Multiple onefuzz deployments under single subscription #1297
Comments
Yes, it is possible to deploy multiple instances under the same subscription. Do you have a client_secret in your config? You can run
Yea, I have tried that. But with deployment of 3.0.0, I have been getting the below error when I execute
WARNING:nsv-backend:failed to get access token with scope https://<>/.default
This is a normal deployment with no permission issues during deployment. I am the owner of the subscription and the account.
Are you using a client_secret in your config?
@stmh-infosec, you shouldn't have to rename the Please share the exact order of operations you did, e.g.
(or re-arranged as appropriate, depending on what you did) Also, could you please share the redacted output of Suppose it looks something like this:
(I will refer to the actual values below using the placeholder strings above) Big picture: for the CLI client to work, we expect that there is an App Registration named Each app registration has a "manifest", accessible via the "Manifest" menu item in the "Manage" section of the Resource Menu (left pane) of the "App registrations" blade in the Azure Portal. The manifest is a JSON document, and it has a key named Can you please check which app registrations are present in Also, in your last comment, I take it that you redacted a UUID here:
Could you try running both
There is also this weird error that arises every time I deploy version 3.0.0. Issue 1: Steps to reproduce:
Issue 2: Steps to reproduce:
This has nothing to do with multiple deployments, this is just the case with version 3.0.0 deployment. I see a pull request of the fix here (#1300), but not sure if that would be available as part of release binary. (The latest release was downloaded and deployed.)
@ranweiler, for your above commands on However, when I replace the
Thanks for the details, @stmh-infosec! In the first situation, where you deploy, but do not create and configure a
You mean
Exactly. What I'm trying to validate is, in your setup, are you able to get any fully-working deployment, using the standard device code auth flow (not client secret). In other words, even if your initial attempt at deploying stops with an error, and you finish it by re-running with
Understood. I do think that, separately, you're probably running into #1299, which @chkeita is addressing in #1300.
Here they are:
Also curious, the builds should have failed for version 3.0.0 if these kinds of issues arise, right? The GitHub Actions pipeline had both the deployment and verification of the CLI calling the endpoint. Does it actually check for the exact response
Yes, our integration tests should catch this in some form, but I think this is a specific combination of issues that might not be covered. IIUC, based on what you're reporting, you cannot authenticate using the device code flow. I don't know why that is (it has worked in our integration tests). But on top of that, confidential client auth (client ID + secret) is legitimately broken, and so you can't fall back on that, either. For your 3.0.0 instance, for device code auth to work, I'd expect at least the following 3 things to be true:
So, based on the config snippet you shared above, I'd expect to see the following in the manifest of the app registration for your 3.0.0 instance:
Can you please confirm that?
@stmh-infosec regarding issue1. The error message comes from one of our dependencies. The exception generated by this message is handled internally but logged by default. So your deployment is successful even in the presence of that error message.
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.
I have been trying to deploy different versions of onefuzz (3.0.0 and 2.16.0) under a single subscription. The deployment succeeds (I do change the client app registration name, i.e. instead of onefuzz-cli, I name it version-specific, e.g. onefuzz-cli-3-0-0). When I install the CLI and configure it, I am not able to use the CLI to create pools, create VMs and schedule jobs. I get the below error:
ERROR:cli:command failed: error: invalid_client
'AADSTS7000215: Invalid client secret is provided.
Trace ID:
Correlation ID:
Timestamp: 2021-09-28 20:43:14Z'
Can I have multiple instances of onefuzz running under a single subscription? If yes, could you let me know why my CLI is failing to connect with the instance?