Getting no permission to add Azure roles to the account message.
I am trying to add Azure role assignments to the storage account. I am creating a function app in bicep, and the next step after that is, I want to add the 'Storage Blob Data Owner' role for that application.
This is being executed in Github via github action with a bicep script.
Authorization failed for template resource 'guid' of type 'Microsoft.Authorization/roleAssignments'. The client 'client id' with object id 'client id' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions//resourceGroups/rg-
So the solution is to add create a custom role which has the write persmission, but how do i add that custom role to the function app in bicep
resource roleAssignmentStorage 'Microsoft.Authorization/roleAssignments#2020-04-01-preview' = {
name: guid(subscription().id, principalId, roleDefinitionResourceId)
properties: {
roleDefinitionId: roleDefinitionResourceId
principalId: principalId
principalType: 'ServicePrincipal'
}
}
I dont know how to assign the custom RBAC role i created
Isn't the error coming from the fact that whatever user/application is executing this Bicep template does not have rights to set RBAC permissions?
To assign RBAC permissions in your Bicep template, the principal executing the template needs either the User Access Administrator role or Owner role on the resource/resource group/subscription.
https://learn.microsoft.com/en-us/answers/questions/287573/authorization-failed-when-when-writing-a-roleassig.html
This is the answer i was looking for. Once you create the custom role, as mentioned in the link, you need to create the new credentials using the a new service principal. Like:
az ad sp create-for-rbac --name newServicePrincipal --role 'custom contributor' --scopes /subscriptions/id --sdk-auth
The output of this needs to be saved as the new Azure credentials in your Github Repo, thats how the service principal which runs the github actions gets linked to the custom contributor. I missed that part.
Related
Rukmini, the SP has contributor role on the subscription not sure why it is erroring and it worked after ading it in a Reader role?
Here is a snapshot
I am trying some operations from az cli(terraform commands) getting the following error:
The client '87c92100-.....' with object id '87c92100....' does not
have authorization to perform action
'Microsoft.Resources/subscriptions/resourcegroups/read' over scope
'/subscriptions/f151ee3f-4725-......../resourcegroups/tfmainrg' or the
scope is invalid
I searched everywhere, RG, AAD, storage account....not able to find where this object or client resdes. Can you please tell me how can I find what object is this? Thanks
I tried to reproduce the same in my environment and got the same error as below:
The error "Authorization Failed" usually occurs if the user does not have access/role to read the resource group.
To resolve the error, make sure to assign Reader role to the user in the subscription level like below:
Go to Azure Portal -> Subscriptions -> Select your subscription -> Access control (IAM) -> Add role assignment -> Select Reader
You can also use az cli to assign the Reader role to the user by using below command:
The Owner or User administrator role is required to assign any role.
So, use another tenant level Owner to assign the role.
az role assignment create --assignee-object-id UserObjectID --scope subscriptions/SubscriptionID --role reader
The reader role successfully granted to the user like below:
After assigning the role, I am able to read the resource group successfully:
az group show -n ResourceGroupName
Based on your further requirement you can assign the roles by referring to the below MsDoc:
Azure built-in roles - Azure RBAC
I have created a Service Principal with the following access:
Contributor role on subscription
Global administrator role on AAD tenant
Consented Microsoft Graph API permissions:
Group.Read.All
User.Read.All
While authenticated with this SP, I am trying to assign Azure service roles to AAD groups. For example:
resource "azurerm_role_assignment" "storage_account_admin" {
scope = azurerm_storage_account.my_storage.id
role_definition_name = "Storage Blob Data Owner"
principal_id = data.azuread_group.my_group.object_id
}
When trying to apply this, Terraform throws an authorisation error from Azure:
The client '...' with object id '...' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/...' or the scope is invalid. If access was recently granted, please refresh your credentials.
I am able to create this resource with my user Azure account, which has the Owner role. Do I need to elevate my Service Principal to Owner -- that seems a bit dangerous -- or is there a more specific way of resolving this?
The reason you are getting this error is because the Contributor role does not include authorization related permissions like role assignments.
To fix this error, either assign Owner role to your Service Principal or add User Access Administrator role to the Service Principal.
I am creating azure keyvault using .net core 2.1 with OpenIdConnect with following AccessPolicies
AccessPolicies = new List<AccessPolicyEntry>()
{
new AccessPolicyEntry
{
TenantId = Guid.Parse(tenantId),
ObjectId = objectId,
Permissions = new Permissions
{
Secrets = new List<string> { "all" },
Keys = new string[] { "all" },
Certificates = new string[]{"all" }
}
}
}
using that, now, I can create keyvault but while go to newly created keyvault(in Azure portal) settings blade {Key,Secrete,Certificate} it shows warning
"The operation "List" is not enabled in this key vault's access policy."
Note :- As shown in above code "All permission are given".I can see it in azure portal.
