Spike
Resolution: Unresolved
High
Description
A warning email was received; this may affect us and needs to be evaluated ASAP to understand the required changes.
Email Received:
Update your permission for ACG image publishing by 15 March 2025
You’re receiving this notice because you use Azure Compute Gallery.
We're conducting important security-related updates that’ll be implemented in the coming weeks to the Azure Compute Gallery (ACG) image creation process that’ll impact your resource(s). These updates will impact your resource(s) if you currently use ACG to create your custom Virtual Machine (VM) images. Immediate action is required to prevent any interruptions in your VM Image publishing process.
Previously, to import a VM into an ACG Image in the same subscription, 'read' access was required on the VM. Additionally, to import a blob into an ACG Image in the same subscription, 'write' access was required on the storage account.
To ensure consistency in security models across VM Image creation workflows, starting 15 March 2025, it will be required to have 'write' access on the source VM and 'listKeys/action' on the storage account during VM Image creation in same subscription workflow (VM/Blob source and Target Image in same subscription). This requirement aligns with other image creation workflows (e.g., VM/Blob source and Target Image in different subscription).
Required action
To prevent VM Image version creation failures when importing VMs and blobs into ACG Image, it’s required that you take the following action by 15 March 2025:
- If you use VMs as source to create ACG Image versions where the source VM and target ACG Image will be created in the same subscription:
  - Please move to using the 'properties.storageProfile.source.virtualMachineId' property, as the old property 'properties.storageProfile.source.Id' will be retiring for VM source. The new property requires Api-version 2023-07-03 or version 1.4.0 (or higher) of .NET SDK.
  - Ensure that the Identity (users/service principal, etc.) creating the Image has the 'write' permission on the source VM.
- If you use blobs as source to create ACG Image versions:
  - If you're using the old property 'properties.storageProfile.[osDiskImage/dataDiskImages].source.Id', you should move to the property 'properties.storageProfile.osDiskImage.source.storageAccountId'. This property requires minimum api-version 2022-03-03.
  - Ensure that the identity (users/service principal, etc.) creating the Image has the Storage Account Contributor role or 'Microsoft.Storage/storageAccounts/listKeys/action'.
Refer to the ACG documentation to learn more about the required permissions on different source types when creating an ACG Image. Please visit [Azure built-in roles|https://learn.microsoft.com/azure/role-based-access-control/built-in-roles] and granting RBAC permissions for additional information. You can review existing permissions on resources using this article.
If you’d like to test the new permission, you can test by adding the following tag to your VM:
- Tag 'acg_allow_capturevm_with_permission' with value 'write'.
- Write: This value will ensure that users can't create an image without 'write' permission on the source VM.
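To scope the change for our own pipelines, the following added helper (not Microsoft's code, written for this spike) takes an existing gallery image version request body, rewrites the retiring 'source.Id' properties to the new 'virtualMachineId' / 'storageAccountId' form described in the notice, and reports the minimum api-version and the RBAC the creating identity will need. The resource IDs and bodies in it are constructed placeholders; only a VM resource ID in 'source.id' is rewritten, so managed-image or gallery sources are left untouched.

```python
"""Rewrite an ACG gallery image version request body to the new source properties.

Added example (not Microsoft's code). Property paths and api-versions are taken
from the notice above; resource IDs below are constructed placeholders.
"""
import copy
import re

# Only a VM resource ID in source.id is affected; managed-image or gallery IDs stay.
VM_ID_RE = re.compile(r"/providers/Microsoft\.Compute/virtualMachines/[^/]+$", re.I)


def migrate_image_version_body(body: dict):
    """Return (new_body, min_api_version, required_permissions) for a PUT on
    Microsoft.Compute/galleries/{g}/images/{i}/versions/{v}. The input is not modified."""
    new = copy.deepcopy(body)
    profile = new.get("properties", {}).get("storageProfile", {})
    min_api = None  # bodies that need no rewrite need no api-version bump
    perms = []

    # VM source: properties.storageProfile.source.id -> virtualMachineId (api 2023-07-03)
    src = profile.get("source", {})
    if "id" in src and VM_ID_RE.search(src["id"]):
        src["virtualMachineId"] = src.pop("id")
        min_api = "2023-07-03"
        perms.append("Microsoft.Compute/virtualMachines/write on " + src["virtualMachineId"])

    # Blob source: [osDiskImage|dataDiskImages[]].source.id -> storageAccountId (api 2022-03-03)
    for disk in [profile.get("osDiskImage"), *profile.get("dataDiskImages", [])]:
        dsrc = (disk or {}).get("source", {})
        if "id" in dsrc and "uri" in dsrc:  # blob sources carry a uri next to the account id
            dsrc["storageAccountId"] = dsrc.pop("id")
            min_api = max(min_api or "", "2022-03-03")  # ISO dates compare correctly as strings
            perms.append("Microsoft.Storage/storageAccounts/listKeys/action on " + dsrc["storageAccountId"])
    return new, min_api, sorted(set(perms))


# Constructed sample bodies (placeholder subscription and resource names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-images"
OLD_VM_BODY = {"location": "westeurope", "properties": {"storageProfile": {
    "source": {"id": SUB + "/providers/Microsoft.Compute/virtualMachines/vm-golden"}}}}
OLD_BLOB_BODY = {"location": "westeurope", "properties": {"storageProfile": {
    "osDiskImage": {"source": {
        "id": SUB + "/providers/Microsoft.Storage/storageAccounts/stimages",
        "uri": "https://stimages.blob.core.windows.net/vhds/golden.vhd"}}}}}

if __name__ == "__main__":
    for body in (OLD_VM_BODY, OLD_BLOB_BODY):
        print(migrate_image_version_body(body))
```

Run it over the bodies your pipeline actually sends; anything returned with a non-empty permission list is a workflow that breaks on 15 March 2025 unless the identity is granted the listed RBAC and the call uses at least the returned api-version.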