[BUG]Error assigning role to service principal, exiting... #188

Open
SridharArrabelly opened this issue Oct 6, 2024 · 16 comments · May be fixed by #217
Labels
bug Something isn't working

Comments

@SridharArrabelly

Describe the bug
I followed the steps as explained in the deployment guide. It appears the provisioning of services has completed successfully, but there is a problem with assigning roles afterwards.

To Reproduce
Steps to reproduce the behavior:

  1. run bash deploy.sh -p deploy.parameters.json
  2. you will see the error as in the attached screenshot.

Screenshots
Screenshot 2024-10-06 164042

Desktop (please complete the following information):

  • OS: Windows 11
  • Bicep: 0.30.23

Additional context
Resource group and OpenAI are in the same subscription.

@SridharArrabelly SridharArrabelly added the bug Something isn't working label Oct 6, 2024
@timothymeyers
Contributor

@SridharArrabelly - can you verify that your user (or service principal executing the deployment) has the Role Based Access Control (RBAC) Administrator role assigned on your subscription?

I've found this is generally the issue, where this role is either not assigned or is limited in scope to particular resources.

@DOliana

DOliana commented Oct 8, 2024

I had a similar issue - for me restarting the deployment helped. It seems there are some timing issues. Also at some point the issue was that the nodes in the AKS cluster were still starting.

@soon-nl

soon-nl commented Oct 8, 2024

> I had a similar issue - for me restarting the deployment helped. It seems there are some timing issues. Also at some point the issue was that the nodes in the AKS cluster were still starting.

Having the same error. Did you just run bash deploy.sh -p deploy.parameters.json again?

@SridharArrabelly
Author

SridharArrabelly commented Oct 9, 2024

@DOliana @soon-nl redeploying/running again didn't work.
@timothymeyers I can confirm that I have the Role Based Access Control (RBAC) Administrator role. Please see attached.

Screenshot 2024-10-09 062044

@DOliana

DOliana commented Oct 21, 2024

> > I had a similar issue - for me restarting the deployment helped. It seems there are some timing issues. Also at some point the issue was that the nodes in the AKS cluster were still starting.
>
> Having the same error. Did you just run bash deploy.sh -p deploy.parameters.json again?

yes exactly. rerunning it did the trick for me.

@puneetpawaia

puneetpawaia commented Dec 27, 2024

@DOliana rerun didn't work for me either.
Anything else I can do?
I am the subscription owner but I still have given the RBAC admin permission to myself. I am also the subscription owner.

@guybartal

Running it again many times didn't work for me; I'm also directory and subscription admin.

btw, added some traces to the deployment script and the scope looks empty, might be the cause?

Deployment name: graphrag-deploy-2025-01-01_18-31-00
Assigning 'Cognitive Services OpenAI Contributor' role to managed identity... 
servicePrincipalId: a7ffbae6-bae6-4faf-b137-b80743fbf256
scope: 
 ________________________________
/  Uh oh, an error has occurred. \
\  Please see message below.     /
 ‾‾‾‾‾‾‾‾‾‾/‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
          /
      __ /
     /  \
    ~    ~
   / \  /_\
   \o/  \o/
    |    |
    ||   |/
    ||   ||
    ||   ||
    | \_/ |
    \     /
     \___/

Error assigning role to service principal, exiting...

@guybartal

I've tried to manually assign role to this principal, and it worked and also solved my indexing issue:

image

@guybartal

I've found the problem: if your OpenAI service is deployed into another subscription, the scope is empty. You need to pass the subscription id to the following line:

```bash
local scope=$(az cognitiveservices account list --subscription=$GRAPHRAG_API_SUBSCRIPTION --query "[?contains(properties.endpoint, '$GRAPHRAG_API_BASE')] | [0].id" -o tsv)
```

and introduce this new GRAPHRAG_API_SUBSCRIPTION key in deploy.parameters.json
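
The empty-scope failure discussed in this thread can be caught before any role assignment is attempted. The sketch below is an added example, not part of the comment above and not code from deploy.sh. The function names `resolve_aoai_scope` and `assign_aoai_role` are hypothetical, and the optional subscription argument stands in for the proposed `GRAPHRAG_API_SUBSCRIPTION` value.

```bash
# Added example, not code from deploy.sh. Function names are hypothetical.

# Print the ARM id of the Azure OpenAI account whose endpoint contains $1.
# $2 (optional) is the subscription that hosts the account.
resolve_aoai_scope() {
  local endpoint subscription scope
  endpoint="$1"
  subscription="${2:-}"
  # The endpoint is spliced into a JMESPath string literal, so refuse quotes.
  case "$endpoint" in
    ''|*\'*) echo "invalid endpoint value" >&2; return 1 ;;
  esac
  set -- cognitiveservices account list \
    --query "[?contains(properties.endpoint, '$endpoint')] | [0].id" -o tsv
  if [ -n "$subscription" ]; then
    set -- "$@" --subscription "$subscription"
  fi
  scope=$(az "$@") || return 1
  # No match yields empty output; accept only a single-account resource id.
  case "$scope" in
    /subscriptions/*/providers/Microsoft.CognitiveServices/accounts/*)
      printf '%s\n' "$scope" ;;
    *)
      echo "no Azure OpenAI account found for $endpoint" >&2; return 1 ;;
  esac
}

# Assign the role only when a concrete account-level scope was resolved.
assign_aoai_role() {
  local principal_id scope
  principal_id="$1"
  scope=$(resolve_aoai_scope "$2" "${3:-}") || return 1
  az role assignment create --role 'Cognitive Services OpenAI Contributor' \
    --assignee "$principal_id" --scope "$scope" >/dev/null
}
```

Because the scope must match an account-level resource id, a failed lookup stops the script with a specific message instead of reaching `az role assignment create` with an empty `--scope`.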

@puneetpawaia

Hi @guybartal, my OpenAI service is in the same subscription but in a different resource group. Can you help me with adding the trace to print out servicePrincipalId as you have done so that I can add the role directly to the service? Or should I move the service to the same resource group?

@puneetpawaia

Did some more exploring and found that in my case
AZURE_DEPLOY_RESULTS in the deployAzureResources function is coming out to be empty. For both a fresh run and for a rerun. Tested this with OpenAI service in different resource groups and in the same resource group.

@puneetpawaia

Hi @markmassad, can you check if AZURE_DEPLOY_RESULTS contains some value or if it is blank as it is for me? This is the same message I get.

@markmassad

markmassad commented Jan 4, 2025

Hello @puneetpawaia, I didn't check that... but I see the error is in: az role assignment create --role 'Cognitive Services OpenAI Contributor' --assignee [SPObjectID] --scope '/subscriptions/[SUBID]/resourceGroups/openAI/providers/Microsoft.CognitiveServices/accounts/openai1a'

I tried several variations of that command and none of them added the role assignment. For whatever reason, I could ONLY add the assignment to the SP using the Portal. Go figure??? Maybe a bug in the Az fabric?

BTW: I deleted a comment as it was a side effect of this issue here on the role assignment creation and didn't want to muddy the water.

@puneetpawaia

Hi @markmassad, if I understand correctly, this code is at line 422 in function assignAOAIRoleToManagedIdentity of deploy.sh.
Unfortunately, I don't get to this code in my case. I get the error while the deployment is processing main.bicep. My error comes from line 362, which is before assignAOAIRoleToManagedIdentity gets called in line 366.

@guybartal

guybartal commented Jan 6, 2025 via email

@guybartal

@puneetpawaia, in case this PR doesn't help you, I suggest you share the error captured in the deployment from Azure Portal.
