Using a Shared Image Gallery from another tenant with an ARM template.

Meade, Mitch 1 Reputation point
2020-07-27T16:13:11.267+00:00

We are using ARM templates to deploy components to customer tenants, and we would like to utilize a Shared Image Gallery in our management tenant to deploy virtual machines to customer tenants. I have successfully created a Shared Image Gallery, built a test image and version, deployed the VM using CLI and PowerShell but I’ve been unsuccessful in building an ARM template to do the same. Since our deployment system is based on ARM templates, I need to find a way to deploy a VM from a SIG to another tenant.

I have a test service principal in both tenants, and I authenticate with both tenants prior to deploying the ARM template. I know the security is correct as it’s successful using PowerShell or CLI.

The shared image gallery image is referenced from the ARM template:

    "storageProfile": {
      "imageReference": {
        "id": "/subscriptions/<sourceSubscriptionID>/resourceGroups/<sourceResourceGroupName>/providers/Microsoft.Compute/galleries/<sourceGalleryName>/images/<sourceImageName>/versions/<sourceVersion>"
      }
    },

When I deploy this ARM template, the error message is as follows:

The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/<targetSubscriptionId>/resourcegroups/<targetResourceGroupName>/providers/Microsoft.Compute/virtualMachines/<newVMName>', however the current tenant <sourceTenantId> is not authorized to access linked subscription <sourceSubscriptionID>.

Is this possible with ARM? Has anyone seen samples on how to accomplish this by using ARM templates?

Most of my research is based on the MS article:

https://learn.microsoft.com/en-us/azure/virtual-machines/windows/share-images-across-tenants

Has anyone been successful deploying a SIG image through an ARM template?

Mitch


3 answers

  1. prmanhas-MSFT 17,946 Reputation points Microsoft Employee Moderator
    2020-07-28T11:45:35.873+00:00

    @MeadeMitch-4080 Thank you for your query.

    You will not be able to use the cross tenant reference in an ARM template. The reason for this is because there is no mechanism to authenticate against both tenants at once using your service principal in the ARM template.

    You may be able to set up something using an Azure function that runs on a timer to populate the images you want to share in your customer subscriptions.

    Do let me know if you have further queries regarding the same.

    Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics


  2. Anonymous
    2020-10-17T00:19:14.073+00:00

    This should work using CLI az group deployment --aux-subs or --aux-tenants

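
    The sequence the answer above points at, written out as an added example (not code from the question or any answer): sign in to both tenants with the one service principal the question describes, confirm the principal can actually read the image version in the source tenant, then deploy the template with the auxiliary tenant attached. It uses the current command name `az deployment group create`, which carries the same `--aux-tenants` flag; the GUIDs, resource names and the `imageId` template parameter are placeholders.

```shell
#!/bin/sh
# Added example, not from the question or the answers: deploy an ARM template into
# the customer (target) tenant while imageReference.id points at a Shared Image
# Gallery version in the management (source) tenant. Assumes one service principal
# registered in both tenants with read on the image version (the setup described
# in the question). All IDs and the template parameter name are placeholders.
set -eu

# Tenant and subscription IDs are GUIDs; reject anything else before it reaches az.
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Build the image-version resource ID in the exact form the template's
# storageProfile.imageReference.id expects.
sig_version_id() {
  is_guid "$1" || { echo "invalid subscription id: $1" >&2; return 1; }
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/galleries/%s/images/%s/versions/%s\n' \
    "$1" "$2" "$3" "$4" "$5"
}

deploy() {
  is_guid "$SOURCE_TENANT" && is_guid "$TARGET_TENANT" || { echo "invalid tenant id" >&2; return 1; }
  image_id=$(sig_version_id "$SOURCE_SUB" "$SOURCE_RG" "$GALLERY" "$IMAGE" "$VERSION")

  # Sign in to both tenants with the same principal; the CLI keeps both tokens.
  az login --service-principal -u "$APP_ID" -p "$APP_SECRET" --tenant "$SOURCE_TENANT" >/dev/null
  az login --service-principal -u "$APP_ID" -p "$APP_SECRET" --tenant "$TARGET_TENANT" >/dev/null
  az account set --subscription "$TARGET_SUB"

  # Pre-flight: prove the principal can read the version in the source tenant.
  # If this fails, fix the RBAC grant on the source side before touching the template.
  az sig image-version show --ids "$image_id" --query id -o tsv

  # --aux-tenants attaches an auxiliary token for the source tenant, which is
  # what the bare template deployment in the question was missing.
  az deployment group create \
    --resource-group "$TARGET_RG" \
    --template-file "$TEMPLATE" \
    --aux-tenants "$SOURCE_TENANT" \
    --parameters imageId="$image_id"   # imageId is an assumed template parameter
}

# Only run the live deployment when explicitly requested, so the helpers above
# can be sourced and checked without Azure access.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  deploy
fi
```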

  3. Jayme Johnston 1 Reputation point
    2021-11-19T16:43:14.997+00:00

    I am having the same basic issue, but I am trying to do this via the frontend UI (ARM managed-applications) combined with Bicep. I am trying to deploy a VM with the same storageProfile -> imageReference -> id reference as above. When it deploys it fails with the message (ref):

    Message: The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope <resourceID>, however the current tenant <tenantID> is not authorized to access linked subscription <subscriptionID>.
    Cause: The virtual machine or scale set was created through a gallery image in another tenant. You've tried to make a change to the virtual machine or scale set, but you don't have access to the subscription that owns the image.
    Workaround: Contact the owner of the subscription of the image version to grant read access to the image version.

    Is there any way to make this work using the ARM managed-applications Templates as a portal deployment? I briefly looked at using Scope to resource group or something similar, but I can't seem to make it work.

    Does anyone have any examples of ARM managed-applications combined with Bicep?
