Describe the bug
If you deploy CoA with BatchNodesSubnetId, the managed identity doesn't have permission to create NodePool on Vnet for azbatch nodes. Workflow will fail with
"FailureReason": "UnknownError",
"SystemLogs": [
"Operation returned an invalid status code 'BadRequest'",
" at Microsoft.Azure.Batch.Protocol.BatchRequestBase`2.ExecuteRequestAsync()\n at Microsoft.Azure.Batch.ProtocolLayer.ProcessAndExecuteBatchRequest[TResponse](IBatchRequest`1 request, BehaviorManager bhMgr)\n at Microsoft.Azure.Batch.CloudJob.CommitAsync(IEnumerable`1 additionalBehaviors, CancellationToken cancellationToken)\n at TesApi.Web.AzureProxy.CreateBatchJobAsync(String jobId, CloudTask cloudTask, PoolInformation poolInformation) in D:\a\1\s\src\TesApi.Web\AzureProxy.cs:line 248\n at TesApi.Web.BatchScheduler.AddBatchJobAsync(TesTask tesTask) in D:\a\1\s\src\TesApi.Web\BatchScheduler.cs:line 342"
]
TES container will tell you: " Error Details key=Reason value=The user identity used for this operation does not have the required privelege Microsoft.Network/virtualNetworks/subnets/join/action on the specified resource /subscriptions/XXXXX/resourceGroups/genomics/providers/Microsoft.Network/virtualNetworks/genomics-vnet/subnets/azbatch-subnet"
Steps to Reproduce
Steps to reproduce the behavior:
./deploy-cromwell-on-azure-linux --SubscriptionId xxxxxxxxxxxxx \
  --RegionName southcentralus --MainIdentifierPrefix coa --ResourceGroupName genomics \
  --VnetResourceGroupName genomics --VnetName genomics-vnet \
  --VmSubnetName orchestration-subnet --BatchAccountName vncsagenobatch \
  --NetworkSecurityGroupName genomics-vnet-orchestration-subnet-nsg-southcentralus \
  --VmSize Standard_D4d_v4 \
  --BatchNodesSubnetId /subscriptions/xxxxxxxx/resourceGroups/genomics/providers/Microsoft.Network/virtualNetworks/genomics-vnet/subnets/azbatch-subnet
Test workflow failed.
Expected behavior
Deployment should set up the right permission for the managed identity and it should be documented.
Deployment details: (any information you can provide would be helpful):
OS: Linux Ubuntu 18.04
Version 3.1.0
Additional context
I gave the MI the Network Contributor RBAC because the Virtual Machine Contributor didn't fix the issue.
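
The permission check behind the error above, as an added example that is not part of the original report or of the Cromwell on Azure code: a simplified model of additive Azure RBAC (no deny assignments or conditions) that tests whether an assignment grants `Microsoft.Network/virtualNetworks/subnets/join/action` on the batch subnet, and what else it grants. The resource-group scope for Network Contributor, the join-only custom role, the `azbatch` prefix scope and the list of other actions are assumptions constructed for illustration.

```python
import fnmatch

# From the error message in the issue (the subscription ID is redacted there).
REQUIRED = "Microsoft.Network/virtualNetworks/subnets/join/action"
VNET = ("/subscriptions/XXXXX/resourceGroups/genomics/providers/"
        "Microsoft.Network/virtualNetworks/genomics-vnet")
SUBNET = VNET + "/subnets/azbatch-subnet"

# Constructed sample of other network operations, used to show over-grant.
OTHER_ACTIONS = [
    "Microsoft.Network/virtualNetworks/delete",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/networkSecurityGroups/write",
]

def scope_covers(scope, resource_id):
    """An assignment applies to its scope and to every resource beneath it."""
    s, r = scope.rstrip("/").lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")

def grants(role, action):
    """Match an action against the role's Actions minus its NotActions ('*' wildcards)."""
    hit = lambda pats: any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)
    return hit(role["actions"]) and not hit(role.get("not_actions", []))

def is_allowed(assignments, action, resource_id):
    """True if any in-scope assignment grants the action."""
    return any(scope_covers(a["scope"], resource_id) and grants(a["role"], action)
               for a in assignments)

def excess(assignment):
    """Sampled actions the assignment also grants beyond the required one."""
    return [act for act in OTHER_ACTIONS if grants(assignment["role"], act)]

# Network Contributor abridged to its network wildcard; the join-only role is hypothetical.
NETWORK_CONTRIBUTOR = {"actions": ["Microsoft.Network/*"]}
SUBNET_JOIN_ONLY = {"actions": [REQUIRED, "Microsoft.Network/virtualNetworks/subnets/read"]}

broad = {"scope": "/subscriptions/XXXXX/resourceGroups/genomics", "role": NETWORK_CONTRIBUTOR}
narrow = {"scope": SUBNET, "role": SUBNET_JOIN_ONLY}
sibling = {"scope": VNET + "/subnets/orchestration-subnet", "role": SUBNET_JOIN_ONLY}
prefix = {"scope": VNET + "/subnets/azbatch", "role": SUBNET_JOIN_ONLY}

if __name__ == "__main__":
    for name, a in [("broad", broad), ("narrow", narrow), ("sibling", sibling), ("prefix", prefix)]:
        print(f"{name:8} allowed={is_allowed([a], REQUIRED, SUBNET)} excess={len(excess(a))}")
```

Both the broad and the narrow assignment satisfy the join check, but only the subnet-scoped one grants none of the sampled write and delete operations; the sibling-subnet and prefix scopes show that an assignment has to sit at or above the exact subnet ID to count.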