I’ve run out of ideas here.
I’ve got TF code that creates a certificate and drops it into a keyvault with Azure DNS authorization. This code works fine when run from my desktop using az login as the service principal the DevOps pipeline runs as.
The DNS zones are in a different subscription that the Service Principal doesn’t have access to, but I’m passing SP credentials that do in the config block of the acme_certificate azure section. Again, this code works fine when run from my desktop.
However, when run from a DevOps pipeline I get the following:
- azure: dns.ZonesClient#Get: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="ResourceGroupNotFound" Message="Resource group '' could not be found."
This is not dissimilar to this post, but there doesn’t appear to be a resolution there.
This smells like a permissions issue, like the SP the pipeline runs as is being used to try and read the resource group and zone details from the DNS subscription; however, I’ve tried giving it Contributor permissions to it and that doesn’t help. Also, without those permissions it runs fine on my desktop after logging in as that service principal.
The only other piece of useful information I’ve been able to find is that when I get the above error it does not record a login of the Service Principal user that’s being passed in the config block. When running it from my desktop it does (but it works then too). I would expect it to be trying to use the client ID and secret provided in the config block to read the DNS resource group etc., but that doesn’t appear to be the case.
Does anyone have any ideas?