
[Bug Report]: Publishing to private bicep registry fails due to incorrect subscription context

Open lsnoddy opened this issue 3 years ago • 3 comments

Describe the bug

During the Publish Stage of a module pipeline execution and within the "Publish module to private bicep registry" task, if a Tenant contains more than one active subscription for the service principal, the first subscription in the list is selected for use. If the private bicep registry exists in a subscription other than what has been selected by default, the service principal attempts to execute the Publish script (Publish-ModuleToPrivateBicepRegistry.ps1) against an unintended subscription. In a scenario where the service principal does not have the necessary permissions on the selected subscription, an error results: e.g.

"Operation returned an invalid status code 'Forbidden'"

We need to be able to set the context to the desired subscription.

To reproduce

Run a module pipeline with the settings.yml file configured to publish to a private bicep registry in a Tenant with multiple active subscriptions associated with the service principal. Ensure the private bicep registry is located in a subscription other than the first listed available subscription to the service principal.

Code snippet

From jobs.publishModule.yml (lines 246-247)
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:servicePrincipalId, $SecuredPassword
Connect-AzAccount -ServicePrincipal -TenantId $env:tenantId -Credential $Credential

Relevant log output

No response

lsnoddy avatar Dec 19 '22 22:12 lsnoddy

I ran into this previously and added an additional variable for bicep_registry_subscription_id and a Set-AzContext in the publish script. Maybe we can use something similar here and add it to the settings or secure variable group?

ChrisSidebotham avatar Dec 20 '22 11:12 ChrisSidebotham

Using a subscriptionid variable in a variable group for the desired registry subscription and then setting context in the publish script was my workaround as well.

lsnoddy avatar Dec 20 '22 14:12 lsnoddy
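The workaround both comments above describe, written out as an added example; this is not CARML's own pipeline code and nothing here is taken from Publish-ModuleToPrivateBicepRegistry.ps1. The variable names $env:bicepRegistrySubscriptionId, $env:bicepRegistryRgName, $env:bicepRegistryName and $env:servicePrincipalKey are assumed pipeline/variable-group names, not ones the repository defines. The point it demonstrates is the one in the bug report: Connect-AzAccount with only -TenantId leaves the Az context on whichever subscription comes first for the service principal, so the context has to be pinned explicitly (Set-AzContext here; passing -Subscription to Connect-AzAccount is the equivalent one-step form) and verified before anything touches the registry.

```powershell
# Added example: sign in as the service principal, pin the Az context to the
# subscription that hosts the private Bicep registry, and verify it before the
# publish step runs. Variable names below are assumptions, not CARML's.

# $SecuredPassword is assumed to come from a servicePrincipalKey pipeline secret.
$SecuredPassword = ConvertTo-SecureString -String $env:servicePrincipalKey -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:servicePrincipalId, $SecuredPassword
Connect-AzAccount -ServicePrincipal -TenantId $env:tenantId -Credential $Credential | Out-Null

# Without this line the context stays on the first subscription the service
# principal can see, which is the behaviour the bug report describes.
$null = Set-AzContext -SubscriptionId $env:bicepRegistrySubscriptionId

# Fail fast if the context is not where we expect it; a 'Forbidden' from the
# registry later is much harder to diagnose than this message.
$ctx = Get-AzContext
if ($ctx.Subscription.Id -ne $env:bicepRegistrySubscriptionId) {
    throw "Az context is on subscription '$($ctx.Subscription.Id)', expected '$env:bicepRegistrySubscriptionId'"
}

# Confirm the registry is actually visible from this context before publishing.
# -ErrorAction Stop turns a missing/unauthorised registry into a terminating error.
$registry = Get-AzContainerRegistry -ResourceGroupName $env:bicepRegistryRgName -Name $env:bicepRegistryName -ErrorAction Stop
Write-Verbose "Publishing to $($registry.LoginServer) in subscription $($ctx.Subscription.Id)" -Verbose

# The existing publish script (not reproduced here) would be invoked at this point,
# now running against the intended subscription.
```

The subscription ID belongs in the same secure variable group as the service-principal secret so that every module pipeline pins to the same registry subscription; if the service principal is granted only the narrow AcrPush-style rights it needs on that one subscription, the Set-AzContext call is also what keeps the pipeline from silently working against a broader-privilege subscription it happens to see first.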

see #1085 --> needs to be done first

rahalan avatar Dec 20 '22 16:12 rahalan