ExternalVendorCode/onefuzz
1
0
Fork 0
mirror of https://github.com/microsoft/onefuzz.git synced 2025-06-15 19:38:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

work around AAD service principal race condition (#716)

Browse Source 
This works around an issue in AAD service principal creation.  The race condition in AAD shows up as:

```
INFO:deploy:checking if RBAC already exists
INFO:deploy:creating Application registration
INFO:deploy:creating service principal
Traceback (most recent call last):
  File "deploy.py", line 926, in <module>
    main()
  File "deploy.py", line 920, in main
    state[1](client)
  File "deploy.py", line 303, in setup_rbac
    client.service_principals.create(service_principal_params)
  File "/tmp/tmpp2x7ybfg/deploy-venv/lib/python3.8/site-packages/azure/graphrbac/operations/service_principals_operations.py", line 87, in create
    raise models.GraphErrorException(self._deserialize, response)
azure.graphrbac.models.graph_error_py3.GraphErrorException: When using this permission, the backing application of the service principal being created must in the local tenant
```

The azure-cli has the same issue, as seen in https://github.com/Azure/azure-cli/issues/14767
This commit is contained in:
bmc-msft
2021-03-23 17:02:36 -04:00
committed by GitHub
parent 3ef7db64c3
commit de5c843eb5
1 changed files with 27 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/deployment/deploy.py
View File

@ -300,7 +300,33 @@ class Client:
service_principal_type="Application", service_principal_type="Application",
app_id=app.app_id, app_id=app.app_id,
) )
def try_sp_create() -> None:
error: Optional[Exception] = None
for _ in range(10):
try:
client.service_principals.create(service_principal_params) client.service_principals.create(service_principal_params)
return
except GraphErrorException as err:
# work around timing issue when creating service principal
# https://github.com/Azure/azure-cli/issues/14767
if (
"service principal being created must in the local tenant"
not in str(err)
):
raise err
logging.warning(
"creating service principal failed with an error that occurs "
"due to AAD race conditions"
)
time.sleep(60)
if error is None:
raise Exception("service principal creation failed")
else:
raise error
try_sp_create()
else: else:
app = existing[0] app = existing[0]
existing_role_values = [app_role.value for app_role in app.app_roles] existing_role_values = [app_role.value for app_role in app.app_roles]