
Race Condition Issue with User Assigned Managed Identity's PrincipalId and SqlResourceSqlRoleAssignment #2816

Open

Description

What happened?

When using a User Assigned Managed Identity and attempting to use SqlResourceSqlRoleAssignment for Cosmos DB to grant RBAC permissions, it occasionally fails with the following error.

error: resource partially created but read failed autorest/azure: Service returned an error. Status=404 Code="NotFound" Message="Unable to find a SQL Role Assignment with ID [XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX].\r\nActivityId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, Microsoft.Azure.Documents.Common/2.14.0": Code="BadRequest" Message="The provided principal ID [XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX] was not found in the AAD tenant(s) [XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX] which are associated with the customer's subscription.\r\nActivityId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0"

Subsequent runs will succeed in creating a SqlResourceSqlRoleAssignment.

Example

    // Create the user-assigned identity and capture its PrincipalId output.
    var userAssignedIdentity = new ManagedIdentity.UserAssignedIdentity("user-assigned-identity", new ManagedIdentity.UserAssignedIdentityArgs
    {
        ResourceGroupName = resourceGroupName
    }).PrincipalId;

    // Grant that identity a Cosmos DB SQL role. PrincipalId flows from the identity above,
    // so Pulumi orders the two resources, but the service may not yet resolve the principal
    // in the tenant when this request is enqueued.
    var sqlResourceSqlRoleAssignment = new SqlResourceSqlRoleAssignment("sql-resource-sql-role-assignment", new SqlResourceSqlRoleAssignmentArgs
    {
        AccountName = cosmosAccount.Apply(account => account.Name),
        PrincipalId = userAssignedIdentity,
        ResourceGroupName = resourceGroupName,
        RoleAssignmentId = new Pulumi.Random.RandomUuid("testRandomUuid").Result,
        RoleDefinitionId = cosmosDBDataContributorRoleDefinition,
        Scope = cosmosAccount.Apply(account => account.Id),
    });

Example Repo with Referenced Code Above

Output of pulumi about

CLI
Version 3.79.0
Go Version go1.21.0
Go Compiler gc

Plugins
NAME VERSION
azure-native 2.10.0
azuread 5.42.0
dotnet unknown
random 4.14.0

Host
OS darwin
Version 13.6
Arch arm64

Dotnet 7

Additional context

This could be an issue on the Microsoft side. When I create a normal role assignment, it performs a PUT against RoleAssignment and responds with a 201 Created immediately. When I attempt to create a SqlResourceSqlRoleAssignment, it responds with 202 Accepted and a status of "Enqueued", and eventually fails after several GET requests to check the status of the resource.
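The failure described above is a replication race rather than a misconfiguration: the identity exists, but the Cosmos DB control plane cannot yet resolve its PrincipalId in the tenant when the enqueued assignment is processed. As an added example, not part of this issue or of the Pulumi or Azure SDKs, the following Python distinguishes that transient error (matched on the message shape quoted in the description) from permanent ones and retries only it; `create`, `FakeCosmosControlPlane` and the zeroed IDs are constructed stand-ins.

```python
import re
import time

# Shape of the failure quoted in this issue: outer NotFound, inner BadRequest naming the principal.
PRINCIPAL_NOT_FOUND = re.compile(
    r'Code="BadRequest" Message="The provided principal ID \[([^\]]+)\] '
    r'was not found in the AAD tenant'
)


def is_principal_propagation_error(error_text: str) -> bool:
    """True only for the identity-not-yet-replicated race; any other service
    error (wrong scope, missing permission, bad role definition) is permanent."""
    return PRINCIPAL_NOT_FOUND.search(error_text) is not None


def create_role_assignment_with_retry(create, attempts=6, base_delay=2.0, sleep=time.sleep):
    """create() is a hypothetical callable raising RuntimeError with the service message.
    Back off and retry only on the propagation race; re-raise anything else at once."""
    for attempt in range(attempts):
        try:
            return create()
        except RuntimeError as exc:
            if attempt == attempts - 1 or not is_principal_propagation_error(str(exc)):
                raise
            sleep(base_delay * 2 ** attempt)


# Constructed stand-in for the Cosmos DB control plane: the identity resolves only after N failures.
class FakeCosmosControlPlane:
    def __init__(self, visible_after: int):
        self.visible_after = visible_after
        self.calls = 0

    def create(self):
        self.calls += 1
        if self.calls <= self.visible_after:
            raise RuntimeError(
                'Code="NotFound" Message="Unable to find a SQL Role Assignment with ID '
                '[00000000-0000-0000-0000-000000000001]": Code="BadRequest" Message="The '
                'provided principal ID [00000000-0000-0000-0000-000000000002] was not found '
                'in the AAD tenant(s) [00000000-0000-0000-0000-000000000003]"'
            )
        return {"status": "Succeeded", "attempts": self.calls}


if __name__ == "__main__":
    plane = FakeCosmosControlPlane(visible_after=2)
    print(create_role_assignment_with_retry(plane.create, sleep=lambda s: None))
```

Bounding the attempts matters: a principal that never appears (wrong tenant, deleted identity) must surface as a hard failure rather than an endless poll.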

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).


Metadata


Labels

blocked: The issue cannot be resolved without 3rd party action.
customer/feedback: Feedback from customers
impact/reliability: Something that feels unreliable or flaky
kind/bug: Some behavior is incorrect or out of spec
upstream/service
