[Issue] UnmatchedPrincipalType in .NET Aspire application with azd provision in GitHub action
In a GitHub action I see this error on azd provision:
(✓) Done: Resource group: rg-codebreaker-08-dev
(✓) Done: Log Analytics workspace: law-ssengodjcf2mu
(✓) Done: Container Registry: acrssengodjcf2mu
(✓) Done: Key Vault: cbcosmoskvssengodjcf2mu
(✓) Done: Container Apps Environment: cae-ssengodjcf2mu
ERROR: deployment failed: failing invoking action 'provision', error deploying infrastructure: deploying to subscription:
Deployment Error Details:
UnmatchedPrincipalType: The PrincipalId '31f0a1d34db54e05a7dc3970ccf5729a' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'.
The error message also contains a typo: PrinciaplType
This is the .NET Aspire app model used:
```csharp
var builder = DistributedApplication.CreateBuilder(args);

// Falls back to the in-memory store unless the DataStore configuration value is set.
string dataStore = builder.Configuration["DataStore"] ?? "InMemory";

// Lets azd provision the Azure resources referenced below.
builder.AddAzureProvisioning();

var cosmos = builder.AddAzureCosmosDB("cbcosmos")
    .AddDatabase("codebreaker");

var gameAPIs = builder.AddProject<Projects.Codebreaker_GameAPIs>("gameapis")
    .WithReference(cosmos)
    .WithEnvironment("DataStore", dataStore);

builder.AddProject<Projects.CodeBreaker_Bot>("bot")
    .WithReference(gameAPIs);

builder.Build().Run();
```
I did azd init and azd pipeline config (after creating a .github/workflows folder in the src directory).
This is the GitHub Actions workflow:
```yaml
name: Codebreaker Deploy
on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - 'src/**'

# id-token: write is what allows the federated (OIDC) login to Azure below.
permissions:
  id-token: write
  contents: read

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./src
    env:
      AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
      AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
      AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
      AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
      AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install azd
        uses: Azure/[email protected]

      # temporary version for daily build
      - name: Update workloads
        run: dotnet workload update --skip-sign-check --source https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet8/nuget/v3/index.json

      - name: Install .NET Aspire workload
        run: dotnet workload install aspire --skip-sign-check --source https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet8/nuget/v3/index.json

      # Used when a federated credential is configured: no secret is stored in the repo.
      - name: Log in with Azure (Federated Credentials)
        if: ${{ env.AZURE_CLIENT_ID != '' }}
        run: |
          azd auth login `
            --client-id "$Env:AZURE_CLIENT_ID" `
            --federated-credential-provider "github" `
            --tenant-id "$Env:AZURE_TENANT_ID"
        shell: pwsh

      # Fallback for a client-secret credential stored in the AZURE_CREDENTIALS secret.
      - name: Log in with Azure (Client Credentials)
        if: ${{ env.AZURE_CREDENTIALS != '' }}
        run: |
          $info = $Env:AZURE_CREDENTIALS | ConvertFrom-Json -AsHashtable;
          Write-Host "::add-mask::$($info.clientSecret)"
          azd auth login `
            --client-id "$($info.clientId)" `
            --client-secret "$($info.clientSecret)" `
            --tenant-id "$($info.tenantId)"
        shell: pwsh
        env:
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Provision Infrastructure
        run: azd provision --debug --no-prompt

      - name: Deploy Application
        run: azd deploy --no-prompt
```
See this repo: https://github.com/CodebreakerApp/chapter8/
Versions locally: azd version 1.7.0 (commit 49d6adc2efb178083f61822e6b4715258560803d), aspire 8.0.0-preview.5.24170.4/8.0.100, SDK 8.0.200.
When I'm not using AddCosmosDB, the solution publishes successfully using the GitHub action. With AddCosmosDB it succeeds when running it locally but fails with the GitHub action as described.
@vhvb1989 can you take a look? Seems related to https://github.com/Azure/azure-dev/issues/2427
@rajeshkamal5050 - not completely, because I didn't add a Bicep file and let everything autogenerate. Maybe this could be an issue with the manifest coming from Aspire?
It is similar to #2427 , but not the same.
Context for this issue: there are some services which require storing the connection string as a secret in Key Vault. For example, to create a Cosmos DB service, azd appends a Key Vault to the infrastructure as a dependency for the Cosmos DB. The Key Vault account is created and passed as a parameter to a Bicep module that creates the Cosmos DB and sets the connection string as a secret in the Key Vault account. This strategy is required because we can't use secured outputs in Bicep, so instead of having the connection string as an output, the output is just the Key Vault endpoint and the name of the secret. Then, during deployment, azd can fetch the secret from the Key Vault, but the user running azd requires a read-access role for the Key Vault account, which is given during the deployment. The problem is that, on CI/CD, the user that is logged in to azd is a service principal, which breaks the read-access role assignment.
To enable your CI/CD scenario, you need to run azd infra synth and then go to infra/resources.bicep and update the role assignment to be service principal instead of user.
For a real solution, we need to explore how to enable the case. IIRC, we can remove the type from the role assignment and then it would work in both places.
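The workaround and the "real solution" sketched in the comment above, as an added example in Bicep (this is not azd's generated infra/resources.bicep and not the poster's code; the Key Vault name, parameter names and resource symbolic names are assumptions). The commented-out assignment is the shape that produces UnmatchedPrincipalType in CI, because principalType is pinned to 'User' while the logged-in identity is a service principal. The live assignment makes principalType optional: when it is left empty, Azure RBAC resolves the type of the object id itself, so one template serves a developer's user account and the CI service principal. The role is Key Vault Secrets User (read secret contents only), which is the minimum azd needs to fetch the connection-string secret. Caveat: leaving principalType out is safe when the principal already exists; for a principal created in the same deployment (e.g. a fresh managed identity) Azure recommends setting it explicitly to avoid replication-delay failures, which is why the parameter is kept rather than removed outright.

```bicep
// Added example, not azd-generated code. Assumes a Key Vault already exists in
// the target resource group and that the caller passes the object id of the
// identity that runs `azd provision` (a user locally, a service principal in CI).
param principalId string

// Hypothetical parameter: leave empty to let Azure resolve the principal's
// type; set it only when the principal was just created in this deployment.
@allowed(['', 'User', 'ServicePrincipal', 'Group'])
param principalType string = ''

// Constructed vault name for the example; azd generates its own.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: 'kv-codebreaker-example'
}

// Built-in role "Key Vault Secrets User": read secret contents, nothing else.
var keyVaultSecretsUserRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '4633458b-17de-408a-b874-0445c86b69e6'
)

// Failing shape from the issue: principalType hard-coded to 'User'. Passing a
// service principal's object id here yields UnmatchedPrincipalType.
//
// resource kvSecretsReaderUserOnly 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
//   name: guid(kv.id, principalId, keyVaultSecretsUserRoleId)
//   scope: kv
//   properties: {
//     roleDefinitionId: keyVaultSecretsUserRoleId
//     principalId: principalId
//     principalType: 'User'
//   }
// }

// Portable shape: principalType is omitted (null) unless the caller set it, so
// the same template works for a user locally and a service principal in CI/CD.
resource kvSecretsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, principalId, keyVaultSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: keyVaultSecretsUserRoleId
    principalId: principalId
    principalType: empty(principalType) ? null : principalType
  }
}
```

After `azd infra synth`, the equivalent change in the generated resources.bicep is to either drop the `principalType: 'User'` line from the Key Vault role assignment or replace it with a parameter like the one above and pass 'ServicePrincipal' from the pipeline; the role assignment name is derived from scope, principal and role so re-running the deployment stays idempotent.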
Hi @christiannagel. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text “/unresolve” to remove the “issue-addressed” label and continue the conversation.
Hi @christiannagel, since you haven’t asked that we “/unresolve” the issue, we’ll close this out. If you believe further discussion is needed, please add a comment “/unresolve” to reopen the issue.