azure-search-openai-demo
Provisioning with a Service Principal.
Please provide us with the following information:
I provisioned with a service principal because my environment does not allow browser authentication. I changed main.bicep because of some errors, is there a problem with this change? Search from the app seems to work. Thanks in advance.
This issue is for a: (mark with an x)
- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
Created the service principal.
```
az ad sp create-for-rbac --name DemoServicePrincipalOwner \
  --role Owner \
  --scopes /subscriptions/<mysubscription_id>
```
login
```
azd auth login --client-id $APP_ID --tenant-id $TENANT_ID --client-secret $PASSWORD
```
provision
```
azd provision
(✓) Done: Resource group: xxxxx
(✓) Done: Storage account: xxxxx
(✓) Done: Search service: xxxxx
(✓) Done: App Service plan: xxxxx
(✓) Done: Azure OpenAI: xxxxx
(✓) Done: Form recognizer: xxxxx
(✓) Done: App Service: xxxxx
ERROR: deployment failed: failing invoking action 'provision', error deploying infrastructure: deploying to subscription:
Deployment Error Details:
UnmatchedPrincipalType: The PrincipalId 'xxxxx' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'.
```
Changed main.bicep as follows:
```bicep
module storageRoleUser 'core/security/role.bicep' = {
  scope: storageResourceGroup
  name: 'storage-role-user'
  params: {
    principalId: principalId
    roleDefinitionId: 'xxxxx'
    // principalType: 'User'
    principalType: 'ServicePrincipal'
  }
}
```
Any log messages given by the failure
Expected/desired behavior
OS and Version?
Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?) Ubuntu 20.04
azd version?
run azd version and copy paste here. azd version 1.4.5
Versions
Mention any other details that might be useful
Thanks! We'll be in touch soon.
@pamelafox - Prob good idea to add a param to main.bicep that allows people to specify principalId type
Yep, seems like a good idea, AZD_USER_TYPE or some such? I assume we can't detect it programmatically from the principalId.
AZURE_PRINCIPAL_TYPE
@pamelafox @jongio Is this limited to this repo or is there a broader AZD issue that needs to be addressed?
I think this particular issue can be resolved within this repo, though I haven't given it a go myself to be 100% certain.
Any solution for the issue? I run azd up in a GitHub workflow and meet the same issue. Any solution instead of changing main.bicep? And why is it different from running azd up locally?
I'm also still hitting this. It's different from azd up in local as locally you're running with a browser auth flow - so you get a user record type when synthesizing locally - but if you're running in the cloud - you'll be using a clientId/secret which is a service principal. There is 100% a problem here in that azd should be detecting the credential type and the infra should be synthed based on the current authentication type.
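
The parameter proposed in the comments above, sketched as an added example (not code from the repository or from any commenter). It is a fragment of main.bicep: the parameter name `principalType` and the main.parameters.json mapping to `AZURE_PRINCIPAL_TYPE` are assumptions, while `storageResourceGroup`, `principalId` and `core/security/role.bicep` are the names from the snippet in the issue.

```bicep
// Added example, not the repository's code.
// Hypothetical parameter: lets the caller state what kind of identity
// principalId refers to, instead of hard-coding 'User' in the role module.
@description('Kind of identity behind principalId; must match the type the directory reports for that object ID.')
@allowed([
  'User'
  'ServicePrincipal'
])
param principalType string = 'User' // default keeps the interactive (browser) login behaviour

// Assumed wiring in main.parameters.json so azd passes the value through
// from its environment, falling back to 'User' when the variable is unset:
//   "principalType": { "value": "${AZURE_PRINCIPAL_TYPE=User}" }

module storageRoleUser 'core/security/role.bicep' = {
  scope: storageResourceGroup
  name: 'storage-role-user'
  params: {
    principalId: principalId
    roleDefinitionId: 'xxxxx' // elided in the issue; left as-is
    // Was hard-coded to 'User', which fails with UnmatchedPrincipalType
    // when azd is logged in with a client ID and secret.
    principalType: principalType
  }
}
```

With a service principal login, `azd env set AZURE_PRINCIPAL_TYPE ServicePrincipal` before `azd provision` would select the matching type. Any other role module that hard-codes `principalType` for the same `principalId` would need the same change.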