Not all data Stores (workspaceblobstore) specified in the run configuration exist - azure-machine-learning-service

I am submitting a run to an AML workspace programmatically, and it is failing with the error message:
"error": {
"code": "UserError",
"message": "Not all data Stores (workspaceblobstore) specified in the run configuration exist." }
Inspecting the run configuration object, the sourceDirectoryDataStore is set to null, and the other two data-related properties are empty.
"dataReferences": {},
"data": {},
"sourceDirectoryDataStore": null
The script that I am submitting does not make use of any datastores registered through aml, it is just the simple diabetes regression, using the sklearn diabetes dataset.
The training script is copied to the snapshots container of the storage account linked with the AML workspace.
What would be the next steps on troubleshooting this?
SDK Version: 1.0.85.
When retrieving the datastores through ws.datastores (suggested in the comments), I get another exception about the storage service missing a name or key, but there is a storage account that got deployed with the AML workspace. Inspecting the ARM template of the AML workspace, the storage account id is in the properties of the AML template, the usual containers (revisions, snapshots, snapshotzips, azureml-blobstore-GUID) are created, and the *.py files that I am attempting to run are being uploaded.
print(ws.datastores)
File "C:\ProgramData\Anaconda3\lib\site-packages\azureml\core\workspace.py", line 789, in datastores
return {datastore.name: datastore for datastore in _DatastoreClient.list(self)}
File "C:\ProgramData\Anaconda3\lib\site-packages\azureml\data\datastore_client.py", line 486, in list
dss, ct = _DatastoreClient._list(workspace, ct, 100)
File "C:\ProgramData\Anaconda3\lib\site-packages\azureml\data\datastore_client.py", line 688, in _list
return list(datastores), datastore_dtos.continuation_token
File "C:\ProgramData\Anaconda3\lib\site-packages\azureml\data\datastore_client.py", line 687, in <lambda>
map(lambda dto: _DatastoreClient._dto_to_datastore(ws, dto), datastore_dtos.value))
File "C:\ProgramData\Anaconda3\lib\site-packages\azureml\data\datastore_client.py", line 760, in _dto_to_datastore
as_section.sas_token, as_section.account_key, as_section.protocol, as_section.endpoint)
File "C:\ProgramData\Anaconda3\lib\site-packages\azureml\data\azure_storage_datastore.py", line 390, in __init__
endpoint_suffix=endpoint
File "C:\ProgramData\Anaconda3\lib\site-packages\azureml\_vendor\azure_storage\file\fileservice.py", line 184, in __init__
raise ValueError(_ERROR_STORAGE_MISSING_INFO)
ValueError: You need to provide an account name and either an account_key or sas_token when creating a storage service.

I had created the workspace that gives this problem through the PowerShell ARM deployment scripts, specifying its ARM template. The deployment succeeded fine.
I tried deploying the workspace through the AzureML SDK, and that creates the datastores and the run succeeds.

It might be linked to the ARM template (or Terraform in our case).
We updated the infrastructure (ML workspace), and for some reason the user principal's access to the associated keyvault got removed...
Trying to launch a new run resulted in a very similar error:
Not all data Stores (workspaceblobstore) specified in the run configuration exist. If the Datastore has secret registered, please make sure that RBAC action "metadata/secrets/read" is permitted
In our case, the machine learning workspace resource was configured like this (only option at the time):
identity {
  type = "SystemAssigned"
}
So, we fixed this issue by explicitly adding a key vault access policy for the machine learning workspace:
resource "azurerm_key_vault_access_policy" "principal_id_access" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = var.azure_tenant_id
  object_id    = azurerm_machine_learning_workspace.example.identity[0].principal_id
  key_permissions = [
    "backup", "create", "decrypt", "delete", "encrypt",
    "get", "import", "list", "purge", "recover", "restore",
    "sign", "unwrapKey", "update", "verify", "wrapKey"
  ]
  secret_permissions = [
    "backup", "delete", "get", "list", "purge", "recover", "restore", "set"
  ]
  certificate_permissions = [
    "backup", "create", "delete", "deleteissuers", "get", "getissuers",
    "import", "list", "listissuers", "managecontacts", "manageissuers", "purge",
    "recover", "restore", "setissuers", "update"
  ]
}

Related

Get properties for an object returned by Get-AzResource on Azure

I am trying to get the properties of an Azure Disk Resource. When I run the command in my subscription
$R=Get-AzResource -Name <ResourceName>
It provides a list of properties given here. I am specifically interested in getting the Properties PSObject. However, running the following command:
$R.Properties -eq $null
returns true. When I look at this resource from the Azure Portal (same user principal as in the PowerShell command) in JSON format, I am given a selection of schemas to choose from and lots of properties are provided. Below is a sample:
"properties": {
"osType": "Linux",
"hyperVGeneration": "V2",
"supportsHibernation": true,
"supportedCapabilities": {
"acceleratedNetwork": true,
"architecture": "x64"
},
"creationData": {
"createOption": "FromImage",
"imageReference": {
"id": "xxx"
}
},
"diskSizeGB": 30,
"diskIOPSReadWrite": 500,
"diskMBpsReadWrite": 60,
"encryption": {
"type": "EncryptionAtRestWithPlatformKey"
},
"networkAccessPolicy": "AllowAll",
"publicNetworkAccess": "Enabled",
"timeCreated": "2023-01-09T13:38:24.500223+00:00",
"provisioningState": "Succeeded",
"diskState": "Attached",
"diskSizeBytes": 32213303296,
"uniqueId": "xxx"
What is the proper command to get this information using PowerShell?
You should set the ExpandProperties switch:
https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azresource?view=azps-9.3.0#-expandproperties
$resourceWithProperties = Get-AzResource -Name <ResourceName> -ExpandProperties
You can then access the properties with
$resourceWithProperties.Properties
You can get all properties using the -ExpandProperties switch. An alternative way of getting all properties is to use the commands below:
Connect-AzAccount
$disk = Get-AzResource -ResourceId "/subscriptions/<subscriptionId>/resourceGroups/<Rg name>/providers/Microsoft.Compute/disks/<Diskname>"
$disk.Properties | Format-List *

Creating a custom role which cannot delete a resource group or individual resources within the resource group

I want to create a custom role for developers.
With this custom role the developers should have contributor access to the resource group "TestRessourceGroup" and all its stored resources but the developers should not have the permission to delete this resource group or individual resources within the resource group.
This is what I have so far:
{
"properties": {
"roleName": "Contributor without permission to delete resources",
"description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, share image galleries, or delete resources.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete",
"Microsoft.Compute/galleries/share/action",
"Microsoft.Resources/subscriptions/resourceGroups/delete"
],
"dataActions": [],
"notDataActions": []
}
]
}
}
The developers should still be able to:
delete blobs and containers within a Storage Account
delete compute instances or compute clusters within AMLS
What do I need to add so that users with this custom role cannot delete a resource group or individual resources (like Storage Accounts, Databricks, Key Vaults, AMLS .....) within the resource group but anything else is working like with the normal contributor access?
If you don't want to include resource deletion, the easiest way is to add */delete in the notActions array:
{
"properties": {
"roleName": "Contributor without permission to delete resources",
"description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, share image galleries, or delete resources.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"*/delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Compute/galleries/share/action"
],
"dataActions": [],
"notDataActions": []
}
]
}
}
You could then have another role to allow users to delete resources inside the Machine Learning workspace:
{
"properties": {
"roleName": "Allow ML workspace resources deletion",
"description": "",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.MachineLearningServices/workspaces/*/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}
If you create an AAD group and assign these two roles to the group, it should work.
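How the two role definitions above combine, as an added example that is not part of the original answer: a small evaluator for control-plane actions. It assumes Azure's wildcard matching is plain case-insensitive string matching where `*` matches any run of characters; the function names and the list of probed operations are constructed for this illustration.

```python
import re

def _pattern(action):
    """Compile an RBAC action string; '*' stands for any run of characters."""
    return re.compile("^" + ".*".join(map(re.escape, action.split("*"))) + "$",
                      re.IGNORECASE)

def role_allows(role, operation):
    """Within one role: granted by 'actions' and not carved out by 'notActions'."""
    for perm in role["permissions"]:
        granted = any(_pattern(a).match(operation) for a in perm["actions"])
        carved_out = any(_pattern(n).match(operation) for n in perm["notActions"])
        if granted and not carved_out:
            return True
    return False

def effective_allow(roles, operation):
    """Role assignments are additive: notActions in one role is not a deny."""
    return any(role_allows(r, operation) for r in roles)

# The two role definitions from the answer above (control-plane parts only).
NO_DELETE = {"permissions": [{
    "actions": ["*"],
    "notActions": ["*/delete",
                   "Microsoft.Authorization/*/Write",
                   "Microsoft.Authorization/elevateAccess/Action",
                   "Microsoft.Blueprint/blueprintAssignments/write",
                   "Microsoft.Compute/galleries/share/action"]}]}
ML_DELETE = {"permissions": [{
    "actions": ["Microsoft.MachineLearningServices/workspaces/*/delete"],
    "notActions": []}]}

# Operations chosen (for this example) to probe the question's requirements.
OPERATIONS = [
    "Microsoft.Resources/subscriptions/resourceGroups/delete",
    "Microsoft.Storage/storageAccounts/delete",
    "Microsoft.KeyVault/vaults/delete",
    "Microsoft.MachineLearningServices/workspaces/delete",
    "Microsoft.MachineLearningServices/workspaces/computes/delete",
    "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Authorization/roleAssignments/write",
]

def evaluate(roles=(NO_DELETE, ML_DELETE), operations=OPERATIONS):
    """Map each operation to True (allowed) or False (not granted)."""
    return {op: effective_allow(roles, op) for op in operations}

if __name__ == "__main__":
    for op, ok in evaluate().items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {op}")
```

Under these assumptions the container delete comes out blocked, although the question wants developers to keep that ability; `*/delete` removes it unless a further role grants it back. Blob deletion is a data action and is outside what this control-plane check covers.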

Adding existing VNet to Azure KeyVault using Pulumi fails

I have an existing key vault in Azure for which I am trying to add an existing VNet through Pulumi code. I face the below error:
error: azure:keyvault/keyVault:KeyVault resource 'exampleKeyVault' has a problem: Invalid or unknown key. Examine values at 'KeyVault.NetworkAcls.VirtualNetworkRules'.
This is my code:
example_key_vault = azure.keyvault.KeyVault("exampleKeyVault",
    resource_group_name=resourceGroup,
    name="keyVaultName",
    tenant_id=current.tenant_id,
    sku_name="premium",
    soft_delete_retention_days=7,
    network_acls=pulumi_azure_native.keyvault.NetworkRuleSetArgs(
        bypass="AzureServices",
        ip_rules=None,
        default_action="Deny",
        virtual_network_rules=[pulumi_azure_native.keyvault.VirtualNetworkRuleArgs(id="/subscriptions/xxxx/resourceGroups/yyyy/providers/Microsoft.Network/virtualNetworks/zzzz/subnets/mysubnet")],),
    access_policies=[azure.keyvault.KeyVaultAccessPolicyArgs(
        tenant_id=current.tenant_id,
        object_id=current.object_id,
        key_permissions=[
            "list",
            "create",
            "get",
            "purge",
            "recover",
            "delete"
        ],
        secret_permissions=["set",
            "list",
            "get",
            "delete",
            "purge",
            "recover"],
    )])
You're passing the wrong type to your resource. network_acls doesn't take the type pulumi_azure_native.keyvault.NetworkRuleSetArgs; it takes pulumi.azure.KeyVaultNetworkAcls.
See here for more information: https://www.pulumi.com/registry/packages/azure/api-docs/keyvault/keyvault/#keyvaultnetworkacls
You'll need something like this:
example_key_vault = azure.keyvault.KeyVault("exampleKeyVault",
    resource_group_name=resourceGroup,
    name="keyVaultName",
    tenant_id=current.tenant_id,
    sku_name="premium",
    soft_delete_retention_days=7,
    # Use the classic provider's own args type, not one from pulumi_azure_native.
    network_acls=azure.keyvault.KeyVaultNetworkAclsArgs(
        bypass="AzureServices",
        ip_rules=None,
        default_action="Deny",
        # The classic provider takes a plain list of subnet resource IDs here.
        virtual_network_subnet_ids=["/subscriptions/xxxx/resourceGroups/yyyy/providers/Microsoft.Network/virtualNetworks/zzzz/subnets/mysubnet"],
    ),
    access_policies=[azure.keyvault.KeyVaultAccessPolicyArgs(
        tenant_id=current.tenant_id,
        object_id=current.object_id,
        key_permissions=[
            "list",
            "create",
            "get",
            "purge",
            "recover",
            "delete"
        ],
        secret_permissions=["set",
            "list",
            "get",
            "delete",
            "purge",
            "recover"],
    )])
I can also see you're making the same mistake at virtual_network_rules; you need to ensure you're not mixing provider types inside the same resource.

Azure Graph API - ClaimsMappingPolicy with ClaimsTransformation

I'm trying to automate the configuration of an enterprise application via the Azure Graph API.
Specifically, it's the Azure Palo Alto Admin UI - https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/paloaltoadmin-tutorial#configure-azure-ad-sso
I've managed to get this working via the frontend, but I'm having trouble configuring the custom claims via the Graph API.
For now, I just want to use a string claim in the custom claim as the customadmin value, with a hardcoded value for the admin role.
When creating via the portal, you can easily enter a string value as the source type of the claim.
However, via the Graph API the source type must be user, resource, audience, company or transformation.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping#claim-schema-entry-elements
It seems that you can create a string type of transformation and then link the transformation into the main ClaimsSchema.
There is a similar example documented here https://learn.microsoft.com/en-us/graph/api/resources/claimsmappingpolicy?view=graph-rest-1.0#example-definition-that-uses-a-claims-transformation
But I cannot get the example to work. Even with a bit of massaging, the example fails. This is what I've been trying:
cat <<- EOF > claims.json
{
"definition": [
"{\"ClaimsMappingPolicy\":{
\"Version\":1,
\"IncludeBasicClaimSet\":\"true\",
\"ClaimsSchema\":[
{\"Source\":\"user\",\"ID\":\"extensionattribute1\"},{\"Source\":\"transformation\",\"ID\":\"DataJoin\",\"TransformationId\":\"JoinTheData\",\"JwtClaimType\":\"JoinedData\"}
],
\"ClaimsTransformation\":[
{\"ID\":\"JoinTheData\",\"TransformationMethod\":\"Join\",\"InputClaims\":[{\"ClaimTypeReferenceId\":\"extensionattribute1\",\"TransformationClaimType\":\"string1\"}], \"InputParameters\": [{\"ID\":\"string2\",\"Value\":\"sandbox\"},{\"ID\":\"separator\",\"Value\":\".\"}],\"OutputClaims\":[{\"ClaimTypeReferenceId\":\"DataJoin\",\"TransformationClaimType\":\"outputClaim\"}]}
]
}}"
],
"displayName": "Azure Reference Claim",
"isOrganizationDefault": false
}
EOF
az rest --method post --headers Content-type="application/json" --url "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies" --body @claims.json
I've tried both the v1.0 and beta APIs, but they both have the same behaviour.
Which returns with the following error:
Bad Request({
"error": {
"code": "Request_BadRequest",
"message": "Property has an invalid value.",
"innerError": {
"date": "2020-09-01T13:03:10",
"request-id": "bc7cf58e-fe6d-47d1-b1e5-cae43326864f"
}
}
})
I was able to get the rest of the Palo Alto claim working (excluding the custom string) with the following:
{
"definition": [
"{\"ClaimsMappingPolicy\":{
\"Version\":1,
\"IncludeBasicClaimSet\":\"true\",
\"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\"},{\"Source\":\"user\",\"ID\":\"givenname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\"},{\"Source\":\"user\",\"ID\":\"displayname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\"},{\"Source\":\"user\",\"ID\":\"surname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\"},{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"username\"}]
}}"
],
"displayName": "Palo Alto Claims Policy",
"isOrganizationDefault": false
}
And I was able to create a CustomString transformation which isn't linked to anything with the following:
{
"definition": [
"{\"ClaimsMappingPolicy\":{
\"Version\":1,
\"IncludeBasicClaimSet\":\"true\",
\"ClaimsTransformation\":[{\"ID\":\"CreateTermsOfService\",\"TransformationMethod\":\"CreateStringClaim\",\"InputParameters\": [{\"ID\":\"value\",\"DataType\":\"string\", \"Value\":\"sandbox\"}],\"OutputClaims\":[{\"ClaimTypeReferenceId\":\"TOS\",\"TransformationClaimType\":\"createdClaim\"}]}]
}}",
],
"displayName": "sdfa",
"isOrganizationDefault": false
}
However, when I try them together in the format of the example, I get an error.
{
"definition": [
"{\"ClaimsMappingPolicy\":{
\"Version\":1,
\"IncludeBasicClaimSet\":\"true\",
\"ClaimsSchema\": [
{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\"},{\"Source\":\"user\",\"ID\":\"givenname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\"},{\"Source\":\"user\",\"ID\":\"displayname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\"},{\"Source\":\"user\",\"ID\":\"surname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\"},{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"username\"},{\"Source\":\"transformation\",\"TransformationID\":\"xxxxxxxxx\",\"ID\":\"DataJoin\",\"SamlClaimType\":\"test\"}
],
\"ClaimsTransformation\":[
{\"ID\":\"xxxxxxxxx\",\"TransformationMethod\":\"CreateStringClaim\",\"InputParameters\": [{\"ID\":\"value\",\"DataType\":\"string\", \"Value\":\"sandbox\"}],\"OutputClaims\":[{\"ClaimTypeReferenceId\":\"DataJoin\",\"TransformationClaimType\":\"createdClaim\"}]}
]
}}"
],
"displayName": "Palo Alto Claims Policy",
"isOrganizationDefault": false
}
Which returns the same unhelpful error:
Bad Request({
"error": {
"code": "Request_BadRequest",
"message": "Property has an invalid value.",
"innerError": {
"date": "2020-09-01T13:03:10",
"request-id": "bc7cf58e-fe6d-47d1-b1e5-cae43326864f"
}
}
})
Any ideas what I am doing wrong? I'm trying to base off of the example, which I can't get working.
I do not want to use PowerShell; I want to be able to automate via my desktop terminal.
I imagine I can avoid this situation and get the PA to integrate with AAD without a hardcoded value, but I feel that I should be able to get this working this way.
The mandatory encoding of the ClaimMappingPolicy object makes it quite fiddly to develop, so it's possible there is a problem there somewhere.
I've also tried just creating the ClaimsSchema without the ClaimsTransformation and then running a PATCH to amend the object with the transformed object, but it just overwrites the whole ClaimsMappingPolicy object rather than adding just the extra field.
When I remove the transformation source from the ClaimsSchema the request succeeds.
cat <<- EOF > claims.json
{
"definition": [
"{\"ClaimsMappingPolicy\":{
\"Version\":1,
\"IncludeBasicClaimSet\":\"true\",
\"ClaimsSchema\": [
{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\"},{\"Source\":\"user\",\"ID\":\"givenname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\"},{\"Source\":\"user\",\"ID\":\"displayname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\"},{\"Source\":\"user\",\"ID\":\"surname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\"},{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"username\"}
],
\"ClaimsTransformation\":[
{\"ID\":\"xxxxxxxxx\",\"TransformationMethod\":\"CreateStringClaim\",\"InputParameters\": [{\"ID\":\"value\",\"DataType\":\"string\", \"Value\":\"sandbox\"}],\"OutputClaims\":[{\"ClaimTypeReferenceId\":\"DataJoin\",\"TransformationClaimType\":\"createdClaim\"}]}
]
}}"
],
"displayName": "Palo Alto Claims Policy",
"isOrganizationDefault": false
}
EOF
But there isn't an association between the ClaimsSchema and the ClaimsTransformation. This hints at a problem with the ClaimsSchema object:
{\"Source\":\"transformation\",\"TransformationID\":\"xxxxxxxxx\",\"ID\":\"DataJoin\",\"SamlClaimType\":\"test\"}
But this looks suitable when looking at the documentation and the (possibly broken) reference example.
Providing information in an answer as it's too long for a comment. Please try the query below in Graph Explorer:
Post https://graph.microsoft.com/beta/policies/claimsMappingPolicies
{"definition":["{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\":[{\"Source\":\"user\",\"ID\":\"extensionattribute1\"},{\"Source\":\"transformation\",\"ID\":\"DataJoin\",\"TransformationId\":\"JoinTheData\",\"JwtClaimType\":\"JoinedData\"}],\"ClaimsTransformations\":[{\"ID\":\"JoinTheData\",\"TransformationMethod\":\"Join\",\"InputClaims\":[{\"ClaimTypeReferenceId\":\"extensionattribute1\",\"TransformationClaimType\":\"string1\"}], \"InputParameters\": [{\"ID\":\"string2\",\"Value\":\"sandbox\"},{\"ID\":\"separator\",\"Value\":\".\"}],\"OutputClaims\":[{\"ClaimTypeReferenceId\":\"DataJoin\",\"TransformationClaimType\":\"outputClaim\"}]}]}}"],"displayName":"TestclaimsPolicy","isOrganizationDefault":false}
Post https://graph.microsoft.com/beta/policies/claimsMappingPolicies
{"definition":["{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\"},{\"Source\":\"user\",\"ID\":\"givenname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\"},{\"Source\":\"user\",\"ID\":\"displayname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\"},{\"Source\":\"user\",\"ID\":\"surname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\"},{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"username\"}],\"ClaimsTransformation\":[{\"ID\":\"CreateTermsOfService\",\"TransformationMethod\":\"CreateStringClaim\",\"InputParameters\": [{\"ID\":\"value\",\"DataType\":\"string\", \"Value\":\"sandbox\"}],\"OutputClaims\":[{\"ClaimTypeReferenceId\":\"TOS\",\"TransformationClaimType\":\"createdClaim\"}]}]}}"],"displayName":"Test1234","isOrganizationDefault":false}
For more information on CreateTermsOfService, please refer to this document.
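The hand-escaping described in the question can be avoided by building the policy as a data structure and serializing it twice, then checking that schema entries and transformations actually reference each other. This is an added example, not code from the question, the answer or Microsoft; all function names are hypothetical, the sample policy is constructed from the question's combined attempt, and the transformations key is a parameter because the page shows both `ClaimsTransformation` and `ClaimsTransformations`.

```python
import json

def encode_definition(policy):
    """Serialize the inner policy to one line; it becomes a string in 'definition'."""
    return json.dumps({"ClaimsMappingPolicy": policy}, separators=(",", ":"))

def build_body(policy, display_name):
    """Request body: json.dumps escapes the inner quotes, nothing is escaped by hand."""
    return json.dumps({"definition": [encode_definition(policy)],
                       "displayName": display_name,
                       "isOrganizationDefault": False})

def is_valid_json(text):
    """True if text parses as JSON."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False

def lint(policy, transformations_key="ClaimsTransformations"):
    """Report broken links between ClaimsSchema entries and transformations."""
    problems = []
    schema = policy.get("ClaimsSchema", [])
    schema_ids = {e["ID"] for e in schema}
    transforms = {t["ID"]: t for t in policy.get(transformations_key, [])}
    for entry in schema:
        if entry.get("Source") != "transformation":
            continue
        if "TransformationId" not in entry:
            near = [k for k in entry if k.lower() == "transformationid"]
            problems.append(f"{entry['ID']}: key spelled {near or 'missing'}, "
                            "the answer's query uses 'TransformationId'")
            continue
        t = transforms.get(entry["TransformationId"])
        if t is None:
            problems.append(f"{entry['ID']}: unknown transformation "
                            f"{entry['TransformationId']}")
        elif entry["ID"] not in {o["ClaimTypeReferenceId"] for o in t["OutputClaims"]}:
            problems.append(f"{entry['ID']}: not an output of {t['ID']}")
    for t in transforms.values():
        for ref in t.get("InputClaims", []) + t.get("OutputClaims", []):
            if ref["ClaimTypeReferenceId"] not in schema_ids:
                problems.append(f"{t['ID']}: {ref['ClaimTypeReferenceId']} "
                                "is not in ClaimsSchema")
    return problems

# Constructed from the question's combined attempt (one user claim kept for brevity).
USER_CLAIM = {"Source": "user", "ID": "userprincipalname", "SamlClaimType": "username"}
TRANSFORM = {"ID": "xxxxxxxxx", "TransformationMethod": "CreateStringClaim",
             "InputParameters": [{"ID": "value", "DataType": "string",
                                  "Value": "sandbox"}],
             "OutputClaims": [{"ClaimTypeReferenceId": "DataJoin",
                               "TransformationClaimType": "createdClaim"}]}

def sample_policy(link_key):
    """Policy whose transformation entry uses link_key to name its transformation."""
    return {"Version": 1, "IncludeBasicClaimSet": "true",
            "ClaimsSchema": [USER_CLAIM,
                             {"Source": "transformation", link_key: "xxxxxxxxx",
                              "ID": "DataJoin", "SamlClaimType": "test"}],
            "ClaimsTransformations": [TRANSFORM]}

# Hand-escaped form as in the heredoc: a raw newline inside a JSON string.
HAND_WRITTEN = '{"definition": ["{\\"ClaimsMappingPolicy\\":{\n\\"Version\\":1}}"]}'

if __name__ == "__main__":
    print(is_valid_json(HAND_WRITTEN))
    print(build_body(sample_policy("TransformationId"), "Palo Alto Claims Policy"))
    print(lint(sample_policy("TransformationID")))
```

The lint only reports where a policy differs from the spelling and cross-references used in the answer's query; the page does not establish which of those differences Graph rejects.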

Packer azure-arm: Cannot locate the managed image resource group

I am new to Packer and I have been trying to build my first Packer image on Azure following this guide - https://learn.microsoft.com/en-us/azure/virtual-machines/windows/build-image-with-packer
I did not follow the guide exactly as I already had an Azure Subscription and resource group set up. But now when I attempt to build my Packer image I get the following error:
Build 'azure-arm' errored: Cannot locate the managed image resource group myResourceGroup
From reading through the docs it states the only requirement is that the resource group already exist, which it does as I can see it in my Azure portal.
My packer json file follows the one from the guide which is shown below, any help appreciated
{
"builders": [{
"type": "azure-arm",
"client_id": "0831b578-8ab6-40b9-a581-9a880a94aab1",
"client_secret": "P#ssw0rd!",
"tenant_id": "72f988bf-86f1-41af-91ab-2d7cd011db47",
"subscription_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
"object_id": "a7dfb070-0d5b-47ac-b9a5-cf214fff0ae2",
"managed_image_resource_group_name": "myResourceGroup",
"managed_image_name": "myPackerImage",
"os_type": "Windows",
"image_publisher": "MicrosoftWindowsServer",
"image_offer": "WindowsServer",
"image_sku": "2016-Datacenter",
"communicator": "winrm",
"winrm_use_ssl": "true",
"winrm_insecure": "true",
"winrm_timeout": "3m",
"winrm_username": "packer",
"azure_tags": {
"dept": "Engineering",
"task": "Image deployment"
},
"location": "East US",
"vm_size": "Standard_DS2_v2"
}],
"provisioners": [{
"type": "powershell",
"inline": [
"Add-WindowsFeature Web-Server",
"if( Test-Path $Env:SystemRoot\\windows\\system32\\Sysprep\\unattend.xml ){ rm $Env:SystemRoot\\windows\\system32\\Sysprep\\unattend.xml -Force}",
"& $Env:SystemRoot\\System32\\Sysprep\\Sysprep.exe /oobe /generalize /shutdown /quiet"
]
}]
}
This happened to me because my service principal did not have sufficient permissions to read the resource group.
Make sure you have the correct permission, this should create a correct service principal:
az ad sp create-for-rbac --role Contributor --name sp-packer-001
There is an open issue with Packer where this error is displayed when there is a mismatch in the client_id / client_secret pair; for details see here.
Build 'azure-arm' errored: Cannot locate the managed image resource
group myResourceGroup
According to this error message, it seems you have not replaced your resource group name in that json file.
"managed_image_resource_group_name": "myResourceGroup",
We should replace that myResourceGroup with your existing resource group name, like this:
"managed_image_resource_group_name": "jasonpacker",
Also we should replace client_id, client_secret, tenant_id, subscription_id and object_id.
After that completes, we can find the image in your existing resource group.
