Issue deploying VM off shared image from another account

  • Question

  • Hi-

    My goal is to maintain an image on one account, and be able to deploy VMs off that image on other accounts with whom I've shared the gallery.

    Account 1: Owns the image gallery

    Account 2: I want to deploy VMs using the shared image.

    I have added Account 2 to the image gallery and have an application registered which can successfully deploy VMs in the subscription (i.e. account 2's subscription).  I am getting the following message when I try to deploy off the shared image:

    {'error': {'code': 'LinkedAuthorizationFailed', 'message': "The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/[account 2's subscription]/resourceGroups/rgtest2/providers/Microsoft.Compute/virtualMachineScaleSets/sstest', however the current tenant '[account 2's tenantId]' is not authorized to access linked subscription '[account 1's subscription ID'."}}

    I came across some discussions which suggested it was previously not supported, but should be supported now. I can't post URLs, but an example is topic 'provider: add service principal auxiliary tenant support #4290' on GitHub.

    It is unclear to me what additional permissions I need to assign so that the secondary accounts can use the shared image version to launch VMs.

    Help greatly appreciated.



    • Edited by gregcron Monday, November 25, 2019 9:37 PM
    Monday, November 25, 2019 9:37 PM

All replies

  • Hi,

    You need to authorize the tenant 2 with the app id of the app registration from tenant 1.

    Steps are mentioned here.  Full document is here

    The above link also has full details about sharing the image gallery from tenant 1 to tenant 2.

    I am adding those details in a simplified way here.

    In tenant 1

    • Create an app registration and give it a name
    • Allow any org or personal account to connect
    • save the app id
    • go to the app permissions page and add the shared image gallery to share

    In tenant 2, authorize access.

    Then you can create a VM in tenant 2 from the image in tenant 1 via the CLI.  The portal method is not supported yet.

    Tuesday, November 26, 2019 6:38 AM
  • Hi - thank you for the reply.  I had tried that before, but faced an issue. I recreated an app registration and added it to the image gallery to make sure my previous app wasn't improperly configured.  On the new app registration, when I follow the step to authorize tenant 2, I get the following message:

    AADSTS50020: User account '[email address of the account which owns the shared image gallery]' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application '[client ID of newly created application registration]'(myGalleryAp) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account

    EDIT:  The above message was seen when trying to enter the authorization URL on the browser signed into the Tenant 1 account.

    When I visited that URL from the browser signed into tenant/account 2, it did seem to prompt me to accept the permissions for the app.  I accepted.

    However, I am still seeing the same message when I try and deploy a VM from the shared image on Tenant/Account 2:

    {'error': {'code': 'LinkedAuthorizationFailed', 'message': "The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/[account 2's subscription]/resourceGroups/rgtest2/providers/Microsoft.Compute/virtualMachineScaleSets/sstest', however the current tenant '[account 2's tenantId]' is not authorized to access linked subscription '[account 1's subscription ID'."}}

    Perhaps the permissions are delayed?  I did refresh my authorization before trying to create the VM a few times, and got the above response each time.

    Note:  I am deploying using the REST API from my deployment script.  Perhaps there is some mismatch in the authentication?  I see the instructions, when done via the Azure CLI, have you log into both accounts 1 and 2?

    When I request the deployment, the access token I'm passing with the request is authorized to tenant 2, not tenant 1.  The access token was obtained with:

        import adal  # ADAL for Python; the bracketed values below are placeholders redacted by the poster

        tenant = [tenant 2's tenant id]

        clientId = [tenant 2's client id]
        clientSecret = [tenant 2's client secret]
        # Authority is tenant 2's login endpoint; the resulting token is scoped to tenant 2 only
        authority_url = f'https://login.microsoftonline.com/{tenant}'
        resource = 'https://management.azure.com/'
        context = adal.AuthenticationContext(authority_url)
        # Client-credentials flow: service principal secret in exchange for an ARM access token
        token = context.acquire_token_with_client_credentials(resource, clientId, clientSecret)


    Is it possible to add whatever authentication is needed from Tenant 1 into the headers I send with the create VM request?
    • Edited by gregcron Tuesday, November 26, 2019 4:40 PM
    Tuesday, November 26, 2019 2:54 PM
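The reply above describes the two-tenant setup (one multi-tenant app registration from tenant 1, consented in tenant 2, then a CLI session logged into both tenants), and the last post asks how the tenant 1 credential can travel with a raw REST call. The following is an added example, not code from this thread or from Microsoft: it builds the tenant 2 consent URL from the reply, acquires a client-credentials token per tenant with the standard library instead of adal, and assembles the VM creation PUT so that the tenant 2 token goes in `Authorization` and the tenant 1 token goes in the `x-ms-authorization-auxiliary` header, which is Azure Resource Manager's documented mechanism for authorizing a request that touches a linked subscription in another tenant. Assumptions: the same app ID and client secret are valid in both tenants, the image version lives in tenant 1's subscription, and a NIC already exists in tenant 2. All resource names and IDs are placeholders.

```python
"""Cross-tenant VM deployment against the ARM REST API (added example, stdlib only).

Assumes one multi-tenant app registration whose app ID and secret work in both
tenants (as in the reply's setup). Network calls live in acquire_token() and
deploy(); the request-building functions run offline.
"""
import json
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
LOGIN = "https://login.microsoftonline.com"
API_VERSION = "2019-07-01"  # a Microsoft.Compute API version that accepts gallery image references


def consent_url(tenant2_id: str, app_id: str) -> str:
    """URL a tenant 2 user opens, signed in to tenant 2 (not tenant 1, which gives
    AADSTS50020 as the poster saw), to grant the tenant 1 app access."""
    params = urllib.parse.urlencode({
        "client_id": app_id,
        "response_type": "code",
        "redirect_uri": "https://www.microsoft.com/",
    })
    return f"{LOGIN}/{tenant2_id}/oauth2/authorize?{params}"


def acquire_token(tenant_id: str, app_id: str, client_secret: str) -> str:
    """Client-credentials flow against one tenant; same thing the poster's adal
    call does. Call it once per tenant. Network call, not exercised offline."""
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": client_secret,
        "resource": ARM + "/",
    }).encode()
    req = urllib.request.Request(f"{LOGIN}/{tenant_id}/oauth2/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def gallery_image_version_id(sub1_id, resource_group, gallery, image_definition, version):
    """Full resource ID of the image version in tenant 1's subscription."""
    return (f"/subscriptions/{sub1_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Compute/galleries/{gallery}"
            f"/images/{image_definition}/versions/{version}")


def build_vm_request(sub2_id, resource_group, vm_name, location, image_version_id,
                     tenant2_token, tenant1_token, admin_username, ssh_public_key, nic_id):
    """Assemble the PUT that creates the VM in tenant 2's subscription.

    Authorization carries the token for the tenant the VM lands in;
    x-ms-authorization-auxiliary carries the tenant 1 token ARM needs for the
    linked galleries/images/versions/read. With only the first header ARM
    answers LinkedAuthorizationFailed, the error quoted in the thread.
    """
    url = (f"{ARM}/subscriptions/{sub2_id}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.Compute/virtualMachines/{vm_name}?api-version={API_VERSION}")
    headers = {
        "Authorization": f"Bearer {tenant2_token}",
        "x-ms-authorization-auxiliary": f"Bearer {tenant1_token}",
        "Content-Type": "application/json",
    }
    body = {
        "location": location,
        "properties": {
            "hardwareProfile": {"vmSize": "Standard_B2s"},
            "storageProfile": {"imageReference": {"id": image_version_id}},
            "osProfile": {
                "computerName": vm_name,
                "adminUsername": admin_username,
                "linuxConfiguration": {
                    "disablePasswordAuthentication": True,
                    "ssh": {"publicKeys": [{
                        "path": f"/home/{admin_username}/.ssh/authorized_keys",
                        "keyData": ssh_public_key}]},
                },
            },
            "networkProfile": {"networkInterfaces": [{"id": nic_id}]},
        },
    }
    return url, headers, body


def deploy(url, headers, body):
    """Send the PUT; ARM returns 201 and a provisioningState of Creating on success."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="PUT")
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.load(resp)


if __name__ == "__main__":
    # Placeholders: replace with real IDs, app secret, NIC and public key before running.
    t2 = acquire_token("<tenant 2 id>", "<app id>", "<client secret>")
    t1 = acquire_token("<tenant 1 id>", "<app id>", "<client secret>")
    image = gallery_image_version_id("<sub 1 id>", "<rg>", "<gallery>", "<image def>", "1.0.0")
    print(deploy(*build_vm_request("<sub 2 id>", "rgtest2", "vm1", "eastus", image, t2, t1,
                                   "azureuser", "<ssh public key>", "<nic resource id>")))
```

The auxiliary token must come from the same app registration that was consented in tenant 2, and it must be minted against tenant 1's login endpoint; a second token from tenant 2 in that header changes nothing.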