
Managed identity permissions for Vnet with BatchNodesSubnetId #450

Closed
javierromancsa opened this issue Aug 5, 2022 · 3 comments · Fixed by #588
Labels
Bug Something isn't working

@javierromancsa (Contributor)

Describe the bug
If you deploy CoA with BatchNodesSubnetId, the managed identity doesn't have permission to create a node pool in the VNet for the azbatch nodes. The workflow fails with:

    "FailureReason": "UnknownError",
    "SystemLogs": [
      "Operation returned an invalid status code 'BadRequest'",
      "   at Microsoft.Azure.Batch.Protocol.BatchRequestBase`2.ExecuteRequestAsync()
          at Microsoft.Azure.Batch.ProtocolLayer.ProcessAndExecuteBatchRequest[TResponse](IBatchRequest`1 request, BehaviorManager bhMgr)
          at Microsoft.Azure.Batch.CloudJob.CommitAsync(IEnumerable`1 additionalBehaviors, CancellationToken cancellationToken)
          at TesApi.Web.AzureProxy.CreateBatchJobAsync(String jobId, CloudTask cloudTask, PoolInformation poolInformation) in D:\a\1\s\src\TesApi.Web\AzureProxy.cs:line 248
          at TesApi.Web.BatchScheduler.AddBatchJobAsync(TesTask tesTask) in D:\a\1\s\src\TesApi.Web\BatchScheduler.cs:line 342"
    ]

The TES container will tell you:

    Error Details key=Reason value=The user identity used for this operation does not have the required privelege Microsoft.Network/virtualNetworks/subnets/join/action on the specified resource /subscriptions/XXXXX/resourceGroups/genomics/providers/Microsoft.Network/virtualNetworks/genomics-vnet/subnets/azbatch-subnet

Steps to Reproduce
    ./deploy-cromwell-on-azure-linux --SubscriptionId xxxxxxxxxxxxx \
      --RegionName southcentralus --MainIdentifierPrefix coa --ResourceGroupName genomics \
      --VnetResourceGroupName genomics --VnetName genomics-vnet \
      --VmSubnetName orchestration-subnet --BatchAccountName vncsagenobatch \
      --NetworkSecurityGroupName genomics-vnet-orchestration-subnet-nsg-southcentralus \
      --VmSize Standard_D4d_v4 \
      --BatchNodesSubnetId /subscriptions/xxxxxxxx/resourceGroups/genomics/providers/Microsoft.Network/virtualNetworks/genomics-vnet/subnets/azbatch-subnet

The test workflow failed.
Expected behavior
Deployment should set up the right permission for the managed identity, and it should be documented.

Deployment details:

  • OS: linux Ubuntu 18.04
  • Version 3.1.0


Additional context
I gave the MI the Network Contributor RBAC role because Virtual Machine Contributor didn't fix the issue.

@javierromancsa javierromancsa added the Bug Something isn't working label Aug 5, 2022
@olesya13 olesya13 assigned olesya13 and BMurri and unassigned olesya13 Aug 5, 2022
@olesya13 olesya13 added this to the next milestone Aug 5, 2022
@vsmalladi (Contributor)

If you add the MI the Network Contributor RBAC role at the Resource Group, it fixes this issue.

@BMurri (Contributor)

BMurri commented Apr 21, 2023

Needs to be added to the deployer when private networking is enabled

@BMurri BMurri removed their assignment Apr 21, 2023
@vsmalladi (Contributor)

@BMurri, @jsaun added it in his PR #588.
