Cannot locate the managed image resource group - Azure DevOps with Packer 1.8.2, Windows agent and using SPN for auth

Hi there,

I’ve been struggling for a number of days now to identify the root cause of my issue. I’m running an AzDo-based pipeline that performs:

  • Image Definition creation with Bicep
  • Installs Packer on the AzDo agent as an extension
  • Initialises Packer plugins from .hcl template for use later
  • Validates Packer template before use
  • Build Packer template

During the Packer template build step the build fails with the error:

Cannot locate the managed image resource group img-uks-cpss-glbl-ssv-plat-imggallery-rsg

The value is correct and is the intended value.

Having researched, I understand that this error can be related to the Azure permissions and that the SPN requires Contributor rights to the subscription. But I’ve used a slightly reduced policy set via a custom Azure RBAC role to follow the rule of least privileged access. As per the below:

This role is then assigned within my Azure compute gallery subscription and assigned to my service principal.

However, Packer still complains that it cannot see the resource group that I’m calling.

Here is the Packer HCL snippet of the template I’ve defined; the variable being pulled through is the expected value.

>   shared_image_gallery_destination {
>       subscription                        = var.gallery_subscription_id
>       resource_group                      = var.destination_gallery_resource_group
>       gallery_name                        = var.destination_gallery_name
>       image_name                          = "${local.destination_image_name}"
>       image_version                       = var.destination_image_version
>       replication_regions                 = [ "${var.destination_replication_regions}" ] 
>       storage_account_type                = "Standard_LRS"
>   }
>   managed_image_name                      = "${local.managed_image_name}"
>   managed_image_resource_group_name       = var.destination_gallery_resource_group
>   shared_image_gallery_replica_count      = 5
>   shared_gallery_image_version_end_of_life_date = timeadd(timestamp(),  "1440h")
> 
> # Image Variables for Destination Packer Image
>   image_offer                             = var.image_offer
>   image_publisher                         = var.image_publisher
>   image_sku                               = var.image_sku
>   image_version                           = "latest"
>   os_type                                 = var.os_type
>   vm_size                                 = var.vm_size
> 
>   build_resource_group_name               = var.build_resource_group_name
>   private_virtual_network_with_public_ip  = true
>   virtual_network_name                    = var.build_vnet
>   virtual_network_subnet_name             = var.build_subnet
>   virtual_network_resource_group_name     = var.build_resource_group_name
> 
> #  location                                = var.location
> #  async_resourcegroup_delete              = true

During testing I have also trialled two other SPNs. One with full Contributor access and the other with Owner access to the subscription. In both cases the same error presented. I’ve also deleted the resource group that homes the Azure compute gallery and rebuilt them.

Can anyone suggest some further areas of enquiry?

Many thanks
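
An added example, not part of the original post and not Packer's own code: a small offline model of Azure RBAC evaluation showing two ways a principal can fail to see a resource group, namely a custom role that omits the resource group read action, and a role assignment scoped to a different subscription from the one being queried. The role definitions and subscription IDs are constructed placeholders, and management group scopes are not modelled.

```python
import fnmatch

# Azure RBAC action needed to read (and therefore find) a resource group.
RG_READ = "Microsoft.Resources/subscriptions/resourceGroups/read"
GALLERY_SUB = "00000000-0000-0000-0000-000000000001"  # placeholder ID
BUILD_SUB = "00000000-0000-0000-0000-000000000002"    # placeholder ID
RG = "img-uks-cpss-glbl-ssv-plat-imggallery-rsg"      # name from the post

# Constructed role definitions (the post's real custom role is not shown).
GALLERY_ONLY = {"permissions": [{"actions": [
    "Microsoft.Compute/galleries/*", "Microsoft.Compute/images/*"]}]}
WITH_RG_READ = {"permissions": [{"actions": [
    "Microsoft.Compute/galleries/*", "Microsoft.Compute/images/*", RG_READ]}]}

def _matches(patterns, action):
    """Action patterns are case-insensitive and may contain '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_allows(role, action):
    """Effective permission per block: in actions and not in notActions."""
    return any(_matches(p.get("actions", []), action)
               and not _matches(p.get("notActions", []), action)
               for p in role["permissions"])

def scope_covers(scope, resource_id):
    """An assignment applies at its scope and to everything beneath it."""
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")

def can_locate_rg(assignments, subscription_id, rg_name):
    """True if any assignment grants RG_READ on this group in this subscription."""
    rg_id = f"/subscriptions/{subscription_id}/resourceGroups/{rg_name}"
    return any(scope_covers(a["scope"], rg_id) and role_allows(a["role"], RG_READ)
               for a in assignments)

if __name__ == "__main__":
    at_gallery_sub = f"/subscriptions/{GALLERY_SUB}"
    cases = [
        ("role without RG read, gallery subscription", GALLERY_ONLY, GALLERY_SUB),
        ("role with RG read, gallery subscription", WITH_RG_READ, GALLERY_SUB),
        ("role with RG read, other subscription", WITH_RG_READ, BUILD_SUB),
    ]
    for label, role, sub in cases:
        found = can_locate_rg([{"scope": at_gallery_sub, "role": role}], sub, RG)
        print(f"{label}: {'visible' if found else 'NOT visible'}")
```
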