Azure Shared Image Gallery Multi-tenant

Question

Hi All,

  I have created shared image gallery in tenant1 and I am able to create VMs using this image across all subscriptions in this tenant. Used CLI, powershell and Terraform and it worked fine

When I try to create a VM in Tenant-2 with Shared Image Galley available in Tenant-1, I am facing some issues. I am able to create the VM in tenant by using CLI and power shell, but when using Terraform it is failing with below error.

Error: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/*aaaaaaaaaaaaaaaa/resourceGroups/mygroup/providers/Microsoft.Compute/virtualMachines/sigvm-01', however the current tenant 'bbbbbbbbbbbbbbb' is not authorized to access linked subscription 'ccccccccccccccccccccc'."

aaaaaaaaaaaaaa -> is the subscription ID in Tenant-2 where I am trying to create VM

bbbbbbbbbbbbbb -> is the tenant ID of tenant 2

cccccccccccccccc  ->  is the subscription ID in tenant1

ANY help is much appreciated.

Thank You

  

Answer 1

Hi, 

Using images from Shared image gallery in a different tenant is supported only through Powershell and CLI. Using Portal and other methods are not supported yet.

REF: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/share-images-across-tenants#give-tenant-2-access

---

Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

Answer 2

Thanks for prompt response.. you confirming that it is not possible via terraform as well?

As I saw a post  here github.com/terraform-providers/terraform-provider-azurerm/issues/3548   but not sure how can I try that as well.

Answer 3

Yes, It is not supported through terraform currently. Product group is working on this but I do not have an ETA regarding this. 

---

Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

Answer 4

Hi

We got the 1.34 version released and I am getting the error I pasted initially. My Azure Shared Image galleries are in tenant-1 and I am trying to deploy a VM in tenant-2 using this SIG in tenant-1.

####  connecting to tenant -2 ########
provider "azurerm" {
  subscription_id = "${var.subscription_id}"
  client_id       = "${var.client_id}"
  client_secret   = "${var.client_secret}"
  tenant_id       = "${var.tenant_id}"
}

#####  connecting to tenant -1 ######## Provider for fetching the SIG resource
provider "azurerm" {
  alias           = "sig-resources-id"
  subscription_id = "${var.sig_subscription_id}"
  client_id       = "${var.sig_client_id}"
  client_secret   = "${var.sig_client_secret}"
  tenant_id       = "${var.sig_tenant_id}"
}

using alias I fetches the image ID and use this ID to provision in tenant-2 and is not working. Any suggestions here?

Answer 5

All,

  Can you please help in this regard.

Thank You