Add 403 error for blob access in AzureVmssDeploymentV1 (#20770)

* Add 403 error for blob access in AzureVmssDeploymentV1

* updated task.loc.json

Tasks/AzureVmssDeploymentV1/operations/VirtualMachineScaleSet.ts

@@ -115,6 +115,9 @@ export default class VirtualMachineScaleSet {
             customScriptInfo.storageAccount = await this._getStorageAccountDetails();
             customScriptInfo.blobUris = await this._uploadCustomScriptsToBlobService(customScriptInfo);
         } catch (error) {
+            if (error.statusCode && error.statusCode == 403) {
+                throw tl.loc("UploadingToStorageBlobsAuthenticationFailed", this.taskParameters.customScriptsStorageAccount );
+            }
             throw tl.loc("UploadingToStorageBlobsFailed", error.message ? error.message : error);
         }
 
@@ -264,6 +267,9 @@ export default class VirtualMachineScaleSet {
         return new Promise<void>((resolve, reject) => {
             client.virtualMachineExtensions.createOrUpdate(resourceGroupName, this.taskParameters.vmssName, azureModel.ComputeResourceType.VirtualMachineScaleSet, customScriptExtension.name, customScriptExtension, (error, result, request, response) => {
                 if (error) {
+                    if (error.statusCode && error.statusCode == 403) {
+                        return reject(tl.loc("SettingVMExtensionFailedwithAuthentication", utils.getError(error) , this.taskParameters.vmssName));
+                    }
                     return reject(tl.loc("SettingVMExtensionFailed", utils.getError(error)));
                 }
 

Tasks/AzureVmssDeploymentV1/task.json

@@ -14,7 +14,7 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 1,
-    "Minor": 249,
+    "Minor": 251,
     "Patch": 0
   },
   "demands": [],
@@ -224,6 +224,8 @@
     "CouldNotFetchAccessTokenforAzureStatusCode": "Could not fetch access token for Azure. Status code: %s, status message: %s",
     "CouldNotFetchAccessTokenforMSIDueToMSINotConfiguredProperlyStatusCode": "Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: %s, status message: %s",
     "CouldNotFetchAccessTokenforMSIStatusCode": "Could not fetch access token for Managed Service Principal. Status code: %s, status message: %s",
-    "ExpiredServicePrincipal": "Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired."
+    "ExpiredServicePrincipal": "Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired.",
+    "UploadingToStorageBlobsAuthenticationFailed": "Failed to upload custom scripts to azure blob storage. Please ensure that the subscription has the 'Storage Blob Data Contributor' role assigned for storage account '%s'.",
+    "SettingVMExtensionFailedwithAuthentication": "Failed to install VM custom script extension on VMSS. Error: %s. Please ensure that the subscription has the 'Contributor' role assigned for vmss '%s'. "
   }
 }

Tasks/AzureVmssDeploymentV1/task.loc.json

@@ -14,7 +14,7 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 1,
-    "Minor": 249,
+    "Minor": 251,
     "Patch": 0
   },
   "demands": [],
@@ -224,6 +224,8 @@
     "CouldNotFetchAccessTokenforAzureStatusCode": "ms-resource:loc.messages.CouldNotFetchAccessTokenforAzureStatusCode",
     "CouldNotFetchAccessTokenforMSIDueToMSINotConfiguredProperlyStatusCode": "ms-resource:loc.messages.CouldNotFetchAccessTokenforMSIDueToMSINotConfiguredProperlyStatusCode",
     "CouldNotFetchAccessTokenforMSIStatusCode": "ms-resource:loc.messages.CouldNotFetchAccessTokenforMSIStatusCode",
-    "ExpiredServicePrincipal": "ms-resource:loc.messages.ExpiredServicePrincipal"
+    "ExpiredServicePrincipal": "ms-resource:loc.messages.ExpiredServicePrincipal",
+    "UploadingToStorageBlobsAuthenticationFailed": "ms-resource:loc.messages.UploadingToStorageBlobsAuthenticationFailed",
+    "SettingVMExtensionFailedwithAuthentication": "ms-resource:loc.messages.SettingVMExtensionFailedwithAuthentication"
   }
 }

