
I'm attempting for the first time to create an ARM template using Azure and GitHub Actions. I followed all the steps to create a service principal and assign the GitHub Contributor role.

I created my first template with the goal of logging into Azure (which worked) and creating a storage account, which failed due to an Authorization failed error. This is the warning I get:

Warning: ERROR: "code": "AuthorizationFailed", "message": "The client '3b1f7136-28ea-48bf-8cde-9417317fa987' with object id '3b1f7136-28ea-48bf-8cde-9417317fa987' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/' or the scope is invalid. If access was recently granted, please refresh your credentials."

The reason why it is failing is obvious; however, what is not obvious is how to fix it. The GitHub role is currently assigned to a resource group; does it need to be assigned to the subscription as well? If yes, how do I assign it at the subscription level?

I tried to figure out a way to assign the role to the subscription.

Fred
  • This was super helpful, thank you so much. Also, is it possible to deploy resource groups using GitHub Actions? Here's the syntax I'm using:

        name: Deploy Resource Group rg-githubactions
        uses: azure/arm-deploy@v1
        with:
          scope: subscription
          subscriptionId: ${{ secrets.AZURE_CREDENTIALS }}
          region: uksouth
          resourceGroupName: rg-githubActions
          template: ./arm-template/resourcegroup.json
          deploymentName: rg-githubactions

    – Fred Apr 08 '23 at 09:05
  • You can directly create a resource group while generating your secrets and reference it in your YML script as mentioned in this document:- https://learn.microsoft.com/en-us/training/modules/deploy-templates-command-line-github-actions/7-exercise-github-actions [Create the service principal section], and if you want to create a resource group in your ARM template itself, refer to the answers in this SO link- https://stackoverflow.com/questions/47670797/azure-arm-template-create-resource-group – SiddheshDesai Apr 10 '23 at 04:41

1 Answer

I deployed an Azure Storage account with a service principal and GitHub Actions like below:-

My git repo:-


I used the command below from this link - Deploy Resource Manager templates by using GitHub Actions - Azure Resource Manager | Microsoft Learn - to create a service principal with the RBAC Contributor role assigned at the subscription level:-

Command:-

az ad sp create-for-rbac --name "myML" --role contributor \
  --scopes /subscriptions/ \
  --sdk-auth

Output:-


I copied the JSON output into my GitHub Actions secrets like below:-

I used the below ARM Template to create a Storage account:-

azuredeploy.json

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.13.1.58284",
      "templateHash": "13120038605368246703"
    }
  },
  "parameters": {
    "storageAccountType": {
      "type": "string",
      "defaultValue": "Standard_LRS",
      "allowedValues": [
        "Premium_LRS",
        "Premium_ZRS",
        "Standard_GRS",
        "Standard_GZRS",
        "Standard_LRS",
        "Standard_RAGRS",
        "Standard_RAGZRS",
        "Standard_ZRS"
      ],
      "metadata": {
        "description": "Storage Account type"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "The storage account location."
      }
    },
    "storageAccountName": {
      "type": "string",
      "defaultValue": "[format('store{0}', uniqueString(resourceGroup().id))]",
      "metadata": {
        "description": "The name of the storage account"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "[parameters('storageAccountType')]"
      },
      "kind": "StorageV2",
      "properties": {}
    }
  ],
  "outputs": {
    "storageAccountName": {
      "type": "string",
      "value": "[parameters('storageAccountName')]"
    },
    "storageAccountId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
    }
  }
}

Reference for the above code:-

https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.storage/storage-account-create/azuredeploy.json

My YML script for the GitHub Action:-

Replace the resource group name with the existing resource group where you want to create your storage account.

main.yml

on: [push]
name: Azure ARM
jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:

      # Checkout code
      - uses: actions/checkout@main

      # Log into Azure
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # Deploy ARM template (the id is what the last step references as steps.deploy)
      - name: Deploy ARM template
        id: deploy
        uses: azure/arm-deploy@v1
        with:
          subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
          resourceGroupName: siliconrg
          template: ./azuredeploy.json
          parameters: storageAccountType=Standard_LRS

      # Output the storageAccountName value from the template's outputs
      - run: echo ${{ steps.deploy.outputs.storageAccountName }}

The GitHub Action ran successfully like below:-

And storage account got created in Azure Portal:-


References:-

Exercise - Deploy ARM templates as part of your CI/CD efforts with GitHub Actions - Training | Microsoft Learn

SiddheshDesai
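An added check, not part of the question or the answer, that models why a Contributor assignment on a resource group does not satisfy a deployment validated at subscription scope: Azure RBAC assignments apply to the assigned scope and its children, never to a parent scope. The error message, the subscription id and the simplified Contributor definition below are constructed for the example; in practice the assignments would be read from `az role assignment list --assignee <appId> --all`.

```python
import re
from fnmatch import fnmatch

# Constructed AuthorizationFailed message in the shape the question shows
# (the GUIDs are placeholders, not real ids).
SAMPLE_ERROR = (
    "The client '00000000-0000-0000-0000-000000000000' with object id "
    "'00000000-0000-0000-0000-000000000000' does not have authorization to perform "
    "action 'Microsoft.Resources/deployments/validate/action' over scope "
    "'/subscriptions/11111111-1111-1111-1111-111111111111' or the scope is invalid."
)

# Simplified view of the built-in Contributor role: everything except the
# role-management actions listed under NotActions (hard-coded for offline use).
CONTRIBUTOR = {
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Delete",
                   "Microsoft.Authorization/*/Write",
                   "Microsoft.Authorization/elevateAccess/Action"],
}

def parse_auth_error(message):
    """Extract the denied action and the requested scope from the error text."""
    m = re.search(r"perform action '([^']+)' over scope '([^']+)'", message)
    if not m:
        raise ValueError("not an AuthorizationFailed message")
    return m.group(1), m.group(2)

def scope_covers(assignment_scope, requested_scope):
    """True if the requested scope is the assignment scope or one of its children.
    Scopes are compared case-insensitively, segment by segment."""
    a = assignment_scope.lower().rstrip("/").split("/")
    r = requested_scope.lower().rstrip("/").split("/")
    return r[:len(a)] == a

def role_allows(role, action):
    """Actions are wildcard patterns; a matching NotActions entry subtracts the permission."""
    allowed = any(fnmatch(action.lower(), p.lower()) for p in role["Actions"])
    denied = any(fnmatch(action.lower(), p.lower()) for p in role["NotActions"])
    return allowed and not denied

def is_authorized(assignments, action, requested_scope):
    """assignments: list of (role_definition, scope) pairs for the service principal."""
    return any(scope_covers(scope, requested_scope) and role_allows(role, action)
               for role, scope in assignments)

def diagnose(assignments, message):
    """Would the given assignments have satisfied the request the error describes?"""
    action, scope = parse_auth_error(message)
    return is_authorized(assignments, action, scope)
```

Running `diagnose` with Contributor assigned only on a resource group returns False for the subscription-scoped validate action, and True once the same role is assigned at the subscription; the check also shows the NotActions carve-out, which is why Contributor cannot create further role assignments.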