JENKINS-60337

Can't use image gallery with managed identity


      Hi

      I'm trying to use a "User assigned managed identity" for all authentication with Jenkins.

      This plugin appears to support it; I even borrowed code from it for the azure-keyvault-plugin: https://github.com/jenkinsci/azure-keyvault-plugin/pull/27

      But when I try to use my image gallery (in a different subscription, if that matters, but it has contributor on that subscription), I get a not found error:

      "The target gallery image does not exist"

      I added debug code to the "AzureVMManagementServiceDelegate"

      It's failing with this exception:

      2019-12-01 22:56:18.358+0000 [id=130]	INFO	c.m.a.v.AzureVMManagementServiceDelegate#verifyVirtualMachineImage: Exception when looking up gallery
      rx.exceptions.OnErrorThrowable$OnNextValue: OnError while emitting onNext value: null
      	at rx.exceptions.OnErrorThrowable.addValueAsLastCause(OnErrorThrowable.java:118)
      	at rx.internal.operators.OnSubscribeMap$MapSubscriber.onNext(OnSubscribeMap.java:73)
      Caused: java.lang.NullPointerException
      	at com.microsoft.azure.management.compute.implementation.GalleryImageVersionImpl.<init>(GalleryImageVersionImpl.java:50)
      	at com.microsoft.azure.management.compute.implementation.GalleryImageVersionsImpl.wrapModel(GalleryImageVersionsImpl.java:42)
      	at com.microsoft.azure.management.compute.implementation.GalleryImageVersionsImpl.access$000(GalleryImageVersionsImpl.java:24)
      	at com.microsoft.azure.management.compute.implementation.GalleryImageVersionsImpl$4.call(GalleryImageVersionsImpl.java:84)
      	at com.microsoft.azure.management.compute.implementation.GalleryImageVersionsImpl$4.call(GalleryImageVersionsImpl.java:81)
      	at rx.internal.operators.OnSubscribeMap$MapSubscriber.onNext(OnSubscribeMap.java:69)
      	at rx.internal.operators.OnSubscribeMap$MapSubscriber.onNext(OnSubscribeMap.java:77)
      	at rx.internal.operators.OperatorMerge$MergeSubscriber.emitScalar(OperatorMerge.java:511)
      	at rx.internal.operators.OperatorMerge$MergeSubscriber.tryEmit(OperatorMerge.java:466)
      	at rx.internal.operators.OperatorMerge$MergeSubscriber.onNext(OperatorMerge.java:244)
      	at rx.internal.operators.OperatorMerge$MergeSubscriber.onNext(OperatorMerge.java:148)
      	at rx.internal.operators.OnSubscribeMap$MapSubscriber.onNext(OnSubscribeMap.java:77)
      	at retrofit2.adapter.rxjava.CallArbiter.deliverResponse(CallArbiter.java:120)
      	at retrofit2.adapter.rxjava.CallArbiter.emitResponse(CallArbiter.java:102)
      	at retrofit2.adapter.rxjava.CallExecuteOnSubscribe.call(CallExecuteOnSubscribe.java:46)
      	at retrofit2.adapter.rxjava.CallExecuteOnSubscribe.call(CallExecuteOnSubscribe.java:24)
      	at rx.Observable.unsafeSubscribe(Observable.java:10327)
      	at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
      	at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
      	at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
      	at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
      	at rx.Observable.unsafeSubscribe(Observable.java:10327)
      	at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
      	at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
      	at rx.Observable.unsafeSubscribe(Observable.java:10327)
      	at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
      	at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
      	at rx.Observable.unsafeSubscribe(Observable.java:10327)
      	at rx.internal.operators.DeferredScalarSubscriber.subscribeTo(DeferredScalarSubscriber.java:153)
      	at rx.internal.operators.OnSubscribeTakeLastOne.call(OnSubscribeTakeLastOne.java:32)
      	at rx.internal.operators.OnSubscribeTakeLastOne.call(OnSubscribeTakeLastOne.java:22)
      	at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
      	at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
      	at rx.Observable.subscribe(Observable.java:10423)
      	at rx.Observable.subscribe(Observable.java:10390)
      	at rx.observables.BlockingObservable.blockForSingle(BlockingObservable.java:443)
      	at rx.observables.BlockingObservable.last(BlockingObservable.java:226)
      	at com.microsoft.azure.management.compute.implementation.GalleryImageVersionsImpl.getByGalleryImage(GalleryImageVersionsImpl.java:91)
      	at com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate.verifyVirtualMachineImage(AzureVMManagementServiceDelegate.java:2294)
      	at com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate$4.call(AzureVMManagementServiceDelegate.java:2101)
      	at com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate$4.call(AzureVMManagementServiceDelegate.java:2097)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at java.lang.Thread.run(Thread.java:748)
      

      In the vm agents plugin it is this line that triggers the exception:
      https://github.com/jenkinsci/azure-vm-agents-plugin/blob/8bb8638abbf257824afdf13a9d7b5d3d15bf7347/src/main/java/com/microsoft/azure/vmagent/AzureVMManagementServiceDelegate.java#L2293

      I've manually run the API calls that the Java SDK is using and they work fine:

      az login --identity
      TOKEN=$(az account get-access-token -o tsv --query accessToken)
      curl -H "Authorization: Bearer ${TOKEN}" "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Compute/galleries/cnpimagegallery/images/jenkins-agent/versions/1.2.1?api-version=2018-06-01"
      

            jieshe Jie Shen
            timja Tim Jacomb
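
A check that can accompany the manual API test in the report (added example, not part of the original report or the plugin's code): it decodes the bearer token's claims to confirm the token is for Azure Resource Manager and belongs to the intended managed identity. The sample token, the object ID and the function names are constructed for illustration; accepting the three listed `aud` values is an assumption about what ARM tokens carry.

```shell
# Added example: inspect the claims of the token used in the curl call.
# Claims are decoded WITHOUT signature verification: a debugging aid only,
# never a basis for an authorization decision.

b64url_encode() {   # only used to build the constructed sample token
  printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'
}

b64url_decode() {   # JWT segments are base64url with '=' padding stripped
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

jwt_claim() {       # $1 = token, $2 = name of a top-level string claim
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" |
    sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

check_arm_token() { # $1 = token, $2 = expected principal object ID
  aud=$(jwt_claim "$1" aud)
  oid=$(jwt_claim "$1" oid)
  case "$aud" in
    https://management.azure.com|https://management.azure.com/|https://management.core.windows.net/) ;;
    *) echo "unexpected audience: $aud" >&2; return 1 ;;
  esac
  if [ "$oid" != "$2" ]; then
    echo "token belongs to $oid, expected $2" >&2
    return 1
  fi
  echo "token is for ARM and principal $oid"
}

sample_token() {    # constructed token, not a real credential
  h=$(b64url_encode '{"alg":"RS256","typ":"JWT"}')
  p=$(b64url_encode '{"aud":"https://management.azure.com/","oid":"11111111-2222-3333-4444-555555555555"}')
  printf '%s.%s.constructed-signature' "$h" "$p"
}

# With a real token: check_arm_token "$TOKEN" "<principal-object-id>"
check_arm_token "$(sample_token)" "11111111-2222-3333-4444-555555555555"
```

If the object ID printed here differs from the identity configured in Jenkins, the manual curl test and the plugin are not authenticating as the same principal.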