_generated/AzureVmssDeploymentV1.versionmap.txt

@@ -1,2 +1,2 @@
-Default|1.249.0
-Node20_229_6|1.249.1
+Default|1.251.0
+Node20_229_6|1.251.1

_generated/AzureVmssDeploymentV1/Strings/resources.resjson/en-US/resources.resjson

@@ -76,5 +76,7 @@
   "loc.messages.CouldNotFetchAccessTokenforAzureStatusCode": "Could not fetch access token for Azure. Status code: %s, status message: %s",
   "loc.messages.CouldNotFetchAccessTokenforMSIDueToMSINotConfiguredProperlyStatusCode": "Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: %s, status message: %s",
   "loc.messages.CouldNotFetchAccessTokenforMSIStatusCode": "Could not fetch access token for Managed Service Principal. Status code: %s, status message: %s",
-  "loc.messages.ExpiredServicePrincipal": "Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired."
+  "loc.messages.ExpiredServicePrincipal": "Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired.",
+  "loc.messages.UploadingToStorageBlobsAuthenticationFailed": "Failed to upload custom scripts to azure blob storage. Please ensure that the subscription has the 'Storage Blob Data Contributor' role assigned for storage account '%s'.",
+  "loc.messages.SettingVMExtensionFailedwithAuthentication": "Failed to install VM custom script extension on VMSS. Error: %s. Please ensure that the subscription has the 'Contributor' role assigned for vmss '%s'. "
 }

_generated/AzureVmssDeploymentV1/operations/VirtualMachineScaleSet.ts

@@ -115,6 +115,9 @@ export default class VirtualMachineScaleSet {
             customScriptInfo.storageAccount = await this._getStorageAccountDetails();
             customScriptInfo.blobUris = await this._uploadCustomScriptsToBlobService(customScriptInfo);
         } catch (error) {
+            if (error.statusCode && error.statusCode == 403) {
+                throw tl.loc("UploadingToStorageBlobsAuthenticationFailed", this.taskParameters.customScriptsStorageAccount );
+            }
             throw tl.loc("UploadingToStorageBlobsFailed", error.message ? error.message : error);
         }
 
@@ -264,6 +267,9 @@ export default class VirtualMachineScaleSet {
         return new Promise<void>((resolve, reject) => {
             client.virtualMachineExtensions.createOrUpdate(resourceGroupName, this.taskParameters.vmssName, azureModel.ComputeResourceType.VirtualMachineScaleSet, customScriptExtension.name, customScriptExtension, (error, result, request, response) => {
                 if (error) {
+                    if (error.statusCode && error.statusCode == 403) {
+                        return reject(tl.loc("SettingVMExtensionFailedwithAuthentication", utils.getError(error) , this.taskParameters.vmssName));
+                    }
                     return reject(tl.loc("SettingVMExtensionFailed", utils.getError(error)));
                 }
 

_generated/AzureVmssDeploymentV1/task.json

@@ -14,7 +14,7 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 1,
-    "Minor": 249,
+    "Minor": 251,
     "Patch": 0
   },
   "demands": [],
@@ -224,10 +224,12 @@
     "CouldNotFetchAccessTokenforAzureStatusCode": "Could not fetch access token for Azure. Status code: %s, status message: %s",
     "CouldNotFetchAccessTokenforMSIDueToMSINotConfiguredProperlyStatusCode": "Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: %s, status message: %s",
     "CouldNotFetchAccessTokenforMSIStatusCode": "Could not fetch access token for Managed Service Principal. Status code: %s, status message: %s",
-    "ExpiredServicePrincipal": "Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired."
+    "ExpiredServicePrincipal": "Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired.",
+    "UploadingToStorageBlobsAuthenticationFailed": "Failed to upload custom scripts to azure blob storage. Please ensure that the subscription has the 'Storage Blob Data Contributor' role assigned for storage account '%s'.",
+    "SettingVMExtensionFailedwithAuthentication": "Failed to install VM custom script extension on VMSS. Error: %s. Please ensure that the subscription has the 'Contributor' role assigned for vmss '%s'. "
   },
   "_buildConfigMapping": {
-    "Default": "1.249.0",
-    "Node20_229_6": "1.249.1"
+    "Default": "1.251.0",
+    "Node20_229_6": "1.251.1"
   }
 }

