Should exclude storageProfile on VMSS update command request
See original GitHub issue
az feedback
auto-generates most of the information requested below, as of CLI version 2.0.62
Describe the bug
When a VMSS is created using Shared Image Gallery image from a different tenant, any VMSS update operation like az vmss update
or az vmss extension add
will fail at ARM linked access check. This is because the client CLI use won’t have permission in the SIG tenant.
The error message you see will be:
The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '{VMSS or VM resource ID}',
however the current tenant '{customer tenant ID}' is not authorized to access linked subscription '109a5e88-712a-48ae-9078-9ca8b3c81345'.
AKS recently rolled out a change to subset of customers to pilot using SIG image and discovered this issue.
To Reproduce
Create an AKS cluster in Australia / Canada region, in the node resource group (named MC_xxx) there will be a VMSS using SIG image. Try do any az vmss update
operation on it, or on the VM instance.
Expected behavior
VMSS update should succeed.
In order to make this scenario work, the update request body should only contain the relevant property changes (not the full VMSS properties body), or at least remove property “properties.virtualMachineProfile.storageProfile”.
Environment summary
Additional context
Issue Analytics
- State:
- Created 3 years ago
- Comments:10 (9 by maintainers)
Top GitHub Comments
currently PR in CLI side, while blocked by a VMSS service issue. When service deployment done, will merge CLI side change.
Thank you for reporting it.