3
votes

I am trying to create a SQL Server with ARM on Azure DevOps. The pipeline successfully creates the SQL Server resource in the Azure Portal, but I'm getting strange errors in Azure DevOps. Why does this occur and how do I fix it?

ERROR:

There were errors in your deployment. Error code: DeploymentFailed.
##[error]RoleAssignmentUpdateNotPermitted: Tenant ID, application ID, principal ID, and scope are not allowed to be updated.
##[error]Check out the troubleshooting guide to see if your issue is addressed: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops#troubleshooting
##[error]Task failed while creating or updating the template deployment.

YML:

- task: AzureResourceManagerTemplateDeployment@3
  inputs:
    deploymentScope: 'Resource Group'
    azureResourceManagerConnection: 'TestRG-Conn'
    subscriptionId: '1111753a-501e-4e46-9aff-6120ed561111'
    action: 'Create Or Update Resource Group'
    resourceGroupName: 'TestRG'
    location: 'North Europe'
    templateLocation: 'Linked artifact'
    csmFile: '$(System.DefaultWorkingDirectory)/CreateSQLServer/azuredeploy.json'
    csmParametersFile: '$(System.DefaultWorkingDirectory)/CreateSQLServer/azuredeploy.parameters.json'
    deploymentMode: 'Incremental'

VARIABLE IN TEMPLATE:

"variables": {
    "StorageBlobContributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '111111111111111111111-')]"
},

RESOURCE IN TEMPLATE:

"resources": [
    {
        "condition": "[parameters('enableADS')]",
        "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
        "apiVersion": "2018-09-01-preview",
        "name": "[concat(variables('storageName'), '/Microsoft.Authorization/', variables('uniqueRoleGuid'))]",
        "dependsOn": [
            "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]",
            "[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]"
        ],
        "properties": {
            "roleDefinitionId": "[variables('StorageBlobContributor')]",
            "principalId": "[reference(resourceId('Microsoft.Sql/servers', parameters('serverName')), '2018-06-01-preview', 'Full').identity.principalId]",
            "scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]",
            "principalType": "ServicePrincipal"
        }
    }
2
4c74356b41: can you share your template and parameters file? you are clearly attempting to update read-only properties on the sql server
Kenny_I: I wonder if the problem is in "StorageBlobContributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '111111111111111111111-')]". What is this ID that I should use? Does the Service Principal need permission to AD?
4c74356b41: no, what it's saying is this role assignment already exists and you are trying to update it, change its name, i think that should help
PatrickLu-MSFT: Hi Kenny_I, any update on this ticket. Did you get a chance to implement the solution that 4c74356b41 suggested? Were you able to resolve?

2 Answers

7
votes

Chances are you have deployed and deleted the resources, however, the role assignment is still there and that is what it is clashing with (what 4c7... is saying). So, go check the permissions on the storage account - if you use managed identities, that identity will be deleted but the role assignment will persist and show the user as 'unknown', which will also cause the above error when trying to deploy again - had the same issue but with a managed identity I was using for an aks cluster. Frustrating.

When you delete a managed identity it does not delete the associated roles created for it, I wish it cleaned up properly.

0
votes

In my case, it was the name of the RoleAssignment. It was unique on the Resource Group level but not on the subscription level. Not sure what the scope for the uniqueness of the name is.
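Both answers, and 4c74356b41's comment on the question, point at the same mechanism: the role assignment's name is the key, and once an assignment with that name exists, its principal ID, role definition and scope cannot be changed. The Python below is an added example, not code from the question or either answer. It models the clash between a hard-coded assignment name and a recreated principal, shows how a name derived from the immutable fields (the role ARM's guid() plays in a template) avoids it, and flags assignments whose principal no longer resolves, which is what a stale managed-identity assignment looks like. Assumptions: uuid5 is only a stand-in for ARM's guid(); the record fields mirror the shape of `az role assignment list -o json`; an orphaned assignment is modelled as principalType "Unknown" with an empty principalName; every ID and record is a constructed placeholder.

```python
"""Added example (not part of the question or either answer): model why a
redeployed roleAssignment trips RoleAssignmentUpdateNotPermitted, and flag
assignments left behind after their principal (e.g. a managed identity) was
deleted. Assumptions: uuid5 stands in for ARM's guid() function; record
fields mirror `az role assignment list -o json`; an orphaned assignment is
modelled as principalType "Unknown" with an empty principalName. All IDs and
records below are constructed placeholders, not real Azure data.
"""
import uuid
from typing import Dict, List

# Placeholder namespace for the deterministic-name stand-in (assumption).
_NAME_NS = uuid.UUID("00000000-0000-0000-0000-0000000000ff")

# Fields Azure treats as immutable once an assignment with this name exists.
IMMUTABLE = ("principalId", "roleDefinitionId", "scope")


def role_assignment_name(scope: str, role_definition_id: str, principal_id: str) -> str:
    """Deterministic name derived from every immutable field, in the spirit of
    guid(scope, roleDefinitionId, principalId) in an ARM template: identical
    inputs always give the same name, so a redeploy is idempotent, while a new
    principal (e.g. a recreated SQL server identity) gets a fresh name."""
    key = "|".join(s.lower() for s in (scope, role_definition_id, principal_id))
    return str(uuid.uuid5(_NAME_NS, key))


def would_clash(existing: List[Dict], candidate: Dict) -> bool:
    """True when an assignment with the candidate's name already exists but one
    of its immutable fields differs: that is the update Azure refuses."""
    for a in existing:
        if a["name"].lower() != candidate["name"].lower():
            continue
        return any(a[k].lower() != candidate[k].lower() for k in IMMUTABLE)
    return False


def orphaned_assignments(assignments: List[Dict]) -> List[Dict]:
    """Assignments whose principal no longer resolves; these show as 'unknown'
    in the portal and keep their name reserved until deleted."""
    return [a for a in assignments
            if a.get("principalType") == "Unknown" or not a.get("principalName")]


# --- constructed sample data (placeholders, not real identifiers) ----------
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
STORAGE_SCOPE = SUB + "/resourceGroups/TestRG/providers/Microsoft.Storage/storageAccounts/teststorage"
ROLE_DEF = SUB + "/providers/Microsoft.Authorization/roleDefinitions/11111111-1111-1111-1111-111111111111"
OLD_PRINCIPAL = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # identity of the deleted SQL server
NEW_PRINCIPAL = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"  # identity of the recreated one
FIXED_NAME = "cccccccc-cccc-cccc-cccc-cccccccccccc"     # assumed hard-coded uniqueRoleGuid

EXISTING = [
    {   # stale assignment: its principal went away with the old SQL server
        "name": FIXED_NAME, "scope": STORAGE_SCOPE, "roleDefinitionId": ROLE_DEF,
        "principalId": OLD_PRINCIPAL, "principalName": "", "principalType": "Unknown",
    },
    {   # healthy assignment for a human user, for contrast
        "name": "dddddddd-dddd-dddd-dddd-dddddddddddd", "scope": STORAGE_SCOPE,
        "roleDefinitionId": ROLE_DEF, "principalId": "eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee",
        "principalName": "admin@example.com", "principalType": "User",
    },
]


def redeploy_with_fixed_name() -> Dict:
    """The questioner's pattern: same hard-coded name, new principalId."""
    return {"name": FIXED_NAME, "scope": STORAGE_SCOPE,
            "roleDefinitionId": ROLE_DEF, "principalId": NEW_PRINCIPAL}


def redeploy_with_derived_name() -> Dict:
    """Name derived from the immutable fields: the new principal gets a new name."""
    return {"name": role_assignment_name(STORAGE_SCOPE, ROLE_DEF, NEW_PRINCIPAL),
            "scope": STORAGE_SCOPE, "roleDefinitionId": ROLE_DEF, "principalId": NEW_PRINCIPAL}


if __name__ == "__main__":
    print("fixed name clashes:  ", would_clash(EXISTING, redeploy_with_fixed_name()))
    print("derived name clashes:", would_clash(EXISTING, redeploy_with_derived_name()))
    for a in orphaned_assignments(EXISTING):
        print("orphaned assignment to remove:", a["name"], "principal", a["principalId"])
```

Run against the constructed data, the fixed-name redeploy is reported as a clash while the derived-name redeploy is not, and the stale assignment is the only orphan listed. The same two checks map onto the answers: clean up orphaned assignments on the storage account before redeploying, and derive the assignment name from scope, role and principal so a recreated identity never tries to overwrite an old record.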