
Azure Chroot Builder - Image source subscriptionId being rewritten by Packer #10761

Closed
MrCaedes opened this issue Mar 13, 2021 · 2 comments

Comments

@MrCaedes

MrCaedes commented Mar 13, 2021

Overview of the Issue

Per the documentation, it's possible to set the source image to an image published in a Shared Image Gallery. However, when attempting to use this functionality to retrieve an image in another subscription, an error is yielded as the subscriptionId in the request given is being rewritten to the context of where the VM resides.

As you'll see in the buildfile below, the source resourceId has the subscription as 8a9e52d5-7368-4b94-85f0-10e112fa0d68 - however, in the 403 error returned by Azure, Packer appears to be substituting this with the subscriptionId of where the build agent resides (bf875851-8d25-4c5a-82aa-ca16eaabe260).

The MSI attached to the build agent has the requisite permissions on the build agent's resource group - as well as 'Reader' over the SIG being referenced. When querying the same endpoint via curl, I'm able to get the required information about the images, as well as list both subscriptions the MSI has access to.

Reproduction Steps

Attempt to utilise any image from a SIG located in a subscription other than the one in which the VM resides.

Packer version

Appears this occurs in every version since SIGs were allowed as source (~1.5.6), up until the latest release.

Simplified Packer Buildfile

{
    "description": "DNS Resolver Image",
    "builders": [{
      "type": "azure-chroot",
      "image_resource_id": "/subscriptions/{{vm `subscription_id`}}/resourceGroups/{{vm `resource_group`}}/providers/Microsoft.Compute/images/DnsImage-{{timestamp}}",
      "source": "/subscriptions/8a9e52d5-7368-4b94-85f0-10e112fa0d68/resourceGroups/InfrastructureProvisioning/providers/Microsoft.Compute/galleries/GoldenImages/images/CentOS/versions/latest",
      "mount_options": ["nouuid"],
      "copy_files": ["/etc/resolv.conf"],
      "os_disk_size_gb": 30,
      "mount_partition": 2
    }],
    "provisioners": []
}

Log Fragments and crash.log files

2021/03/13 07:49:11 Waiting on builds to complete...
2021/03/13 07:49:11 ui: 
==> Wait completed after 154 milliseconds 22 microseconds
2021/03/13 07:49:11 machine readable: error-count []string{"1"}
2021/03/13 07:49:11 ui error: 
==> Some builds didn't complete successfully and had errors:
2021/03/13 07:49:11 machine readable: azure-chroot,error []string{"Error retrieving shared image version \"/subscriptions/8a9e52d5-7368-4b94-85f0-10e112fa0d68/resourceGroups/InfrastructureProvisioning/providers/Microsoft.Compute/galleries/GoldenImages/images/CentOS/versions/latest\": compute.GalleryImageVersionsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code=\"AuthorizationFailed\" Message=\"The client 'REDACTED' with object id 'REDACTED' does not have authorization to perform action 'Microsoft.Compute/galleries/images/versions/read' over scope '/subscriptions/bf875851-8d25-4c5a-82aa-ca16eaabe260/resourceGroups/InfrastructureProvisioning/providers/Microsoft.Compute/galleries/GoldenImages/images/CentOS/versions/latest' or the scope is invalid. If access was recently granted, please refresh your credentials.\" "}
2021/03/13 07:49:11 ui error: --> azure-chroot: Error retrieving shared image version "/subscriptions/8a9e52d5-7368-4b94-85f0-10e112fa0d68/resourceGroups/InfrastructureProvisioning/providers/Microsoft.Compute/galleries/GoldenImages/images/CentOS/versions/latest": compute.GalleryImageVersionsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'REDACTED' with object id 'REDACTED' does not have authorization to perform action 'Microsoft.Compute/galleries/images/versions/read' over scope '/subscriptions/bf875851-8d25-4c5a-82aa-ca16eaabe260/resourceGroups/InfrastructureProvisioning/providers/Microsoft.Compute/galleries/GoldenImages/images/CentOS/versions/latest' or the scope is invalid. If access was recently granted, please refresh your credentials." 
2021/03/13 07:49:11 ui: 
==> Builds finished but no artifacts were created.
2021/03/13 07:49:11 [INFO] (telemetry) Finalizing.
2021/03/13 07:49:11 Cancelling builder after context cancellation context canceled
2021/03/13 07:49:11 waiting for all plugin processes to complete...
2021/03/13 07:49:11 /usr/bin/packer-io: plugin process exited
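A small Go check, added here as an illustration and not code from Packer or the plugin, that parses the `source` resource ID from the buildfile above and rebuilds the scope a gallery client would query depending on which subscription it was created for: with the VM's subscription the scope is exactly the one named in the 403, with the subscription parsed from the ID it is the intended one. `GalleryImageRef`, `ParseGalleryImageVersionID` and `ScopeFor` are hypothetical helpers; the IDs are the values from the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// GalleryImageRef holds the parts of a Shared Image Gallery version resource ID.
type GalleryImageRef struct {
	SubscriptionID, ResourceGroup, Gallery, Image, Version string
}

// ParseGalleryImageVersionID splits /subscriptions/<s>/resourceGroups/<rg>/providers/
// Microsoft.Compute/galleries/<g>/images/<i>/versions/<v> into its parts (hypothetical helper).
func ParseGalleryImageVersionID(id string) (GalleryImageRef, error) {
	parts := strings.Split(strings.Trim(id, "/"), "/")
	// Fixed keywords sit at even positions; "" marks a caller-supplied segment.
	want := []string{"subscriptions", "", "resourceGroups", "", "providers", "Microsoft.Compute",
		"galleries", "", "images", "", "versions", ""}
	if len(parts) != len(want) {
		return GalleryImageRef{}, fmt.Errorf("unexpected segment count %d in %q", len(parts), id)
	}
	for i, w := range want {
		if w != "" && !strings.EqualFold(parts[i], w) {
			return GalleryImageRef{}, fmt.Errorf("segment %d: want %q, got %q", i, w, parts[i])
		}
	}
	return GalleryImageRef{SubscriptionID: parts[1], ResourceGroup: parts[3],
		Gallery: parts[7], Image: parts[9], Version: parts[11]}, nil
}

// ScopeFor rebuilds the ARM scope that a GalleryImageVersionsClient created for
// clientSubscription queries. Passing the builder VM's subscription yields the
// mismatched scope from the 403; passing ref.SubscriptionID yields the right one.
func ScopeFor(ref GalleryImageRef, clientSubscription string) string {
	return fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/galleries/%s/images/%s/versions/%s",
		clientSubscription, ref.ResourceGroup, ref.Gallery, ref.Image, ref.Version)
}

func main() {
	// Source ID and VM subscription are the values from the issue's buildfile and log.
	const vmSubscription = "bf875851-8d25-4c5a-82aa-ca16eaabe260"
	ref, err := ParseGalleryImageVersionID("/subscriptions/8a9e52d5-7368-4b94-85f0-10e112fa0d68/resourceGroups/InfrastructureProvisioning/providers/Microsoft.Compute/galleries/GoldenImages/images/CentOS/versions/latest")
	if err != nil {
		panic(err)
	}
	fmt.Println("cross-subscription source:", !strings.EqualFold(ref.SubscriptionID, vmSubscription))
	fmt.Println("scope a VM-subscription client queries (wrong):", ScopeFor(ref, vmSubscription))
	fmt.Println("scope a source-subscription client queries (right):", ScopeFor(ref, ref.SubscriptionID))
}
```

The same comparison doubles as a pre-flight check in a build wrapper: when the parsed subscription differs from the builder VM's, log it before the build rather than diagnosing it from a 403 afterwards.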
@ghost

ghost commented Apr 30, 2021

This issue has been automatically migrated to hashicorp/packer-plugin-azure#51 because it looks like an issue with that plugin. If you believe this is not an issue with the plugin, please reply to hashicorp/packer-plugin-azure#51.

@ghost ghost closed this as completed Apr 30, 2021
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 31, 2021