Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

az vnet peering create no longer works cross-tenant #16691

Closed
mvzink opened this issue Jan 27, 2021 · 7 comments · Fixed by #16797
Closed

az vnet peering create no longer works cross-tenant #16691

mvzink opened this issue Jan 27, 2021 · 7 comments · Fixed by #16797
Assignees
@msyyc
Labels
feature-request Network az network vnet/lb/nic/dns/etc... OKR3.2 Candidate
Milestone
S186

Comments

@mvzink
Copy link

mvzink commented Jan 27, 2021

Describe the bug

Command Name
az network vnet peering create

Errors:

ForbiddenError: (LinkedAuthorizationFailed) The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '/subscriptions/$SECONDARY_SUBSCRIPTION/resourceGroups/mzink-test/providers/Microsoft.Network/virtualNetworks/mzink-test-vnet/virtualNetworkPeerings/mzink-test-vnet-to-mzink-vnet', however the current tenant '$SECONDARY_TENANT' is not authorized to access linked subscription '$PRIMARY_SUBSCRIPTION'.

To Reproduce:

  • Give a user in $SECONDARY_TENANT the Network Contributor role on a Virtual Network ($PRIMARY_VNET_ID) that lives in $PRIMARY_SUBSCRIPTION within $PRIMARY_TENANT.
  • Log in to both tenants as the user from the secondary tenant:
    • az login -t $PRIMARY_TENANT
    • az login -t $SECONDARY_TENANT
  • az network vnet peering create --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit -n secondary-to-primary --remote-vnet $PRIMARY_VNET_ID -g $SECONDARY_VNET_RG --vnet-name $SECONDARY_VNET_NAME --subscription $SECONDARY_SUBSCRIPTION

Expected Behavior

The VNet peering should be created. This was the case when using v2.12 of the CLI.

Environment Summary

Linux-5.4.0-58-generic-x86_64-with-debian-buster-sid
Python 3.6.10
Installer: DEB

azure-cli 2.18.0

Additional Context

The same also happens when attempting the reverse direction (primary VNet -> secondary VNet peering), with the error output showing the inverse IDs.

We have also developed on v2.17 of the CLI, which produces this same error, and v2.16, which instead produced a BadRequestError. Between all four versions (including v2.12 which does not error and successfully creates the peering) the only differences I could see when running with --verbose --debug were:

  1. the ordering of the JSON body fields
  2. the API version (2020-06-01 for v2.12, then 2020-07-01 for v2.16+)

I tried testing all combinations (old API version & old ordering, new API version & old ordering, etc.) on both v2.12 and v2.17 using the az rest command, and got the new LinkedAuthorizationFailed error in all cases.
@ghost ghost added needs-triage This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jan 27, 2021
@yonzhan yonzhan added the Network az network vnet/lb/nic/dns/etc... label Jan 28, 2021
@ghost ghost removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Jan 28, 2021
@yonzhan yonzhan removed the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Jan 28, 2021
@yonzhan yonzhan added this to the S183 milestone Jan 28, 2021
@yonzhan
Copy link
Collaborator

yonzhan commented Jan 28, 2021

network

@msyyc
Copy link
Member

msyyc commented Feb 1, 2021
edited
Loading

I’m trying to repro the problem. If any useful message, we will let you know.
FYI.

@msyyc
Copy link
Member

msyyc commented Feb 1, 2021

Please give more detailed steps to reproduce the problem like:
(1)az ...
(2)az ...
(3)az ...
...
(N) az ...

@jsntcy
Copy link
Member

jsntcy commented Feb 1, 2021

@jiasli, any insights on this issue?

@jiasli
Copy link
Member

jiasli commented Feb 1, 2021

Followed the tutorial Create peering - Azure CLI and I am able to reproduce:

az login

subA="414af076-009b-4282-9a0a-acf75bcb037e"
subB="0b1f6471-1bf0-4dda-aec3-cb9272f09590"

# Switch to subscription A
az account set -s $subA

# Create resource group A
az group create --name myResourceGroupA --location eastus

# Create virtual network A
az network vnet create --name myVnetA --resource-group myResourceGroupA --location eastus --address-prefix 10.0.0.0/16


# Switch to subscription B
az account set -s $subB

# Create resource group B
az group create --name myResourceGroupB --location eastus

# Create virtual network B
az network vnet create --name myVnetB --resource-group myResourceGroupB --location eastus --address-prefix 10.1.0.0/16


# Switch to subscription A
az account set -s $subA

# Peer myVNetA to myVNetB
az network vnet peering create --name myVnetAToMyVnetB --resource-group myResourceGroupA --vnet-name myVnetA --remote-vnet /subscriptions/$subB/resourceGroups/myResourceGroupB/providers/Microsoft.Network/VirtualNetworks/myVnetB --allow-vnet-access --debug

