Building images on Azure with Packer I have discovered some things that might be useful to others:
Cannot locate resource group means something else
Error when doing Azure Managed Disk builds:
Build ‘azure-arm’ errored: Cannot locate the managed image resource group <your RG>
What Packer really means is that your credentials are wrong. Check your values for client_id and client_secret. Remember that it is the Application ID that is your client_id, not the name or the object ID.
“full access to this subscription” is not really necessary
The Packers docs state:
“The service principal specified in client_id must have full access to this subscription, unless build_resource_group_name option is specified in which case it needs to have owner access to the existing resource group specified in build_resource_group_name parameter.”
First of all; “full access” is not the name of a role in Azure IAM. Since they go on to mention “owner”, which is a role, later on when discussing the use of a pre-existing resource group, I assume that owner is what they mean. But the Packer service principal does not need owner. It just needs permissions to perform the creation and deletion of resources at the right level. Contributor works fine.
Remember thy OS
Packer commands must use double quotes on Windows and single quotes on Linux. Simple, right? Yet so hard to remember. AFAICT this is mentioned only once in the Packer docs, in the Intro section, but not in the Template User Variables section. Even the help output of packer.exe (1.2.) on Windows is wrong:
-var 'key=value' Variable for templates, can be used multiple times.
Will work on Linux, but not on Windows:
$ packer build \ -var 'aws_access_key=YOUR ACCESS KEY' \ -var 'aws_secret_key=YOUR SECRET KEY' \ example.json
Will work on Windows, but not on Linux:
PS> packer build \ -var "aws_access_key=YOUR ACCESS KEY" \ -var "aws_secret_key=YOUR SECRET KEY" \ example.json
Windows images require client_id and object_id
The object_id configuration option is not listed under the required section of the Azure builder, but if you are building a Windows image it is in fact required. This is explained in the object_id explanation, but should be made more clear. After all, if object_id is missing; Packer will not tell you that. Rather it will give you this:
==> azure-arm: ERROR: -> BadRequest : An invalid value was provided for ‘accessPolicies’.
object_id takes as its value the actual object id of the service principal that Packer is using. So client_id needs the application id and object_id needs the object id. What seems strange to me here is that Packer already knows the application id of its service principal and could easily get the object id from that by querying the graph. This is turn could make the whole issue with providing object_id redundant. Packer could just figure it out. This issue is discussed more in this link. If you have the wrong value in object_id you might see this error:
Failed to fetch secret from <KV Name>/packerKeyVaultSecret, HTTP status code=403 (Forbidden)
This is because Packer uses the value provided for object_id in the KeyVault access policy, which is accepted by the Azure ARM API (after all, it is just a GUID), but does not work in the next step when Packer tries to retrieve the value of the secret. Again, the solution is to set the correct value for object_id. People talk more about this issue here.
Happy Packing!