_generated/AzureVmssDeploymentV1/task.loc.json

@@ -14,7 +14,7 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 1,
-    "Minor": 249,
+    "Minor": 251,
     "Patch": 0
   },
   "demands": [],
@@ -224,10 +224,12 @@
     "CouldNotFetchAccessTokenforAzureStatusCode": "ms-resource:loc.messages.CouldNotFetchAccessTokenforAzureStatusCode",
     "CouldNotFetchAccessTokenforMSIDueToMSINotConfiguredProperlyStatusCode": "ms-resource:loc.messages.CouldNotFetchAccessTokenforMSIDueToMSINotConfiguredProperlyStatusCode",
     "CouldNotFetchAccessTokenforMSIStatusCode": "ms-resource:loc.messages.CouldNotFetchAccessTokenforMSIStatusCode",
-    "ExpiredServicePrincipal": "ms-resource:loc.messages.ExpiredServicePrincipal"
+    "ExpiredServicePrincipal": "ms-resource:loc.messages.ExpiredServicePrincipal",
+    "UploadingToStorageBlobsAuthenticationFailed": "ms-resource:loc.messages.UploadingToStorageBlobsAuthenticationFailed",
+    "SettingVMExtensionFailedwithAuthentication": "ms-resource:loc.messages.SettingVMExtensionFailedwithAuthentication"
   },
   "_buildConfigMapping": {
-    "Default": "1.249.0",
-    "Node20_229_6": "1.249.1"
+    "Default": "1.251.0",
+    "Node20_229_6": "1.251.1"
   }
 }

_generated/AzureVmssDeploymentV1_Node20/Strings/resources.resjson/en-US/resources.resjson

@@ -76,5 +76,7 @@
   "loc.messages.CouldNotFetchAccessTokenforAzureStatusCode": "Could not fetch access token for Azure. Status code: %s, status message: %s",
   "loc.messages.CouldNotFetchAccessTokenforMSIDueToMSINotConfiguredProperlyStatusCode": "Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: %s, status message: %s",
   "loc.messages.CouldNotFetchAccessTokenforMSIStatusCode": "Could not fetch access token for Managed Service Principal. Status code: %s, status message: %s",
-  "loc.messages.ExpiredServicePrincipal": "Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired."
+  "loc.messages.ExpiredServicePrincipal": "Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired.",
+  "loc.messages.UploadingToStorageBlobsAuthenticationFailed": "Failed to upload custom scripts to azure blob storage. Please ensure that the subscription has the 'Storage Blob Data Contributor' role assigned for storage account '%s'.",
+  "loc.messages.SettingVMExtensionFailedwithAuthentication": "Failed to install VM custom script extension on VMSS. Error: %s. Please ensure that the subscription has the 'Contributor' role assigned for vmss '%s'. "
 }

_generated/AzureVmssDeploymentV1_Node20/operations/VirtualMachineScaleSet.ts

@@ -115,6 +115,9 @@ export default class VirtualMachineScaleSet {
             customScriptInfo.storageAccount = await this._getStorageAccountDetails();
             customScriptInfo.blobUris = await this._uploadCustomScriptsToBlobService(customScriptInfo);
         } catch (error) {
+            if (error.statusCode && error.statusCode == 403) {
+                throw tl.loc("UploadingToStorageBlobsAuthenticationFailed", this.taskParameters.customScriptsStorageAccount );
+            }
             throw tl.loc("UploadingToStorageBlobsFailed", error.message ? error.message : error);
         }
 
