
[BUG]Error assigning role to service principal, exiting...

Open SridharArrabelly opened this issue 1 year ago • 16 comments

Describe the bug: I followed the steps as explained in the deployment guide. It appears the provisioning of services has been completed successfully, but there is a problem with assigning roles afterwards.

To Reproduce Steps to reproduce the behavior:

  1. run bash deploy.sh -p deploy.parameters.json
  2. you will see the error as in the attached screenshot.

Screenshots Screenshot 2024-10-06 164042

Desktop (please complete the following information):

  • OS: Windows 11
  • Bicep: 0.30.23

Additional context: Resource group and OpenAI are in the same subscription.

SridharArrabelly avatar Oct 06 '24 17:10 SridharArrabelly

@SridharArrabelly - can you verify that your user (or service principal executing the deployment) has the Role Based Access Control (RBAC) Administrator role assigned on your subscription?

I've found this is generally the issue, where this role is either not assigned or is limited in scope to particular resources.

timothymeyers avatar Oct 07 '24 18:10 timothymeyers

I had a similar issue - for me restarting the deployment helped. It seems there are some timing issues. Also at some point the issue was that the nodes in the AKS cluster were still starting.

DOliana avatar Oct 08 '24 13:10 DOliana

> I had a similar issue - for me restarting the deployment helped. It seems there are some timing issues. Also at some point the issue was that the nodes in the AKS cluster were still starting.

Having the same error. Did you just run bash deploy.sh -p deploy.parameters.json again?

soon-nl avatar Oct 08 '24 17:10 soon-nl

@DOliana @soon-nl redeploy/run again didn't work. @timothymeyers I can confirm that I have the Role Based Access Control (RBAC) Administrator role. Please see attached.

Screenshot 2024-10-09 062044

SridharArrabelly avatar Oct 09 '24 04:10 SridharArrabelly

> > I had a similar issue - for me restarting the deployment helped. It seems there are some timing issues. Also at some point the issue was that the nodes in the AKS cluster were still starting.

> Having the same error. Did you just run bash deploy.sh -p deploy.parameters.json again?

yes exactly. rerunning it did the trick for me.

DOliana avatar Oct 21 '24 15:10 DOliana

@DOliana rerun didn't work for me either. Anything else I can do? I am the subscription owner but I still have given the RBAC admin permission to myself. I am also the subscription owner.

puneetpawaia avatar Dec 27 '24 12:12 puneetpawaia

running again for many times didn't work for me, I'm also directory and subscription admin.

btw, added some traces to the deployment script and the scope looks empty, might be the cause?

Deployment name: graphrag-deploy-2025-01-01_18-31-00
Assigning 'Cognitive Services OpenAI Contributor' role to managed identity... 
servicePrincipalId: a7ffbae6-bae6-4faf-b137-b80743fbf256
scope: 
 ________________________________
/  Uh oh, an error has occurred. \
\  Please see message below.     /
 ‾‾‾‾‾‾‾‾‾‾/‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
          /
      __ /
     /  \
    ~    ~
   / \  /_\
   \o/  \o/
    |    |
    ||   |/
    ||   ||
    ||   ||
    | \_/ |
    \     /
     \___/

Error assigning role to service principal, exiting...

guybartal avatar Jan 01 '25 18:01 guybartal

I've tried to manually assign role to this principal, and it worked and also solved my indexing issue:

image

guybartal avatar Jan 01 '25 18:01 guybartal

I've found the problem: if your OpenAI service is deployed into another subscription, the scope is empty. You need to pass the subscription ID to the following line:

local scope=$(az cognitiveservices account list --subscription=$GRAPHRAG_API_SUBSCRIPTION --query "[?contains(properties.endpoint, '$GRAPHRAG_API_BASE')] | [0].id" -o tsv)

and introduce this new GRAPHRAG_API_SUBSCRIPTION key in deploy.parameters.json

guybartal avatar Jan 01 '25 21:01 guybartal
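A fail-closed form of the scope lookup and role assignment discussed in the comment above, written as an added example and not taken from deploy.sh or the project. The function names are hypothetical; the `az` subcommands and flags are the ones quoted in this thread. An empty or malformed scope stops the script before `az role assignment create` runs, so the failure is reported at the lookup, and the role is only ever granted on a single Cognitive Services account.

```shell
#!/bin/sh
# Added example (not from deploy.sh). Function names are hypothetical.

# Succeed only if $1 is one full ARM resource ID of a Cognitive Services account.
is_aoai_account_scope() {
    local scope="$1"
    local guid='[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}'
    # Reject multi-line values so grep cannot match just one line of them.
    [ "$(printf '%s\n' "$scope" | wc -l)" -eq 1 ] || return 1
    # ARM resource IDs are case-insensitive, hence -i.
    printf '%s\n' "$scope" | grep -Eiq \
        "^/subscriptions/${guid}/resourceGroups/[^/]+/providers/Microsoft\.CognitiveServices/accounts/[^/]+\$"
}

# Print the resource ID of the account whose endpoint contains $2,
# searching subscription $1. Fails if nothing (or something odd) comes back.
resolve_aoai_scope() {
    local subscription="$1" api_base="$2" scope
    # Assign separately from `local` so a failing az call is not masked.
    scope=$(az cognitiveservices account list --subscription "$subscription" \
        --query "[?contains(properties.endpoint, '$api_base')] | [0].id" -o tsv) || return 1
    is_aoai_account_scope "$scope" || {
        echo "No Cognitive Services account matching '$api_base' in subscription '$subscription'" >&2
        return 1
    }
    printf '%s\n' "$scope"
}

# Assign the role on exactly one account; never call az with an empty scope.
assign_aoai_role() {
    local principal_id="$1" scope="$2"
    is_aoai_account_scope "$scope" || {
        echo "Refusing role assignment: invalid scope '$scope'" >&2
        return 1
    }
    az role assignment create --role 'Cognitive Services OpenAI Contributor' \
        --assignee "$principal_id" --scope "$scope"
}
```
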

Hi @guybartal, my OpenAI service is in the same subscription but in a different resource group. Can you help me with adding the trace to print out servicePrincipalId as you have done so that I can add the role directly to the service? Or should I move the service to the same resource group?

puneetpawaia avatar Jan 02 '25 12:01 puneetpawaia

Did some more exploring and found that in my case AZURE_DEPLOY_RESULTS in the deployAzureResources function is coming out to be empty. For both a fresh run and for a rerun. Tested this with OpenAI service in different resource groups and in the same resource group.

puneetpawaia avatar Jan 03 '25 09:01 puneetpawaia

Hi @markmassad , can you check if AZURE_DEPLOY_RESULTS contains some value or if it is blank as it is for me? This is the same message I get.

puneetpawaia avatar Jan 04 '25 08:01 puneetpawaia

Hello @puneetpawaia, I didn't check that... but I see the error is in: az role assignment create --role 'Cognitive Services OpenAI Contributor' --assignee [SPObjectID] --scope '/subscriptions/[SUBID]/resourceGroups/openAI/providers/Microsoft.CognitiveServices/accounts/openai1a'

I tried several variations of that command and none of them added the role assignment. For whatever reason, I could ONLY add the assignment to the SP using the Portal. Go figure??? Maybe a bug in the Az fabric?

BTW: I deleted a comment as it was a side effect of this issue here on the role assignment creation and didn't want to muddy the water.

markmassad avatar Jan 04 '25 23:01 markmassad

Hi @markmassad, if I understand correctly, this code is at line 422 in function assignAOAIRoleToManagedIdentity of deploy.sh. Unfortunately, I don't get to this code in my case. I get the error while the deployment is processing main.bicep. My error comes from line 362, which is before assignAOAIRoleToManagedIdentity gets called in line 366.

puneetpawaia avatar Jan 06 '25 12:01 puneetpawaia

Sure, I think I'll open a PR to fix this issue so others can benefit.



guybartal avatar Jan 06 '25 20:01 guybartal

@puneetpawaia, in case this PR doesn't help you, I suggest you share the error captured in the deployment from Azure Portal.

guybartal avatar Jan 07 '25 10:01 guybartal