[BUG] MPE error when not AuthZ on PE Azure resource

[Guust-Franssens]

Bug Description

When a user is not authorized to read the Azure resource for which the Private Endpoint is created then the CLI gives a cryptic error even though the Managed Private Endpoint (MPE) gets successfully created (ofc still need to be approved).

fabric-cli version

1.2.0

Python version

Python 3.12.9

Operating System

Windows

CLI Mode

Command line mode

Authentication Method

Service principal (secret)

Steps to Reproduce

On an existing Fabric workspace create a Managed Private Endpoint on a Azure Resource using the CLI with a user that is not Authorized to read the private endpoints connections of that resource.

In my scenario I was creating a MPE to an Azure Key Vault with a SPN. The SPN has full admin rights to the workspace, but has no permissions on the AKV.

WORKSPACE_NAME="ws1.workspace"
PE_KEYVAULT_RESOURCE_ID="/subscriptions/XXXX/resourceGroups/myrg/providers/Microsoft.KeyVault/vaults/mykeyvault"
fab create ${WORKSPACE_NAME}/.managedprivateendpoints/mpe1.ManagedPrivateEndpoint \
    -P targetprivatelinkresourceid=${PE_KEYVAULT_RESOURCE_ID},targetsubresourcetype=vault
Creating a new Managed Private Endpoint. It may take same time (waiting until provisioned)...
x create: [UnknownError] An unexpected error occurred while processing the request
∟ Request Id: d631414d-b63e-4fcd-afbc-d739346772c8

This successfully creates the MPE, although this is unclear from the error. The error is caused here:

fabric-cli/src/fabric_cli/utils/fab_cmd_mkdir_utils.py

Lines 736 to 739 in 7c7188c

	def find_mpe_connection(managed_private_endpoint, targetprivatelinkresourceid):
	args = Namespace()
	args.resource_uri = targetprivatelinkresourceid
	response = mpe_api.list_private_endpoints_by_azure_resource(args)

Traceback:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "C:\Users\gfranssens\vscode-projects\fabric-cli\src\fabric_cli\client\fab_api_client.py", line 167, in do_request
    raise FabricCLIError(
fabric_cli.core.fab_exceptions.FabricCLIError: [Forbidden] Access is forbidden. You do not have permission to access this resource

HTTP Request response 403:

{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client 'XXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.KeyVault/vaults/privateEndpointConnections/read' over scope '/subscriptions/XXX/resourceGroups/myrg/providers/Microsoft.KeyVault/vaults/mykeyvault' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}

Expected Behavior

MPE was successfully created, however the status cannot be checked.

Actual Behavior

WORKSPACE_NAME="ws1.workspace"
PE_KEYVAULT_RESOURCE_ID="/subscriptions/XXXX/resourceGroups/myrg/providers/Microsoft.KeyVault/vaults/mykeyvault"
fab create ${WORKSPACE_NAME}/.managedprivateendpoints/mpe1.ManagedPrivateEndpoint \
    -P targetprivatelinkresourceid=${PE_KEYVAULT_RESOURCE_ID},targetsubresourcetype=vault
Creating a new Managed Private Endpoint. It may take same time (waiting until provisioned)...
x create: [UnknownError] An unexpected error occurred while processing the request
∟ Request Id: d631414d-b63e-4fcd-afbc-d739346772c8

Additional Context

No response

Possible Solution

Error handling when making the request to check the Azure resource.

[Guust-Franssens]

@aviatco if the user does not have read access on the azure resource, the API call will return 403.
In my scenario when I gave my requesting identity the "Reader" role on the Azure resource the API call would return 200.

Steps to reproduce:

1. create a workspace with user B
2. create an azure keyvault with user A
3. create a MPE with the CLI to the Azure Keyvault with user B

The MPE will be create successfully at Workspace (Activation Succeeded, Approval Pending) however the CLI will give the error I showed above as user B is not allowed to read the Azure resource and the current codebase does not error handle this currently.

[aviatco]

/need-info

Hi @Guust-Franssens, I tried to reproduce it but was unable to.
I created an MPE using a user who has no permissions on the relevant Azure resource, and I received the bellow error (as expected):

x create: [LongRunningOperationFailed] Managed Private Endpoint was created on Fabric but encountered an issue on Azure provisioning. State: Failed

I would appreciate it if you could kindly share the exact steps you followed so I can better understand how you reached this error shown above:
x create: [UnknownError] An unexpected error occurred while processing the request

@ayeshurun I think we should improve the error message to indicate the user has no permission to the resource and change the state to Pending/ Pending approval, or something similar, instead of failed.

[Guust-Franssens]

@aviatco I cannot reproduce the error either. Getting now the same as you.
Probably was an error on my side from tinkering with the code trying to understand what was going on.

[Guust-Franssens]

How do we proceed? Should I rename the issue to a feature request to make the error more descriptive?

[aviatco]

/triaged

[microsoft-github-policy-service]

Triage has been completed for this issue.

[aviatco]

@Guust-Franssens As we’re unable to reproduce the issue, we’ll close it for now.
We will open a feature request to improve the error message and request state.
Thanks for bringing this to our attention.