azure.core.pipeline.policies._universal: Request URL: 'https://management.azure.com/subscriptions/414af076-009b-4282-9a0a-acf75bcb037e/resourceGroups/myResourceGroupA/providers/Microsoft.Network/virtualNetworks/myVnetA/virtualNetworkPeerings/myVnetAToMyVnetB?api-version=2020-07-01'
azure.core.pipeline.policies._universal: Request method: 'PUT'
azure.core.pipeline.policies._universal: Request headers:
azure.core.pipeline.policies._universal:     'Content-Type': 'application/json'
azure.core.pipeline.policies._universal:     'Accept': 'application/json'
azure.core.pipeline.policies._universal:     'Content-Length': '485'
azure.core.pipeline.policies._universal:     'x-ms-client-request-id': '8901a934-6471-11eb-9a33-84a93e63aa78'
azure.core.pipeline.policies._universal:     'CommandName': 'network vnet peering create'
azure.core.pipeline.policies._universal:     'ParameterSetName': '--name --resource-group --vnet-name --remote-vnet --allow-vnet-access --debug'
azure.core.pipeline.policies._universal:     'User-Agent': 'AZURECLI/2.18.0 (MSI) azsdk-python-azure-mgmt-network/17.0.0 Python/3.6.8 (Windows-10-10.0.19041-SP0)'
azure.core.pipeline.policies._universal:     'Authorization': '*****'
azure.core.pipeline.policies._universal: Request body:
azure.core.pipeline.policies._universal: {"id": "/subscriptions/414af076-009b-4282-9a0a-acf75bcb037e/resourceGroups/myResourceGroupA/providers/Microsoft.Network/virtualNetworks/myVnetA", "name": "myVnetAToMyVnetB", "properties": {"allowVirtualNetworkAccess": true, "allowForwardedTraffic": false, "allowGatewayTransit": false, "useRemoteGateways": false, "remoteVirtualNetwork": {"id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/myResourceGroupB/providers/Microsoft.Network/VirtualNetworks/myVnetB"}}}

The request header x-ms-authorization-auxiliary is missing due to a limitation of Track 2 SDK (Azure/azure-sdk-for-python#8313), #15750 adopted a workaround to manually insert x-ms-authorization-auxiliary.

    return client.gallery_image_versions.begin_create_or_update(
        ...
        headers={'x-ms-authorization-auxiliary': external_bearer_token}
    )

We need to synchronize with SDK owner to support external_credential.

@jiasli
Copy link
Member

jiasli commented Feb 1, 2021
edited
Loading

Workaround with az rest

Use az rest to directly invoke Virtual Network Peerings - Create Or Update REST API.

x-ms-authorization-auxiliary: Bearer <external_tenant_access_token> header is manually added.

# Switch to subscription A
az account set -s $subA

# Get access token of subscription B
tokenB=$(az account get-access-token --subscription $subB --query accessToken --output tsv)

# Create peering from myVnetA to myVnetB
az rest --method PUT --url "https://management.azure.com/subscriptions/$subA/resourceGroups/myResourceGroupA/providers/Microsoft.Network/virtualNetworks/myVnetA/virtualNetworkPeerings/myVnetAToMyVnetB?api-version=2020-07-01" --headers "x-ms-authorization-auxiliary=Bearer $tokenB" --body "{\"id\": \"/subscriptions/$subA/resourceGroups/myResourceGroupA/providers/Microsoft.Network/virtualNetworks/myVnetA\", \"name\": \"myVnetAToMyVnetB\", \"properties\": {\"allowVirtualNetworkAccess\": true, \"allowForwardedTraffic\": false, \"allowGatewayTransit\": false, \"useRemoteGateways\": false, \"remoteVirtualNetwork\": {\"id\": \"/subscriptions/$subB/resourceGroups/myResourceGroupB/providers/Microsoft.Network/VirtualNetworks/myVnetB\"}}}"

# View the peering state of myVnetA
az network vnet peering list --resource-group myResourceGroupA --vnet-name myVnetA


# Switch to subscription B
az account set -s $subB

# Get access token of subscription A
tokenA=$(az account get-access-token --subscription $subA --query accessToken --output tsv)

# Create peering from myVnetB to myVnetA
az rest --method PUT --url "https://management.azure.com/subscriptions/$subB/resourceGroups/myResourceGroupB/providers/Microsoft.Network/virtualNetworks/myVnetB/virtualNetworkPeerings/myVnetBToMyVnetA?api-version=2020-07-01" --headers "x-ms-authorization-auxiliary=Bearer $tokenA" --body "{\"id\": \"/subscriptions/$subB/resourceGroups/myResourceGroupB/providers/Microsoft.Network/virtualNetworks/myVnetB\", \"name\": \"myVnetBToMyVnetA\", \"properties\": {\"allowVirtualNetworkAccess\": true, \"allowForwardedTraffic\": false, \"allowGatewayTransit\": false, \"useRemoteGateways\": false, \"remoteVirtualNetwork\": {\"id\": \"/subscriptions/$subA/resourceGroups/myResourceGroupA/providers/Microsoft.Network/VirtualNetworks/myVnetA\"}}}"

# View the peering state of myVnetB
az network vnet peering list --resource-group myResourceGroupB --vnet-name myVnetB

@jiasli jiasli mentioned this issue Feb 4, 2021
Merged
@yonzhan yonzhan modified the milestones: S183 - For Ignite, S184 Feb 26, 2021
@yonzhan yonzhan modified the milestones: S184, S185 Mar 15, 2021
@yonzhan yonzhan modified the milestones: S185, S186 Apr 6, 2021
@jiasli jiasli mentioned this issue Feb 16, 2022
Merged
@nazakathussain nazakathussain mentioned this issue Mar 8, 2022
Open
Closed
@jiasli
Copy link
Member

jiasli commented Jul 13, 2023

Azure CLI core has supported cross-tenant authentication with Track 2 SDK in #16797.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@msyyc msyyc

Labels
feature-request Network az network vnet/lb/nic/dns/etc... OKR3.2 Candidate
Projects
None yet
Milestone
S186
Development

Successfully merging a pull request may close this issue.

[Core] Add workaround for cross-tenant authentication with Track 2 SDKs jiasli/azure-cli
5 participants
@mvzink @jiasli @jsntcy @yonzhan @msyyc