Import-AzBluePrintwithartifact fails if no subscription is available in Az context

Question

Import-AzBluePrintwithartifact fails if no subscription is available in Az context

artisticcheese opened this issue 4 years ago · comments

Please see following issue opened since March 2020
Azure/azure-powershell#11245

In case Az context does not contain subscription this cmdlet will throw Import-AzBlueprintWithArtifact: Object reference not set to an instance of an object. upon attempt to upload blueprint.
This happens when service principal does not have direct Role Assignment on subscription level but have inherited assignment through management group. In this case Connect-AzAccount does not populate subscription info

Repro

Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant 65e4e06f-f263-4c1f-becb-90deb8c2d9ff

WARNING: The provided service principal secret will be included in the 'AzureRmContext.json' file found in the user profile ( C:\Users\artis\.Azure ). Please ensure that this directory has appropriate protections.

Account                              SubscriptionName TenantId                             Environment
-------                              ---------------- --------                             -----------
eccf917e-14e5-4493-b2b7-808444e4e890                  65e4e06f-f263-4c1f-becb-90deb8c2d9ff AzureCloud

PS C:\repo\DSO\DSO\DSO> Import-AzBlueprintWithArtifact -Name $env:BPNAME -InputPath "$($env:SYSTEM_DEFAULTWORKINGDIRECTORY)$($env:BLUEPRINTLOCATION)" -Force -ManagementGroupID $env:MANAGEMENTGROUPID 

Import-AzBlueprintWithArtifact: Object reference not set to an instance of an object.

Alex Frankel · Answer 1 · Tue Dec 15 2020 00:25:44 GMT+0800 (China Standard Time)

Would you say the issue is with Connect-AzAccount or with Import-AzBlueprintWithArtifact?

GSA · Answer 2 · Tue Dec 15 2020 00:37:03 GMT+0800 (China Standard Time)

I would say issue with Import-AzBlueprintArtifact since if there are no subscriptions inside MG you still shall be able to deploy artifact to MG

GSA · Answer 3 · Tue Dec 15 2020 01:11:08 GMT+0800 (China Standard Time)

Do you know if -Whatif will ever be implemented properly for blueprints? I imagine that information shall be available if all ARM artifacts are rung with -Whatif on backplane.

Alex Frankel · Answer 4 · Tue Dec 15 2020 01:13:22 GMT+0800 (China Standard Time)

Given the planned migration from blueprints to templateSpecs and deployment stacks, we won't be implementing what-if for the current blueprint APIs. WhatIf already works for templateSpec-based deployments and it will also be supported for stacks.

Alex Frankel · Answer 5 · Tue Dec 15 2020 01:14:30 GMT+0800 (China Standard Time)

Is the SPN/context issue blocking? or is it possible to give limited access to a sub as a workaround? The reason I ask is because given the migration, this is a fix we'd like to avoid if possible.

GSA · Answer 6 · Tue Dec 15 2020 01:15:46 GMT+0800 (China Standard Time)

It's not blocking, just as you can see several people run into that. Proving IAM permissions is sufficient to workaround.