allomani created an issue
Jenkins / New Feature JENKINS-60998
Azure VM Agents is using incorrect subscription id
Issue Type: New Feature
Assignee: Azure DevOps
Components: azure-vm-agents-plugin
Created: 2020-02-06 13:31
Environment: Jenkins ver. 2.204.2
Plugin-Version: 1.4.0
Priority: Major
Reporter: Ali Allomani

Setup:

Jenkins running on Azure VMSS with User Assigned Identity

As long as the user assigned identity has permission on a single subscription it's working fine.

However, whenever the identity is granted additional permissions on different subscriptions (to use a shared image gallery from a different subscription, for example), the plugin seems to start mixing the subscription id related to the Jenkins VM with other subscription ids that the assigned user has permission on,

resulting in the plugin looking into the resource group it needs to create the on-demand node in using a different subscription id, which doesn't belong to the correct subscription that the master VM is on.

For example, the below error:

2020-02-06 12:48:45.068+0000 [id=75] WARNING c.m.a.v.AzureVMAgentCleanUpTask#cleanLeakedResources: AzureVMAgentCleanUpTask: cleanLeakedResources: failed to clean leaked resources
com.microsoft.azure.CloudException: Status code 403, {"error":{"code":"AuthorizationFailed","message":"The client 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' with object id 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/resources/read' over scope '/subscriptions/33624c78-bcdf-49df-bf49-fbe14947a438/resourceGroups/Corecard-uat-jenkins' or the scope is invalid. If access was recently granted, please refresh your credentials."}}: The client 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' with object id 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/resources/read' over scope '/subscriptions/33624c78-bcdf-49df-bf49-fbe14947a438/resourceGroups/Corecard-uat-jenkins' or the scope is invalid. If access was recently granted, please refresh your credentials.

Here the master VM subscription id is 9704c182-c080-4d46-818c-b13c6fd14ff9 and the resource group Corecard-uat-jenkins belongs to the same subscription,

and the user identity [f014155c-4c3f-4f39-ac68-f6f1d80ecb4e] has read permission on [33624c78-bcdf-49df-bf49-fbe14947a438] and owner permission on [9704c182-c080-4d46-818c-b13c6fd14ff9].

From the Jenkins master:

[root@Jenkins000001 instances]# curl -s -H Metadata:True "http://169.254.169.254/metadata/instance?api-version=2017-08-01&format=json" | jq .compute.subscriptionId
"9704c182-c080-4d46-818c-b13c6fd14ff9"


This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)
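To turn the reporter's manual comparison into a repeatable check, here is an added Python example (it is not part of the issue or of the azure-vm-agents plugin): it reads the VM's own subscription from IMDS the same way the curl/jq command does, and flags every AuthorizationFailed line in a Jenkins log whose scope sits under a different subscription, which is the cross-subscription mix-up the report describes rather than an ordinary missing role. The sample log is constructed from the error quoted above; its second line and the `Microsoft.Compute/virtualMachines/delete` action are made up for contrast.

```python
import json
import re
import urllib.request

IMDS_URL = "http://169.254.169.254/metadata/instance?api-version=2017-08-01&format=json"

# Matches the scope quoted inside Azure's AuthorizationFailed message.
SCOPE_RE = re.compile(
    r"over scope '/subscriptions/(?P<sub>[0-9a-fA-F-]{36})/resourceGroups/(?P<rg>[^'/]+)'"
)
CLIENT_RE = re.compile(r"The client '(?P<client>[0-9a-fA-F-]{36})'")

def vm_subscription_id(timeout=2):
    """Ask the Azure Instance Metadata Service which subscription this VM is in
    (same query as the curl/jq command in the report; only works on an Azure VM)."""
    req = urllib.request.Request(IMDS_URL, headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["compute"]["subscriptionId"]

def find_subscription_mismatches(log_text, expected_subscription):
    """Return one record per AuthorizationFailed line whose scope lies under a
    subscription other than expected_subscription. A 403 inside the expected
    subscription is an ordinary permissions problem; one outside it means the
    plugin picked the wrong subscription for the controller's resource group."""
    findings = []
    for line in log_text.splitlines():
        scope = SCOPE_RE.search(line)
        if "AuthorizationFailed" not in line or scope is None:
            continue
        if scope.group("sub").lower() != expected_subscription.lower():
            client = CLIENT_RE.search(line)
            findings.append({
                "client": client.group("client") if client else None,
                "scope_subscription": scope.group("sub"),
                "resource_group": scope.group("rg"),
            })
    return findings

# Constructed sample: the report's 403 (JSON part) plus a constructed 403 inside the VM's own subscription.
SAMPLE_LOG = """\
com.microsoft.azure.CloudException: Status code 403, {"error":{"code":"AuthorizationFailed","message":"The client 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' with object id 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/resources/read' over scope '/subscriptions/33624c78-bcdf-49df-bf49-fbe14947a438/resourceGroups/Corecard-uat-jenkins' or the scope is invalid."}}
com.microsoft.azure.CloudException: Status code 403, {"error":{"code":"AuthorizationFailed","message":"The client 'f014155c-4c3f-4f39-ac68-f6f1d80ecb4e' does not have authorization to perform action 'Microsoft.Compute/virtualMachines/delete' over scope '/subscriptions/9704c182-c080-4d46-818c-b13c6fd14ff9/resourceGroups/Corecard-uat-jenkins' or the scope is invalid."}}
"""
VM_SUBSCRIPTION = "9704c182-c080-4d46-818c-b13c6fd14ff9"  # what IMDS returned in the report

if __name__ == "__main__":
    for f in find_subscription_mismatches(SAMPLE_LOG, VM_SUBSCRIPTION):
        print(f"identity {f['client']} was pointed at subscription {f['scope_subscription']} "
              f"(resource group {f['resource_group']}) instead of {VM_SUBSCRIPTION}")
```

On the controller itself, pass `vm_subscription_id()` instead of the constant and feed it the Jenkins log; any finding means the resource group was looked up under a subscription the identity merely has extra rights on.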

ali.allomani@gmail.com (JIRA)

Feb 7, 2020, 11:43:02 AM
to jenkinsc...@googlegroups.com
Ali Allomani updated an issue
Jenkins / Bug JENKINS-60998
Change By: Ali Allomani
Issue Type: changed from New Feature to Bug

ali.allomani@gmail.com (JIRA)

Feb 24, 2020, 11:26:03 AM
to jenkinsc...@googlegroups.com

vscjenkins@microsoft.com (JIRA)

Feb 25, 2020, 10:01:02 PM
to jenkinsc...@googlegroups.com