
Error: HttpError: Resource not accessible by integration

Open mme-htkw opened this issue 2 years ago • 8 comments

As our service principal token expired, we decided to use OIDC authentication to deploy our application on Azure.

So we changed the azure/login from:

- name: Login to Azure
  uses: azure/[email protected]
  with:
    creds: ${{ secrets.AZURE_CREDENTIALS }}

to

- name: Login to Azure
  uses: azure/[email protected]
  with:
    client-id: ${{ secrets.AZURE_CLIENT_ID }}
    tenant-id: ${{ secrets.AZURE_TENANT_ID }}
    subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

The login works correctly, as the other Azure steps succeed (docker push, create-secret, set-azure-context), but k8s-deploy fails on the 'Annotating resources' step with the error: HttpError: Resource not accessible by integration

Run Azure/[email protected]
Deploying manifests
Checking manifest stability
Printing ingresses
Annotating resources
  Error: HttpError: Resource not accessible by integration

Do you have a hint, why it fails with the OIDC authentication?

mme-htkw avatar Aug 03 '22 08:08 mme-htkw

My guess is that this is actually an error with the permissions you are giving the workflow. Did the permissions you are granting the workflow change?

https://github.com/Azure/k8s-deploy/blob/531cfdcc3d41140ba29923fbcca51df1183e8610/src/strategyHelpers/deploymentHelper.ts#L143

https://github.com/Azure/k8s-deploy/blob/531cfdcc3d41140ba29923fbcca51df1183e8610/src/utilities/githubUtils.ts#L4

OliverMKing avatar Aug 03 '22 15:08 OliverMKing

I have added these permissions to the GitHub workflow:

permissions:
  id-token: write
  contents: read

Is there anything more required for the k8s-deploy?

mme-htkw avatar Aug 03 '22 15:08 mme-htkw

That looks right to me. It's not working with those permissions?

OliverMKing avatar Aug 03 '22 21:08 OliverMKing

No, it's not working with these permissions.

Actually, the substeps Deploying manifests, Checking manifest stability and Printing ingresses are successful. It fails on the Annotating resources step. Does this step require some special permissions?

mme-htkw avatar Aug 04 '22 05:08 mme-htkw

We're also hitting this issue.

It works when granting full permissions to the token (not the most secure way):

permissions: write-all

It doesn't work with following:

permissions:
  id-token: write
  contents: read

nv35 avatar Aug 04 '22 13:08 nv35

Some permission seems to just be missing from

permissions:
  id-token: write
  contents: read

I don't know what other one we'd need. There haven't been any recent changes that should impact this.

You can test with different permissions (in addition to the above ones) to methodically determine which one is missing.

OliverMKing avatar Aug 04 '22 20:08 OliverMKing

I have tested with different permissions and I found that it requires read access to the actions.

permissions:
  id-token: write
  contents: read
  actions: read

So with these permissions it works.

mme-htkw avatar Aug 05 '22 08:08 mme-htkw
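The least-privilege permission set found in this thread, assembled into a complete workflow as an added example (not code from the issue or from the k8s-deploy project); the action version tags, step inputs and the resource names are assumptions, and the `write-all` setting is shown only as a comment for contrast.

```yaml
# Added example: OIDC login plus k8s-deploy with the minimal GITHUB_TOKEN scopes
# reported to work in this issue. Names and versions are placeholders/assumptions.
name: deploy-to-aks

on:
  push:
    branches: [main]

# Rather than 'permissions: write-all' (works, but grants every scope to the
# job token), grant only what each step needs:
#   id-token: write  -> lets azure/login request the OIDC token for Azure
#   contents: read   -> lets actions/checkout read the repository
#   actions: read    -> needed by k8s-deploy's 'Annotating resources' step
permissions:
  id-token: write
  contents: read
  actions: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3          # version tag assumed

      - name: Login to Azure (OIDC, no stored client secret)
        uses: azure/login@v1               # version tag assumed
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Set AKS context
        uses: azure/aks-set-context@v3     # version tag assumed
        with:
          resource-group: my-resource-group   # placeholder
          cluster-name: my-aks-cluster        # placeholder

      - name: Deploy manifests
        uses: Azure/k8s-deploy@v4          # version tag assumed
        with:
          namespace: default                  # placeholder
          manifests: |
            manifests/deployment.yaml         # placeholder path
            manifests/service.yaml            # placeholder path
          images: myregistry.azurecr.io/myapp:${{ github.sha }}  # placeholder image
```

If the annotation step still reports "Resource not accessible by integration", compare the job's effective permissions (the job-level block overrides the workflow-level one) before widening any scope.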

Will document this in the README.

OliverMKing avatar Aug 15 '22 17:08 OliverMKing

This issue is idle because it has been open for 14 days with no activity.

github-actions[bot] avatar Aug 29 '22 18:08 github-actions[bot]