Per the documentation, it's possible to set the source image to an image published in a Shared Image Gallery. However, when attempting to use this functionality to retrieve an image in another subscription, an error is yielded as the subscriptionId in the request given is being rewritten to the context of where the VM resides.
As you'll see in the buildfile below, the source resourceId has the subscription as 8a9e52d5-7368-4b94-85f0-10e112fa0d68 - however, in the 403 error returned by Azure, Packer appears to be substituting this with the subscriptionId of where the build agent resides (bf875851-8d25-4c5a-82aa-ca16eaabe260).
The MSI attached to the build agent has the requisite permissions on the build agent's resource group - as well as 'Reader' over the SIG being referenced. When querying the same endpoint via curl, I'm able to get the required information about the images, as well as list both subscriptions the MSI has access to.
Reproduction Steps
Attempt to utilise any image from a SIG located in a subscription other than the one in which the VM resides.
Packer version
Appears this occurs in every version since SIGs were allowed as source (~1.5.6), up until the latest release.
Log Fragments and crash.log files
2021/03/13 07:49:11 Waiting on builds to complete...
2021/03/13 07:49:11 ui: ==> Wait completed after 154 milliseconds 22 microseconds
2021/03/13 07:49:11 machine readable: error-count []string{"1"}
2021/03/13 07:49:11 ui error: ==> Some builds didn't complete successfully and had errors:
2021/03/13 07:49:11 machine readable: azure-chroot,error []string{"Error retrieving shared image version \"/subscriptions/8a9e52d5-7368-4b94-85f0-10e112fa0d68/resourceGroups/InfrastructureProvisioning/providers/Microsoft.Compute/galleries/GoldenImages/images/CentOS/versions/latest\": compute.GalleryImageVersionsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code=\"AuthorizationFailed\" Message=\"The client 'REDACTED' with object id 'REDACTED' does not have authorization to perform action 'Microsoft.Compute/galleries/images/versions/read' over scope '/subscriptions/bf875851-8d25-4c5a-82aa-ca16eaabe260/resourceGroups/InfrastructureProvisioning/providers/Microsoft.Compute/galleries/GoldenImages/images/CentOS/versions/latest' or the scope is invalid. If access was recently granted, please refresh your credentials.\" "}
2021/03/13 07:49:11 ui error: --> azure-chroot: Error retrieving shared image version "/subscriptions/8a9e52d5-7368-4b94-85f0-10e112fa0d68/resourceGroups/InfrastructureProvisioning/providers/Microsoft.Compute/galleries/GoldenImages/images/CentOS/versions/latest": compute.GalleryImageVersionsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'REDACTED' with object id 'REDACTED' does not have authorization to perform action 'Microsoft.Compute/galleries/images/versions/read' over scope '/subscriptions/bf875851-8d25-4c5a-82aa-ca16eaabe260/resourceGroups/InfrastructureProvisioning/providers/Microsoft.Compute/galleries/GoldenImages/images/CentOS/versions/latest' or the scope is invalid. If access was recently granted, please refresh your credentials."
2021/03/13 07:49:11 ui: ==> Builds finished but no artifacts were created.
2021/03/13 07:49:11 [INFO] (telemetry) Finalizing.
2021/03/13 07:49:11 Cancelling builder after context cancellation context canceled
2021/03/13 07:49:11 waiting for all plugin processes to complete...
2021/03/13 07:49:11 /usr/bin/packer-io: plugin process exited
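A diagnostic for the symptom reported above, as an added example that is not part of the original issue or of Packer's code: it compares the subscription in the requested gallery image version ID with the subscription in the scope quoted by the AuthorizationFailed message. CheckScope, ScopeMismatch and the sample constants are hypothetical names; the sample strings are excerpts of the log above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Matches a Shared Image Gallery image version resource ID (case-insensitive).
var sigVersionID = regexp.MustCompile(`(?i)/subscriptions/([0-9a-f-]{36})/resourceGroups/([^/'"\\ ]+)` +
	`/providers/Microsoft\.Compute/galleries/([^/'"\\ ]+)/images/([^/'"\\ ]+)/versions/([^/'"\\ ]+)`)

// Sample input: excerpts of the log in this issue.
const sampleRequested = "/subscriptions/8a9e52d5-7368-4b94-85f0-10e112fa0d68/resourceGroups/InfrastructureProvisioning/providers/Microsoft.Compute/galleries/GoldenImages/images/CentOS/versions/latest"
const sampleError = `Status=403 Code="AuthorizationFailed" Message="The client 'REDACTED' with object id 'REDACTED' does not have authorization to perform action 'Microsoft.Compute/galleries/images/versions/read' over scope '/subscriptions/bf875851-8d25-4c5a-82aa-ca16eaabe260/resourceGroups/InfrastructureProvisioning/providers/Microsoft.Compute/galleries/GoldenImages/images/CentOS/versions/latest' or the scope is invalid."`

// ScopeMismatch (hypothetical type) records a 403 evaluated in another subscription.
type ScopeMismatch struct {
	Requested, Evaluated string // subscription IDs
	SamePath             bool   // true when only the subscription segment differs
}

// CheckScope returns nil when the scope in errMsg names the requested subscription.
func CheckScope(requestedID, errMsg string) (*ScopeMismatch, error) {
	req := sigVersionID.FindStringSubmatch(requestedID)
	if req == nil {
		return nil, fmt.Errorf("not a gallery image version ID: %q", requestedID)
	}
	i := strings.Index(errMsg, "over scope")
	if i < 0 {
		return nil, fmt.Errorf("no scope in error message")
	}
	got := sigVersionID.FindStringSubmatch(errMsg[i:])
	if got == nil {
		return nil, fmt.Errorf("scope is not a gallery image version ID")
	}
	if strings.EqualFold(req[1], got[1]) {
		return nil, nil
	}
	same := strings.EqualFold(strings.Join(req[2:], "/"), strings.Join(got[2:], "/"))
	return &ScopeMismatch{Requested: req[1], Evaluated: got[1], SamePath: same}, nil
}

func main() {
	m, err := CheckScope(sampleRequested, sampleError)
	fmt.Printf("mismatch=%+v err=%v\n", m, err)
}
```

A mismatch with SamePath set to true shows that the request was evaluated against a different subscription than the one named in the source resource ID, which is consistent with the role assignment on the gallery being in place.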
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.