however the current tenant '***' is not authorized to access linked subscription '109a5e88-712a-48ae-9078-9ca8b3c81345 #1819
Comments
Hi lissff, AKS bot here 👋 I might be just a bot, but I'm told my suggestions are normally quite good, as such:
hi @lissff , yes we are aware of this change. You can still do updates to the VMSS, as long as the PUT request payload does not contain the SIG image reference (a PATCH instead of full PUT). That is how aad-pod-identity works today. And that's in general a good practice too to avoid overwriting properties from other clients.
To @yangl900's point, which action were you trying to perform?
I don't understand, the below cmd also got the same error:
The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/*', however the current tenant '**' is not authorized to access linked subscription '109a5e88-712a-48ae-9078-9ca8b3c81345'.
I am getting the same error when I try to add AKS VMSS in the Application Gateway backend pool.
Have the same issue when I try to enable boot diagnostics on AKS nodes via:
I have the same issue when I try to attach a disk to the AKS node VM:

```bash
AZURE_CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group $AZURE_RESOURCE_GROUP_NAME --name $AZURE_CLUSTER_NAME --query nodeResourceGroup -o tsv)
AZURE_CLUSTER_VM_NAME=$(az vm list --resource-group $AZURE_CLUSTER_RESOURCE_GROUP -o tsv --query '[0].name')
az vm disk attach \
  -g $AZURE_CLUSTER_RESOURCE_GROUP \
  --vm-name $AZURE_CLUSTER_VM_NAME \
  --name $AZURE_DISK_NAME
```
Ran into this in production. We are accessing the scale-sets created by AKS in the node-resource group to attach disks to each VM instance programmatically. Any workarounds?
Hi @amadav , I'm looking into this. Could you share how you attach disks? I'm aware Azure CLI will hit this issue because it does a full property PUT on the VM. I'm working with the CLI owner to figure out a solution. If you are calling the API directly, the fix would be to drop the "osProfile.storageProfile" property completely from the request body.
@whuchenlei that command is deprecated and will be removed from the docs soon, please use something like https://github.com/kvaps/kubectl-node-shell as we work to provide a similarly integrated experience in CLI and portal. @amadav, @r-b-g-b, @erplsf while we work on that, just making sure you are aware that those are unsupported operations?
Want to give an update on the disk attach / detach workaround: For now you can use

```bash
az resource update \
  --ids /subscriptions/xxxx/resourceGroups/MC_xxx/providers/Microsoft.Compute/virtualMachineScaleSets/aks-agentpool-xxxx-vmss/virtualmachines/0 \
  --add properties.storageProfile.dataDisks "{\"lun\": 0, \"createOption\": \"Attach\", \"managedDisk\": { \"id\": \"/subscriptions/xxxx/resourcegroups/MC_xxx/providers/Microsoft.Compute/disks/testdisk\" } }" \
  --remove properties.storageProfile.imageReference
```
Thanks for the quick comments @yangl900 and @palma21 and the support. I understand that changing resources in the infrastructure resource group is not supported, but it has been a requirement for us from IT and customers alike. One such scenario is: regarding disk attachments, we have a requirement to attach more disks for HostPath volumes based on node metrics of disk usage, since we have applications using HostPath for persistent storage and making the move to use PVC may require more cycles. Is it possible to do the same (as mentioned with az-cli) via the Java SDK? We already have a dependency on Azure SDK 1.27.2 and would prefer if we can continue to keep using that for the said purpose.
hi @amadav , AKS now supports propagating tags into VMSS, hope that makes your management tasks easier :) See doc: https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#setting-nodepool-azure-tags You can achieve the same in the Java SDK: if you are going to update the VMSS, before you make the CreateOrUpdate() request, set the
Thanks for the pointers @yangl900 . I tried setting
but the bundled SDK version throws an NPE here. I believe it requires the storage profile to be populated and there seems to be no direct way to set it to null just before VirtualMachineScaleSetImpl.updateResourceAsync()
How about Portworx users? Any workaround @yangl900
@palma21 if I can do it through the UI now, why can't I do it via the CLI interface? (setting boot diagnostics for AKS VMs). They are still VMs, and should have the same capabilities as other VMs.
@lissff sorry for the inconvenience, we are working with Portworx too. A new version 2.5.7 will mitigate the issue. It should be released this week. @erplsf yes, CLI should work too, it's an issue in CLI that we are working on a fix for. They are still VMs but a little bit special in the OS disk image, since the image is managed by the AKS service.
@erplsf yes to the comment I made on the unsupported nature of those operations. It's the same for portal or CLI. They should work, as Anders mentions, but any IaaS direct operation is not supported by the managed service policy. You can only interact with AKS and k8s APIs (or AKS Portal/CLI) to interact with the cluster resources.
I encountered the same error message while trying to update a key for SSH access to the nodes as per the Microsoft doc https://docs.microsoft.com/nl-nl/azure/aks/ssh (`az vmss extension set`). Is there any alternative for this as well?
try this
Thanks I already found a way in with
I have this issue.
Had the following response from MS, FYI:

ISSUE: `"imageReference": {` When a client like the CLI makes a PUT request to a VMSS to perform an update, the request body cannot contain the imageReference property; otherwise it will be treated as an update and trigger the ARM linked access check to ensure the user has permission on the SIG resource. Apparently no user would have that access, thus the failure. NOTE: Only new node pools / clusters will be using SIG; existing clusters won't be upgraded automatically.
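The workaround posted above (`--remove properties.storageProfile.imageReference` together with `--add properties.storageProfile.dataDisks`) and the MS explanation of why a full PUT fails both come down to one rule: an update body that still carries a gallery image id from another subscription makes ARM run a linked-subscription access check the caller cannot pass. The following Python is an added example, not code from this issue, the AKS project or the Azure CLI. It checks a resource body for a cross-subscription gallery reference before a PUT, and builds the stripped-plus-data-disk body the CLI workaround produces. The sample payload and the `MY_SUBSCRIPTION` id are constructed; the `foreign_gallery_subscription` and `build_update_body` helpers are hypothetical names; the `properties.virtualMachineProfile.storageProfile` path for a scale set is the standard ARM layout, while the instance and VM paths match the `properties.storageProfile` path used in the workaround.

```python
"""Guard an ARM update body against the linked-subscription gallery check.

Constructed example: the AKS image subscription id is the one quoted in the
issue; MY_SUBSCRIPTION and all resource paths are placeholders.
"""
import copy
import re

MY_SUBSCRIPTION = "11111111-1111-1111-1111-111111111111"           # placeholder
AKS_IMAGE_SUBSCRIPTION = "109a5e88-712a-48ae-9078-9ca8b3c81345"    # from the issue

# Matches a Shared Image Gallery resource id and captures its subscription.
GALLERY_IMAGE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-fA-F-]+)/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Compute/galleries/",
    re.IGNORECASE,
)

# Where storageProfile sits depends on the resource type (assumed ARM layout).
STORAGE_PROFILE_PATHS = {
    "Microsoft.Compute/virtualMachineScaleSets":
        ("properties", "virtualMachineProfile", "storageProfile"),
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines":
        ("properties", "storageProfile"),
    "Microsoft.Compute/virtualMachines":
        ("properties", "storageProfile"),
}


def _storage_profile(body):
    """Return the storageProfile dict for this resource type, or None."""
    path = STORAGE_PROFILE_PATHS.get(body.get("type"))
    if path is None:
        raise ValueError(f"unsupported resource type: {body.get('type')!r}")
    node = body
    for key in path:
        node = node.get(key)
        if node is None:
            return None
    return node


def foreign_gallery_subscription(body, my_subscription):
    """Subscription id of a gallery image referenced outside my_subscription,
    or None when a full PUT of this body would not trigger the linked check."""
    profile = _storage_profile(body) or {}
    image_id = (profile.get("imageReference") or {}).get("id", "")
    match = GALLERY_IMAGE_RE.match(image_id)
    if match and match.group("sub").lower() != my_subscription.lower():
        return match.group("sub")
    return None


def build_update_body(body, extra_data_disk=None):
    """Copy of body safe to PUT: imageReference dropped, optional data disk
    appended (the --remove / --add pair from the CLI workaround)."""
    new_body = copy.deepcopy(body)
    profile = _storage_profile(new_body)
    if profile is not None:
        profile.pop("imageReference", None)
        if extra_data_disk is not None:
            profile.setdefault("dataDisks", []).append(extra_data_disk)
    return new_body


# Constructed sample: one VMSS instance as returned from the node resource group.
SAMPLE_INSTANCE = {
    "type": "Microsoft.Compute/virtualMachineScaleSets/virtualMachines",
    "properties": {
        "storageProfile": {
            "imageReference": {
                "id": f"/subscriptions/{AKS_IMAGE_SUBSCRIPTION}/resourceGroups/AKS-Ubuntu"
                      "/providers/Microsoft.Compute/galleries/AKSUbuntu/images/1604"
                      "/versions/2020.08.13"
            },
            "osDisk": {"name": "aks-agentpool-osdisk", "createOption": "FromImage"},
            "dataDisks": [],
        }
    },
}


def demo():
    """Check the raw body, build the workaround body, re-check it."""
    disk = {
        "lun": 0,
        "createOption": "Attach",
        "managedDisk": {
            "id": f"/subscriptions/{MY_SUBSCRIPTION}/resourceGroups/MC_example"
                  "/providers/Microsoft.Compute/disks/testdisk"
        },
    }
    before = foreign_gallery_subscription(SAMPLE_INSTANCE, MY_SUBSCRIPTION)
    patched = build_update_body(SAMPLE_INSTANCE, disk)
    after = foreign_gallery_subscription(patched, MY_SUBSCRIPTION)
    return before, after, len(patched["properties"]["storageProfile"]["dataDisks"])


if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` reports the AKS image subscription as the foreign reference on the raw body, `None` on the rebuilt body, and one attached data disk. The same pre-flight check belongs in any automation that PUTs node-pool resources, since a body fetched with GET and sent back unchanged is exactly what trips the check.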
@leesutcliffe Please use Pod Identity version 1.6 and above, which has that issue fixed.
@palma21 Thanks for the advice, worked perfectly
Also running into the same issue following the below documentation (`az vmss extension set`). Any updates on the CLI fix @yangl900 or at least a workaround so I can SSH onto the node?
@yangl900 Can you share the release plan or release note here?
@markpenner34 You can enter into a node using something like: https://github.com/kvaps/kubectl-node-shell We will be providing a similar experience to avoid interacting with that command. The fix for that command was merged in the CLI and will be in the next core CLI release train. @lissff Portworx already shipped a fix for versions above 2.5.7, you should be able to use that.
@palma21 is the change going to be shown in AKS's release notes?
Action required from @Azure/aks-pm
Issue needing attention of @Azure/aks-leads
@lissff If you were having an issue when using AZ CLI to update the VMSS, the issue should be resolved now by the CLI team. Please update to the latest CLI version.
Thanks for reaching out. I'm closing this issue as it was marked with "Fix released" and it hasn't had activity for 7 days.
I ran into an issue using kubectl node shell, and opened up a bug in that repo. |
What happened:
Starting from 2020-08-22:
AKS uses shared image gallery (https://docs.microsoft.com/en-us/azure/virtual-machines/windows/shared-image-galleries) for some new clusters, which means the image reference in the VMSS is `/subscriptions/109a5e88-712a-48ae-9078-9ca8b3c81345/resourceGroups/AKS-Ubuntu/providers/Microsoft.Compute/galleries/AKSUbuntu/images/1604/versions/2020.08.13`; if a user performs any write operation on the VMSS, it will be denied since the user/tenant doesn't have access to the AKS image sub.
The error message looks like:
"however the current tenant '' is not authorized to access linked subscription '109a5e88-712a-48ae-9078-9ca8b3c81345'."
What you expected to happen:
How to reproduce it (as minimally and precisely as possible):
A cluster created after 2020-8-22 that uses 3rd party storage, e.g. Portworx as the storage option
Anything else we need to know?:
Environment:
Kubernetes version (use `kubectl version`):