I have created a service principal on Azure with contributor permissions, and pasted it in GitHub secrets.
Then, I created my workflow in .github.workflow directory in the project. I am trying to create the resources I need on Azure using Azure CLI commands in a GitHub action. I want to create a resource group, ML workspace, compute cluster, upload a dataset, then run an ML job.
Once I check the logs on the GitHub repo -> Actions, I get the following message:
```
Run az ml workspace create --name "workspace_name" --resource-group "resource_group_name"
Class ManagedNetwork: This is an experimental class, and may change at any time. Please see https://aka.ms/azuremlexperimental for more information.
ERROR: (InvalidTemplateDeployment) Deployment failed with multiple errors: 'Authorization failed for template resource 'DeployResourceGroup-000000' of type 'Microsoft.Resources/deployments'. The client '00000' with object id '00000/deployments/write' at scope '/subscriptions/00000/providers/Microsoft.Resources/deployments/DeployResourceGroup-00000'.:Authorization failed for template resource 'DeployLogWorkspace-00000' of type 'Microsoft.Resources/deployments'. The client '00000' with object id '00000' does not have permission to perform action 'Microsoft.Resources/deployments/write' at scope '/subscriptions/0000/resourceGroups/DefaultResourceGroup-francecentral/providers/Microsoft.Resources/deployments/DeployLogWorkspace-000000'.'
Message: Deployment failed with multiple errors: 'Authorization failed for template resource 'DeployResourceGroup-000000' of type 'Microsoft.Resources/deployments'. The client '00000' with object id '00000' does not have permission to perform action 'Microsoft.Resources/deployments/write' at scope '/subscriptions/0000/providers/Microsoft.Resources/deployments/DeployResourceGroup-000000'.:Authorization failed for template resource 'DeployLogWorkspace-000000' of type 'Microsoft.Resources/deployments'. The client '00000' with object id '00000' does not have permission to perform action 'Microsoft.Resources/deployments/write' at scope '/subscriptions/00000/resourceGroups/DefaultResourceGroup-francecentral/providers/Microsoft.Resources/deployments/DeployLogWorkspace-000000'.'
```
Here are the YAML file details:
```yaml
name: Manually trigger an Azure Machine Learning job

on:
  workflow_dispatch:
    inputs:
      resource_group:
        description: resource group name
        required: true
        default: def_resource_group
        type: string
      region:
        description: region of resource group
        required: true
        default: francecentral
        type: string
      workspace:
        description: workspace name
        required: true
        default: workspace2
        type: string
      instance_name:
        description: compute instance name
        required: true
        default: def-cluster
        type: string

jobs:
  build_env_and_train:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repo
        uses: actions/checkout@main
      - name: Install az ml extension
        run: az extension add -n ml -y
      - name: Azure login
        uses: azure/login@v1
        with:
          creds: ${{secrets.AZURE_CREDENTIALS}}
      - name: create a resource group on Azure
        uses: Azure/CLI@v1
        with:
          inlineScript: |
            #!/bin/bash
            if $(az group exists --name ${{ github.event.inputs.resource_group }}) ; then
              echo "Azure resource group already exists, skipping creation..."
            else
              az group create --name ${{ github.event.inputs.resource_group }} --location ${{ github.event.inputs.region }}
              az configure --defaults group=${{ github.event.inputs.resource_group }}
              echo "Azure resource group created"
            fi
            if $(az workspace exists --name ${{ github.event.inputs.workspace }}); then
              echo "workspace already exists with this name"
            else
              az ml workspace create --name ${{ github.event.inputs.workspace }}
              az configure --defaults workspace=${{ github.event.inputs.workspace }}
              echo "done! workspace is created"
            fi
```
It seems to be a syntax problem (from the error name). However, I looked for examples online and copy-pasted their workflow YAML file and it gave me the same issue.
Note0: Azure login works.
Note1: The same command works from my terminal (but my terminal is root user so no permission issues I guess).
Note2: When I create the resource group then the ML workspace from the Azure platform, I can successfully run the workflow file to create a compute cluster, upload a dataset, and run an ML job (everything works except creating the resource group or ML workspace).
I would appreciate your help in this matter!
Please let me know if something else is needed to debug this issue.
Thanks
2 Answers
A Microsoft DevOps engineer helped me fix the issue. It was the scope of the service principal; it should be at the subscription level to be able to deploy a resource group or ML workspace.
Cheers
I tried to create a resource group and Machine Learning workspace with the GitHub workflow by using an Azure service principal.
Azure RBAC (role-based access control) has these scopes, in order:
Management group > Subscription > Resource group > Resources.
As you need to create a new resource group, the service principal should have at least the Contributor role assigned at the subscription level. If you already have a resource group created and want to create a new Machine Learning workspace, you can assign the service principal a role scoped at the existing resource group.
Refer to the MS Document here to learn about the above RBAC concepts and scopes.
I tried creating a resource group and Machine Learning workspace with a GitHub action using the Azure CLI task and it failed with the same error, as the service principal used in the GitHub action secrets did not have a role assigned at the subscription level, so while creating the new resource group, the task failed. Refer below:-
I created a new service principal and assigned it a Contributor role at the subscription level, like below:-
Command:-
I have referred the below command from this MS Document:-
Output:-
Role assigned in Portal:-
Ran the Workflow like below:-
And the resource group with Machine Learning workspace got created successfully:-
Code:-
I have referred this MS Document to create the below ML Workspace with Github actions:-
Output:-
Portal:-
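The scope rule both answers rely on, as an added example that is not part of the original posts: it checks whether a service principal's role-assignment scopes cover the two deployment scopes quoted in the error message. The function names, the `APP_ID` variable and the sample assignments are assumptions made for illustration, and only the scope is checked, not the role's permitted actions.

```bash
# Added example (not from the original posts). Scope-only check: assumes the
# assigned role (e.g. Contributor) already allows deployments/write.

# scope_covers ASSIGNMENT_SCOPE TARGET_SCOPE
# RBAC assignments are inherited downward, so an assignment applies when the
# target equals its scope or sits beneath it on a path-segment boundary.
# Management-group scopes cannot be resolved from the string alone.
scope_covers() {
  _a=$(printf '%s' "${1%/}" | tr '[:upper:]' '[:lower:]')  # scopes are case-insensitive
  _t=$(printf '%s' "${2%/}" | tr '[:upper:]' '[:lower:]')
  if [ -z "$_a" ]; then return 0; fi                       # root scope "/"
  case "$_t" in
    "$_a"|"$_a"/*) return 0 ;;
  esac
  return 1
}

# uncovered_targets ASSIGNED_SCOPES TARGET_SCOPES (both newline-separated)
# Prints every target scope that no assignment covers.
uncovered_targets() {
  printf '%s\n' "$2" | while IFS= read -r _target; do
    [ -n "$_target" ] || continue
    _hit=no
    while IFS= read -r _scope; do
      if [ -n "$_scope" ] && scope_covers "$_scope" "$_target"; then _hit=yes; fi
    done <<EOF
$1
EOF
    [ "$_hit" = yes ] || printf '%s\n' "$_target"
  done
}

# Deployment scopes taken from the error message (subscription id redacted as 0000).
TARGETS="/subscriptions/0000/providers/Microsoft.Resources/deployments/DeployResourceGroup-000000
/subscriptions/0000/resourceGroups/DefaultResourceGroup-francecentral/providers/Microsoft.Resources/deployments/DeployLogWorkspace-000000"

# Constructed assignments. For a real principal, list them with:
#   az role assignment list --assignee "$APP_ID" --all --query "[].scope" -o tsv
RG_SCOPED="/subscriptions/0000/resourceGroups/def_resource_group"
SUB_SCOPED="/subscriptions/0000"

echo "Uncovered with resource-group scope:"
uncovered_targets "$RG_SCOPED" "$TARGETS"
echo "Uncovered with subscription scope:"
uncovered_targets "$SUB_SCOPED" "$TARGETS"
```

With the resource-group-scoped assignment both deployments are reported as uncovered, because one targets the subscription itself and the other targets `DefaultResourceGroup-francecentral`, a different resource group from the one the role was scoped to.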