inherited ownership of azure subscription from parent management group is not recognized
daryltanwk opened this issue
Bug Report
Reported Behavior
When attempting to run rover plan for the launchpad subscription, an error is displayed:
No launchpad found.
Deploying from scratch the launchpad
@calling initialize_state
Checking required permissions
@Checking if current user (object_id: ) is Owner of the subscription - only for launchpad
WARNING: The underlying Active Directory Graph API will be replaced by Microsoft Graph API in a future version of Azure CLI. Please carefully review all breaking changes introduced during this migration: https://docs.microsoft.com/cli/azure/microsoft-graph-migration
Error on or near line 309: the current account must have Owner privilege on the subscription to deploy launchpad.; exiting with status 2
Expected Behavior
The rover command should execute successfully.
Reproduction
Steps to reproduce or witness the behavior:
- Create a Management Group and set ownership to the User
- Place a subscription inside the MG
- Attempt deployment of the launchpad via rover
- See error
- Explicitly set the User as the Owner of the subscription object
- Attempt deployment with no other changes
- Command executes successfully
Suggestions
Do you have any suggestions how to address this bug?
Modify permission validation checks from rover to also allow inherited ownership from parent management groups
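One way the Owner check could honour assignments inherited from a parent management group, as an added example and not rover's own code: it assumes Azure CLI with the az role assignment list --include-inherited and --include-groups flags and an existing az login session, and it treats any Owner assignment at the subscription, at an ancestor management group, or at the tenant root "/" as sufficient.

```shell
#!/usr/bin/env bash
# Added example (not rover's code): check Owner on a subscription while
# counting assignments inherited from parent management groups.
set -eu

# Reads assignment scopes from stdin, one per line (as produced by
# `az role assignment list ... --query "[].scope" -o tsv`), and succeeds if
# any of them grants Owner at or above the subscription. Scopes below the
# subscription (resource groups, resources) are deliberately not counted.
owner_scope_covers_subscription() {
  local subscription_id="$1"
  local scope
  while IFS= read -r scope; do
    case "$scope" in
      "/subscriptions/${subscription_id}") return 0 ;;                   # direct assignment
      /providers/Microsoft.Management/managementGroups/*) return 0 ;;    # inherited from an MG
      /) return 0 ;;                                                     # tenant root scope
    esac
  done
  return 1
}

# Live check against Azure: list Owner assignments that apply to the
# signed-in principal on the subscription, including inherited ones and
# those granted through group membership, then evaluate their scopes.
check_owner_with_inheritance() {
  local subscription_id="$1"
  local object_id
  # Older Azure CLI versions expose this field as objectId instead of id.
  object_id="$(az ad signed-in-user show --query id -o tsv)"
  az role assignment list \
    --scope "/subscriptions/${subscription_id}" \
    --assignee "$object_id" \
    --include-inherited \
    --include-groups \
    --query "[?roleDefinitionName=='Owner'].scope" -o tsv \
  | owner_scope_covers_subscription "$subscription_id"
}
```

Calling check_owner_with_inheritance SUBSCRIPTION_ID returns 0 when Owner is held directly or through a parent management group, and 1 otherwise.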
The API we are using does not give the effective permission on the subscription when it has been assigned to the management group.
For now, I suggest you add the following tag to your rover command to skip the verification step:
--skip-permission-check
Closing as answer provided.
Given that --skip-permission-check is currently only checked as a launchpad, doesn't it make sense to have this check by default in shell scripts as well?