Code: InvalidTemplateDeployment #1248

Open
clifpi opened this issue Jan 15, 2025 · 4 comments
Labels

  • Needs: Attention 👋 (Issue or PR needs to be reviewed by the author or it will be closed due to no activity)
  • Resolution: External (Issue is external to the FinOps toolkit)
  • Tool: FinOps hubs (Data pipeline solution)

Comments


clifpi commented Jan 15, 2025

Hello,
I have owner access to a subscription and am trying to deploy a hub, and I constantly receive the following:
{
"code": "DeploymentFailed",
"target": "/subscriptions/829/resourceGroups/rg-s/providers/Microsoft.Resources/deployments/hub",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
"details": [
{
"code": "InvalidTemplateDeployment",
"message": "The template deployment failed with error: 'Authorization failed for template resource 'a6' of type 'Microsoft.Authorization/roleAssignments'. The client 'admin-hub' with object id '9' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/82/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/finopshub1envr6qrsubjru/providers/Microsoft.Authorization/roleAssignments/a60'.'."
}

microsoft-github-policy-service bot added the Needs: Triage 🔍 label Jan 15, 2025

clifpi commented Jan 22, 2025

Any thoughts here? I am trying to also connect after this error and get "Access to resources is forbidden" when I try to use the SAS token.


clifpi commented Jan 22, 2025

Image


flanakin commented Feb 2, 2025

@clifpi I can't explain the deployment failure. I would recommend filing a support request against ARM for that one. We would need their help to investigate. I also can't explain the "a9" resource name or "6" object ID reference. Those generally aren't valid and wouldn't come from us as far as I'm aware. Was the template customized in any way?

For the SAS token, my first guess would be that the token doesn't have the right level of access. Can you review these instructions to make sure it's configured correctly?

https://learn.microsoft.com/cloud-computing/finops/toolkit/power-bi/setup#use-a-sas-token-to-connect-data-to-a-report

#needsinfo

flanakin added the Needs: Attention 👋, Tool: FinOps hubs and Resolution: External labels and removed the Needs: Triage 🔍 label Feb 2, 2025
flanakin added this to the 2025-02 - February milestone Feb 2, 2025

philipstreet commented Feb 6, 2025

I am having the same issue using the "Deploy to Azure" link to deploy a "FinOps Hub".

I think the error relates to the role assignments on the "finopshub..." Storage Account. The template contains the following code:

"blobUploadRbacRoles": [
    "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
    "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
    "69566ab7-960f-475b-8e7c-b3118f30c6bd"
]
.
.
.
{
    "copy": {
        "name": "identityRoleAssignments",
        "count": "[length(variables('blobUploadRbacRoles'))]"
    },
    "type": "Microsoft.Authorization/roleAssignments",
    "apiVersion": "2022-04-01",
    "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), variables('blobUploadRbacRoles')[copyIndex()], resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('{0}_blobManager', variables('storageAccountName'))))]",
    "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('blobUploadRbacRoles')[copyIndex()])]",
        "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('{0}_blobManager', variables('storageAccountName'))), '2023-01-31').principalId]",
        "principalType": "ServicePrincipal"
    },
    "dependsOn": [
        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('{0}_blobManager', variables('storageAccountName')))]",
        "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
    ]
},

The RBAC roles are:

  • ba92f5b4-2d11-453d-a403-e96b0029c9fe : Storage Blob Data Contributor
  • e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 : Managed Identity Contributor
  • 69566ab7-960f-475b-8e7c-b3118f30c6bd : Storage File Data Privileged Contributor

I can apply the 1st & 3rd roles in the Portal, but I am not able to apply the 2nd one. Could this be the issue?
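
Added example (not part of the thread and not FinOps toolkit code): a pre-flight check that lists the roles a template's `Microsoft.Authorization/roleAssignments` resources grant and tests whether a role definition's Actions/NotActions permit `Microsoft.Authorization/roleAssignments/write`, the action named in the error above. The function names, the trimmed template and the two abridged role definitions are constructed for illustration.

```python
import fnmatch
import re

REQUIRED = "Microsoft.Authorization/roleAssignments/write"  # action named in the error
COPY_VAR = re.compile(r"variables\('([^']+)'\)\[copyIndex\(\)\]")

def _matches(action, patterns):
    # RBAC action strings are compared case-insensitively; '*' is the wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_allows(role_def, action=REQUIRED):
    """A permission block grants an action if Actions match and NotActions do not."""
    return any(
        _matches(action, p.get("actions", [])) and not _matches(action, p.get("notActions", []))
        for p in role_def["permissions"]
    )

def roles_assigned(template):
    """Role definition IDs granted by top-level roleAssignments resources."""
    found = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.authorization/roleassignments":
            continue
        expr = res["properties"]["roleDefinitionId"]
        m = COPY_VAR.search(expr)
        # A copy loop indexes a variable array, as in the excerpt quoted above.
        found.extend(template["variables"][m.group(1)] if m else [expr])
    return found

def preflight(template, caller_role):
    roles = roles_assigned(template)
    return {"roles_assigned": roles,
            "caller_can_deploy": not roles or role_allows(caller_role)}

# Constructed sample: trimmed from the template excerpt quoted in the thread.
TEMPLATE = {
    "variables": {"blobUploadRbacRoles": [
        "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
        "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
        "69566ab7-960f-475b-8e7c-b3118f30c6bd"]},
    "resources": [{
        "type": "Microsoft.Authorization/roleAssignments",
        "properties": {"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('blobUploadRbacRoles')[copyIndex()])]"},
    }],
}
# Constructed, abridged role definitions modelled on built-in Owner and Contributor.
OWNER = {"permissions": [{"actions": ["*"], "notActions": []}]}
CONTRIBUTOR = {"permissions": [{"actions": ["*"], "notActions": [
    "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write"]}]}

if __name__ == "__main__":
    for name, role in (("Owner", OWNER), ("Contributor", CONTRIBUTOR)):
        print(name, preflight(TEMPLATE, role))
```

A role definition that allows the action is necessary but not sufficient: the scope of the caller's assignment, deny assignments and any condition attached to that assignment are evaluated by Azure and are not modelled here.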


3 participants