@@ -264,6 +267,9 @@ export default class VirtualMachineScaleSet {
         return new Promise<void>((resolve, reject) => {
             client.virtualMachineExtensions.createOrUpdate(resourceGroupName, this.taskParameters.vmssName, azureModel.ComputeResourceType.VirtualMachineScaleSet, customScriptExtension.name, customScriptExtension, (error, result, request, response) => {
                 if (error) {
+                    if (error.statusCode && error.statusCode == 403) {
+                        return reject(tl.loc("SettingVMExtensionFailedwithAuthentication", utils.getError(error) , this.taskParameters.vmssName));
+                    }
                     return reject(tl.loc("SettingVMExtensionFailed", utils.getError(error)));
                 }
 

_generated/AzureVmssDeploymentV1_Node20/task.json

@@ -14,7 +14,7 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 1,
-    "Minor": 249,
+    "Minor": 251,
     "Patch": 1
   },
   "demands": [],
@@ -224,10 +224,12 @@
     "CouldNotFetchAccessTokenforAzureStatusCode": "Could not fetch access token for Azure. Status code: %s, status message: %s",
     "CouldNotFetchAccessTokenforMSIDueToMSINotConfiguredProperlyStatusCode": "Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: %s, status message: %s",
     "CouldNotFetchAccessTokenforMSIStatusCode": "Could not fetch access token for Managed Service Principal. Status code: %s, status message: %s",
-    "ExpiredServicePrincipal": "Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired."
+    "ExpiredServicePrincipal": "Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired.",
+    "UploadingToStorageBlobsAuthenticationFailed": "Failed to upload custom scripts to azure blob storage. Please ensure that the subscription has the 'Storage Blob Data Contributor' role assigned for storage account '%s'.",
+    "SettingVMExtensionFailedwithAuthentication": "Failed to install VM custom script extension on VMSS. Error: %s. Please ensure that the subscription has the 'Contributor' role assigned for vmss '%s'. "
   },
   "_buildConfigMapping": {
-    "Default": "1.249.0",
-    "Node20_229_6": "1.249.1"
+    "Default": "1.251.0",
+    "Node20_229_6": "1.251.1"
   }
 }

_generated/AzureVmssDeploymentV1_Node20/task.loc.json

@@ -14,7 +14,7 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 1,
-    "Minor": 249,
+    "Minor": 251,
     "Patch": 1
   },
   "demands": [],
@@ -224,10 +224,12 @@
     "CouldNotFetchAccessTokenforAzureStatusCode": "ms-resource:loc.messages.CouldNotFetchAccessTokenforAzureStatusCode",
     "CouldNotFetchAccessTokenforMSIDueToMSINotConfiguredProperlyStatusCode": "ms-resource:loc.messages.CouldNotFetchAccessTokenforMSIDueToMSINotConfiguredProperlyStatusCode",
     "CouldNotFetchAccessTokenforMSIStatusCode": "ms-resource:loc.messages.CouldNotFetchAccessTokenforMSIStatusCode",
-    "ExpiredServicePrincipal": "ms-resource:loc.messages.ExpiredServicePrincipal"
+    "ExpiredServicePrincipal": "ms-resource:loc.messages.ExpiredServicePrincipal",
+    "UploadingToStorageBlobsAuthenticationFailed": "ms-resource:loc.messages.UploadingToStorageBlobsAuthenticationFailed",
+    "SettingVMExtensionFailedwithAuthentication": "ms-resource:loc.messages.SettingVMExtensionFailedwithAuthentication"
   },
   "_buildConfigMapping": {
-    "Default": "1.249.0",
-    "Node20_229_6": "1.249.1"
+    "Default": "1.251.0",
+    "Node20_229_6": "1.251.1"
   }
 }