
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines - Permissions issue when scoped to resource group. #1311

Open
phill-lewis opened this issue Apr 18, 2024 · 2 comments

Comments

@phill-lewis

ISSUE TITLE:
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines - Permissions issue when scoped to resource group.

ISSUE DESCRIPTION:
Trying to apply one of the built in policies to add built-in user managed identity to a VM fails on remediation with the following error:

Evaluation of DeployIfNotExists policy was unsuccessful. The policy assignment '/subscriptions//resourceGroups/zzz-phill-test/providers/Microsoft.Authorization/policyAssignments/' resource identity does not have the necessary permissions to create deployment '/subscriptions/***/providers/Microsoft.Resources/deployments/PolicyDeployment***'. Please see https://aka.ms/arm-policy-identity for usage details.

Details of the scenario you tried and the problem that is occurring

I was testing policies on a subset of machines by scoping the policy to a resource group containing my test machines. Every time the remediation task ran it failed with the above error. I tried this in more than one tenancy with the same result. I spoke with MS support and they were also not sure what the problem was but through something they said I wondered if the problem lay with the scoping of the policy to the resource group. The policy in question gives the option to set BringYourOwnUMI to false and to set the remediation identity to system assigned. In doing this there should be no more configuration necessary.

When selecting the options above the policy docs say the policy engine will create a built-in resource group and a built-in umi to be applied to the VM but these two resources are under the root of the subscription but the system assigned identity the policy remediation is running as is scoped to the resource group with my VMs in. This means the system assigned identity does not have sufficient permissions at the subscription level to deploy the other resources it needs and then fails as a result.

I tried scoping the policy at the subscription level and everything worked as expected, but this precludes the policy being run, out of the box, on a subset of resources in a resource group.

I also think this applies to other built-in policies which use the same mechanism.

Verbose logs showing the problem

No logs only the error mentioned above

Suggested solution to the issue

Either the documentation needs to be updated to reflect that the policy cannot be scoped below the subscription level when run with the options above, or the policy needs to be changed in some way to allow it to be scoped to a resource group whilst giving the system assigned identity it runs as enough permissions to create the built-in resource group and built-in managed identity at the subscription level.

If policy is Guest Configuration - details about target node

@NorvalH1

NorvalH1 commented May 3, 2024

I am having the same issue when trying to use Policy to apply a user-assigned managed identity to [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines. I have been working on this with Microsoft, and they have now escalated it to their Identity team. I believe it is a permissions issue, but cannot seem to figure out which permissions need to be applied to the user-assigned managed identity for it to be able to be added to all of my virtual machines.

Here is the error I'm receiving:

Identity operation for resource '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-vmblah/providers/Microsoft.Compute/virtualMachines/vmblah' failed with error 'Failed to perform resource identity operation. Status: 'BadRequest'. Response: '{"error":{"code":"BadRequest","message":"Resource '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx//resourcegroups/rg-vmblahuserAssignedMIs/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AMA-vmblahMI' was not found."}}'.'.Failed with error 'Failed to perform resource identity operation. Status: 'BadRequest'. Response: '{"error":{"code":"BadRequest","message":"Resource '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx//resourcegroups/rg-vmblahuserAssignedMIs/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AMA-vmblahMI' was not found."}}'.'.

I'm curious if you or anyone else have found a solution for this yet?

@phill-lewis
Author

> I am having the same issue when trying to use Policy to apply a user-assigned managed identity to [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines. I have been working on this with Microsoft, and they have now escalated it to their Identity team. I believe it is a permissions issue, but cannot seem to figure out which permissions need to be applied to the user-assigned managed identity for it to be able to be added to all of my virtual machines.
>
> Here is the error I'm receiving:
>
> Identity operation for resource '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-vmblah/providers/Microsoft.Compute/virtualMachines/vmblah' failed with error 'Failed to perform resource identity operation. Status: 'BadRequest'. Response: '{"error":{"code":"BadRequest","message":"Resource '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx//resourcegroups/rg-vmblahuserAssignedMIs/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AMA-vmblahMI' was not found."}}'.'.Failed with error 'Failed to perform resource identity operation. Status: 'BadRequest'. Response: '{"error":{"code":"BadRequest","message":"Resource '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx//resourcegroups/rg-vmblahuserAssignedMIs/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AMA-vmblahMI' was not found."}}'.'.
>
> I'm curious if you or anyone else have found a solution for this yet?

I have since moved away from trying to use the built-in policy identity because it does not work (as detailed in my original message above). Instead I changed to using the BYO user assigned managed identity instead. I've created a global-policy-deployment umi in a UMI resource group. And added this to the policy I was deploying. I then ran into another problem with the policy definition itself.

"roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" ],

Because this policy sets these roles on the UMI, and the UMI is a global UMI which you intend to use with multiple policies, the next policy which tries to set the same roles fails with an error saying "Those roles already exist".

What I had to do to overcome this was to create a copy of the policy, remove the role definition ids, and add them to the umi as part of the umi creation. We are using Terraform to create both the policy and the umi so this was easily done.

Whilst I found a workaround in this instance, it does show that the intended multifunctional built-in policies are not quite working as intended with either the built-in role or the BYO (global) user assigned identity.

Again, the documentation specifically suggests using a user assigned managed identity to reduce the number of system assigned identities being created in Entra.
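Both failures in this thread (the original report, where an assignment scoped to a resource group leaves the remediation identity unable to deploy at the subscription, and the follow-up, where re-granting the policy's roleDefinitionIds to a global UMI collides with grants that already exist) can be checked offline before a remediation task is run. The following is an added example of mine, not code from the issue or from the Azure Policy repository. It assumes the two facts the thread states: Azure Policy grants the policy's roleDefinitionIds to the remediation identity at the assignment scope, and the deployment plus the generated resource group live directly under the subscription. The subscription id, principal id, VM name and the `builtin-umi-rg-example` resource group name are constructed placeholders; the two role definition ids are the ones quoted from the policy above (Contributor and User Access Administrator in the built-in role catalogue).

```python
"""Offline model of the two permission problems described in this thread.

Added example, not code from the issue or the Azure Policy repository. The
subscription id, principal id, VM and resource-group names are constructed
placeholders; only the two role definition ids come from the policy's
roleDefinitionIds quoted in the thread.
"""
from dataclasses import dataclass

ROLE_DEFS = "/providers/Microsoft.Authorization/roleDefinitions/"
CONTRIBUTOR = ROLE_DEFS + "b24988ac-6180-42a0-ab88-20f7382dd24c"
USER_ACCESS_ADMIN = ROLE_DEFS + "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
POLICY_ROLE_IDS = (CONTRIBUTOR, USER_ACCESS_ADMIN)

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed
VM_RG = SUB + "/resourceGroups/zzz-phill-test"                  # RG name from the issue
PRINCIPAL = "11111111-1111-1111-1111-111111111111"              # constructed objectId


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str
    role_definition_id: str
    scope: str


def scope_covers(granted: str, target: str) -> bool:
    """Role assignments inherit downward: a grant at `granted` applies to
    `target` only when target is that scope or sits beneath it."""
    g = granted.rstrip("/").lower()
    t = target.rstrip("/").lower()
    return t == g or t.startswith(g + "/")


def grant_policy_roles(existing, principal_id, assignment_scope):
    """Azure Policy grants each roleDefinitionId to the remediation identity at
    the policy *assignment* scope. A (principal, role, scope) triple that is
    already present is reported as a conflict, which models the "roles already
    exist" failure seen when one global UMI is reused by several policies."""
    granted, conflicts = list(existing), []
    for role in POLICY_ROLE_IDS:
        ra = RoleAssignment(principal_id, role, assignment_scope)
        if ra in granted:
            conflicts.append(ra)
        else:
            granted.append(ra)
    return granted, conflicts


def remediation_targets(bring_your_own_umi: bool):
    """Resource ids the remediation has to write. The deployment is created
    under the subscription (as the error in the issue shows) and, with the
    built-in identity option, so is the generated resource group."""
    targets = [
        SUB + "/providers/Microsoft.Resources/deployments/PolicyDeployment-example",
        VM_RG + "/providers/Microsoft.Compute/virtualMachines/vm-example",
    ]
    if not bring_your_own_umi:
        targets.append(SUB + "/resourceGroups/builtin-umi-rg-example")
    return targets


def missing_permissions(role_assignments, principal_id, targets):
    """Return (target, role_definition_id) pairs the identity cannot satisfy."""
    mine = [ra for ra in role_assignments if ra.principal_id == principal_id]
    missing = []
    for target in targets:
        for role in POLICY_ROLE_IDS:
            if not any(ra.role_definition_id == role and scope_covers(ra.scope, target)
                       for ra in mine):
                missing.append((target, role))
    return missing


def scenario(assignment_scope, bring_your_own_umi=False, existing=(), policy_grants_roles=True):
    """Pre-flight one assignment: the grants the identity ends up with, the
    targets it still cannot reach, and the grants that collide with existing ones."""
    if policy_grants_roles:
        granted, conflicts = grant_policy_roles(existing, PRINCIPAL, assignment_scope)
    else:  # thread's workaround: roleDefinitionIds stripped from a copy of the policy
        granted, conflicts = list(existing), []
    return {
        "granted": granted,
        "missing": missing_permissions(granted, PRINCIPAL, remediation_targets(bring_your_own_umi)),
        "conflicts": conflicts,
    }


if __name__ == "__main__":
    print("RG-scoped, built-in UMI :", scenario(VM_RG)["missing"])
    print("Sub-scoped, built-in UMI:", scenario(SUB)["missing"])
    first = scenario(VM_RG, bring_your_own_umi=True)
    second = scenario(VM_RG, bring_your_own_umi=True, existing=first["granted"])
    print("Global UMI reused       :", second["conflicts"])
    pre = [RoleAssignment(PRINCIPAL, r, SUB) for r in POLICY_ROLE_IDS]
    print("Workaround              :", scenario(VM_RG, True, pre, policy_grants_roles=False)["missing"])
```

To run this against a real tenant, replace the constructed `existing` list with the output of `az role assignment list --assignee <principalId> --all`, whose `principalId`, `roleDefinitionId` and `scope` fields map directly onto `RoleAssignment`; the `missing` list then tells you, before remediation, whether an assignment scoped below the subscription will hit the error in the original report. Note that the workaround only passes because the global UMI holds Contributor and User Access Administrator at subscription scope, which is considerably more standing privilege than a per-assignment system identity would have had.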
