Creating or updating an assignment using REST API #58

Open
RuthvikRaviKumar opened this issue Apr 29, 2021 · 3 comments

@RuthvikRaviKumar

I get this error when I try to assign the blueprint to a subscription using the REST API:

There were error(s) encountered during the deployment:
Exceeded maximum wait time of '00:05:00'. Message: 'Either the Azure Blueprints service principal does not have owner permissions on the target subscription, or the system-assigned managed identity has not yet finished replicating.'.

I am certain that the issue is not caused by the service principal, as it succeeds when I assign an empty blueprint to a subscription. Only when I try assigning a blueprint with artifacts do I get this issue. Also, this issue occurs about 50% of the time.

@alex-frankel
Contributor

Would it be possible for you to open a support case to get this resolved? I suspect we will need to do some digging on our side to find out what is happening and support will be able to help you get all the details we need to investigate.

@raeder1986

Seems that the problem is still relevant - I got the same when deploying a Blueprint using the Azure CLI (updating an existing assignment). Solved it by manually granting Owner rights to the Azure Blueprints SP:

  • Get the Azure Blueprints SP Id
    az ad sp show --id f71766dc-90d9-4b7d-bd9d-4499c4331c3f --query "id"
  • Get your subscription id (choose the one needed from the list)
    az account list --query "[].{name:name, id:id}" --output tsv
  • Grant Owner permissions
    az role assignment create --assignee "_Blueprints_SP_Id_" --role "Owner" --subscription "_Subscription_Id_"

After this procedure, the assignment update from the Azure CLI worked again.

@coolhome

coolhome commented Jun 9, 2023

I had this issue as well. I think the Azure deployment error should have a link here.

https://learn.microsoft.com/en-us/azure/governance/blueprints/overview

If using a system-assigned managed identity, the service principal for Azure Blueprints requires the Owner role on the assigned subscription in order to enable deployment. If using the portal, this role is automatically granted and revoked for the deployment. If using the REST API, this role must be manually granted, but is still automatically revoked after the deployment completes. If using a user-assigned managed identity, only the user creating the blueprint assignment needs the Microsoft.Blueprint/blueprintAssignments/write permission, which is included in both the Owner and Blueprint Operator built-in roles.
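
The manual steps from the comments above, combined into one script, as an added example that is not part of the thread or the project's own code. It scopes the Owner grant to a single subscription, skips it when already present, and adds a cleanup function for any Owner assignment still left after the deployment; the function names and the grant/revoke entry point are hypothetical.

```shell
#!/bin/sh
# Added example: grant, verify and clean up Owner for the Azure Blueprints SP.
# The app ID is the one quoted in the thread; function names are hypothetical.
BLUEPRINTS_APP_ID="f71766dc-90d9-4b7d-bd9d-4499c4331c3f"

# Resolve the tenant-local object ID of the Azure Blueprints service principal.
blueprints_sp_id() {
    az ad sp show --id "$BLUEPRINTS_APP_ID" --query "id" --output tsv
}

# Print IDs of Owner assignments the SP holds at this subscription scope.
owner_assignments() {  # $1 = SP object ID, $2 = subscription ID
    az role assignment list --assignee "$1" --role "Owner" \
        --scope "/subscriptions/$2" --query "[].id" --output tsv
}

# Grant Owner before a REST API / CLI assignment, only if not already present.
grant_owner() {  # $1 = subscription ID
    sp_id=$(blueprints_sp_id) || return 1
    [ -n "$sp_id" ] || { echo "Blueprints SP not found in tenant" >&2; return 1; }
    if [ -n "$(owner_assignments "$sp_id" "$1")" ]; then
        echo "already-granted"
        return 0
    fi
    az role assignment create --assignee-object-id "$sp_id" \
        --assignee-principal-type ServicePrincipal --role "Owner" \
        --scope "/subscriptions/$1" --output none && echo "granted"
}

# After the deployment completes, remove any Owner grant that is still there.
revoke_owner() {  # $1 = subscription ID
    sp_id=$(blueprints_sp_id) || return 1
    if [ -z "$(owner_assignments "$sp_id" "$1")" ]; then
        echo "nothing-to-revoke"
        return 0
    fi
    az role assignment delete --assignee "$sp_id" --role "Owner" \
        --scope "/subscriptions/$1" && echo "revoked"
}

# Entry point: script.sh grant|revoke <subscription-id>
case "${1:-}" in
    grant)  grant_owner "$2" ;;
    revoke) revoke_owner "$2" ;;
esac
```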
