Description
opened on Oct 11, 2023
What happened?
When using a User Assigned Managed Identity and attempting to use SqlResourceSqlRoleAssignment for Cosmos DB to grant RBAC permissions, it occasionally fails with the following error.
error: resource partially created but read failed autorest/azure: Service returned an error. Status=404 Code="NotFound" Message="Unable to find a SQL Role Assignment with ID [XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX].\r\nActivityId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, Microsoft.Azure.Documents.Common/2.14.0": Code="BadRequest" Message="The provided principal ID [XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX] was not found in the AAD tenant(s) [XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX] which are associated with the customer's subscription.\r\nActivityId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0"
Subsequent runs will succeed in creating a SqlResourceSqlRoleAssignment.
Example
using Pulumi;
using Pulumi.AzureNative;
using Pulumi.AzureNative.DocumentDB;

// resourceGroupName, cosmosAccount and cosmosDBDataContributorRoleDefinition are defined elsewhere in the program.
// Create the user-assigned identity and take its principal (object) ID as an Output<string>.
var userAssignedIdentity = new ManagedIdentity.UserAssignedIdentity("user-assigned-identity", new ManagedIdentity.UserAssignedIdentityArgs
{
    ResourceGroupName = resourceGroupName
}).PrincipalId;

// Grant that identity a Cosmos DB SQL (data-plane) role at account scope.
// Using the identity's PrincipalId output makes Pulumi create the identity before this assignment.
var sqlResourceSqlRoleAssignment = new SqlResourceSqlRoleAssignment("sql-resource-sql-role-assignment", new SqlResourceSqlRoleAssignmentArgs
{
    AccountName = cosmosAccount.Apply(account => account.Name),
    PrincipalId = userAssignedIdentity,
    ResourceGroupName = resourceGroupName,
    RoleAssignmentId = new Pulumi.Random.RandomUuid("testRandomUuid").Result,
    RoleDefinitionId = cosmosDBDataContributorRoleDefinition,
    Scope = cosmosAccount.Apply(account => account.Id),
});
Example Repo with Referenced Code Above
Output of pulumi about
CLI
Version 3.79.0
Go Version go1.21.0
Go Compiler gc
Plugins
NAME VERSION
azure-native 2.10.0
azuread 5.42.0
dotnet unknown
random 4.14.0
Host
OS darwin
Version 13.6
Arch arm64
Dotnet 7
Additional context
This could be an issue on the Microsoft side. When I create a normal role assignment, it performs a PUT against RoleAssignment and responds with a 201 Created immediately. When I attempt to create a SqlResourceSqlRoleAssignment, it responds 202 Accepted and has a status of "Enqueued" and eventually fails after several GET requests to check the status of the resource.
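The error quoted above nests two autorest Code/Message pairs: the outer 404 NotFound for the role assignment read, and the inner BadRequest saying the principal ID was not found in the tenant, which is the signature of the identity-propagation race. The following Python helper is an added example, not code from Pulumi or from this issue; it parses that structure from a constructed, abridged copy of the message (placeholder GUIDs) so a CI log filter can tell the retry-safe propagation case apart from a genuine NotFound.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modeled on the error quoted in the issue (abridged); GUIDs are placeholders.
SAMPLE_ERROR = (
    "error: resource partially created but read failed autorest/azure: Service returned an error. "
    'Status=404 Code="NotFound" Message="Unable to find a SQL Role Assignment with ID '
    "[XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX].\r\nActivityId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, "
    'Microsoft.Azure.Documents.Common/2.14.0": Code="BadRequest" Message="The provided principal ID '
    "[XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX] was not found in the AAD tenant(s) "
    "[XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX] which are associated with the customer's subscription.\""
)

GUID = r"[0-9A-Za-z]{8}(?:-[0-9A-Za-z]{4}){3}-[0-9A-Za-z]{12}"
# Each Code="..." Message="..." pair; messages in this format carry no inner double quotes.
PAIR_RE = re.compile(r'Code="(?P<code>[^"]+)" Message="(?P<msg>[^"]*)"')
STATUS_RE = re.compile(r"Status=(\d{3})")
PRINCIPAL_RE = re.compile(rf"principal ID \[({GUID})\] was not found in the AAD tenant")


@dataclass
class Triage:
    status: Optional[int]          # outer HTTP status, if present
    codes: List[str]               # error codes outermost first
    principal_id: Optional[str]    # principal the service could not resolve, if any
    verdict: str


def triage(error_text: str) -> Triage:
    """Parse the nested autorest Code/Message pairs and classify the failure."""
    status_match = STATUS_RE.search(error_text)
    status = int(status_match.group(1)) if status_match else None
    pairs = PAIR_RE.findall(error_text)  # [(code, message), ...] in order of nesting
    codes = [code for code, _ in pairs]
    principal = None
    for _, msg in pairs:
        found = PRINCIPAL_RE.search(msg)
        if found:
            principal = found.group(1)
    partial = "resource partially created but read failed" in error_text
    if partial and principal:
        verdict = "retry: identity propagation race (principal not yet visible to Cosmos DB)"
    elif partial:
        verdict = "investigate: partial create without the propagation signature"
    else:
        verdict = "investigate: not the partial-create pattern"
    return Triage(status, codes, principal, verdict)
```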
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).