What I have tried :-
I have tried to refer following stack-overflow already question-answer
Azure Keyvault - "Operation "list" is not allowed by vault policy" but all permissions are checked
How do I fix an "Operation 'set' not allowed" error when creating an Azure KeyVault secret programmatically?
according to above stackoverflow answer(s) "need to pass the object ID of the service principal of the Azure AD application instead of object ID of your Azure AD application".
I have tried to find out object ID of the service principal of the azure AD application using following powershell script
Get-AzADServicePrincipal -ServicePrincipalName "<app client ID>"
it gives following result
I have tried to use "Id"(in above screenshot) in objectId of AccessPolicyEntry but it not solved problem.
Question :-
Is any other permission need to set in AccessPolicyEntry?
What should be the objectID in AccessPolicyEntry(currently, I am giving obectId of Azure AD application)?
If needed objectId of service princpal. how can get it programmatically?
Well, I can reproduce your issue on my side.
First, the operation pass the object ID of the service principal instead of object ID of your Azure AD application is completely correct. After giving all the permissions to the service principal in the Access policies, the service principal will have the permissions.
But when you check the keyvault in the portal, you are using your user account which login the azure portal instead of the service principal, it caused the warning.
So if you want to fix the warning, just add your user account in the Access policies via + Add Access Policy button in the portal, or you can specify the object id of your user account in your code with the permissions when creating the keyvault.
Then about your questions:
Is any other permission need to set in AccessPolicyEntry?
No, the permissions are enough.
What should be the objectID in AccessPolicyEntry(currently, I am giving obectId of Azure AD application)?
You should not use the object id of the AD App, your option is to use the object id of the service principal/security group/user account, it depends on your requirement, details here.
If needed objectId of service principal. how can get it programmatically?
You can use the powershell command as you used, or the Azure CLI az ad sp show via the service principal name.
Or if you could use Microsoft Graph SDK for C# along with the filter, something like:
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var serviceprincipals = await graphClient.Serviceprincipals
.Request().
.Filter("some condition").
.GetAsync();
We need to assign the 'User Administrator' role to an already existing service principal to allow updating the password on the users of the b2c tenant.
Using the MSOnline module as described in
B2C Graph API - insufficient permissions even when Directory.ReadWrite.All is enabled
seems to be outdated and doesn't work for us (In powershell core / cloud powershell we only get errors about missing files or assemblies)
Is there a some new way to do that?
What we tried to do is to connect to azure using the right subscription and the b2c tenant set (it complains that the b2c tenant does not have a subscription but one can override that with a cmdline switch: az login --tenant B2C-TENANT-ID --allow-no-subscriptions).
We can see the service principal that is in the b2c tenant and we can get a list of roles (az role definition list --subscription SUBSCRIPTION-ID). But the 'User Administrator' role you can see in the 'Roles and administrators' panel of the Active Directory blade is not a part of these roles. The roles that are printed out are only the roles that are defined in the subscription itself.
Trying to assign the 'User Administrator' role (az role assignment create) yields an error that the role doesnt exist.
Ok so we found a solution - using powershell the following steps were required:
Install-Module AzureAD
Connect-AzureAD -TenantId TENANT-ID
Get-AzureADServicePrincipal -> look for Service principal ObjectId
Get-AzureADDirectoryRole -> look for Helpdesk Administrator
Add-AzureADDireectoryRoleMember -ObjectId ROLE-ID -RefObjectId SERVICE-PRINCIPAL-OID
I am trying to create a Resource Group dynamically using Azure Management SDK
Here are my azure configuration details
subscription=<private-data>
client=<private-data>
key=<private-data>
tenant=<private-data>
managementURI=https://management.core.windows.net/
baseURL=https://management.azure.com/
authURL=https://login.windows.net/
graphURL=https://graph.windows.net/
Here is code for creating Resource
// Credentials
AzureCredentials credentials = new AzureCredentialsFactory()
.FromFile("azureauth.properties");
string resourceName = GetRandomString();
// Create Azure Instance
var azure = Azure
.Configure()
.Authenticate(credentials)
.WithDefaultSubscription();
// Create a Resource Group
azure.ResourceGroups
.Define(resourceName)
.WithRegion(Region.USWest)
.Create();
The error that I got is:
The client 'ae8bc2ea-9680-4f66-934c-ad40b82c30ac' with object id
'ae8bc2ea-9680-4f66-934c-ad40b82c30ac' does not have authorization to
perform action
'Microsoft.Resources/subscriptions/resourcegroups/write' over scope
'/subscriptions/e9d61100-a82a-48ca-b6f8-51b06a1eebe6/resourcegroups/5oxjhjic'.
I have followed steps specified on https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal
As well as I am trying with my Global Administrator account
you cant be trying with global administrator, obviously. you need to go to you subscription and grant objectid 'ae8bc2ea-9680-4f66-934c-ad40b82c30ac' contributor permissions (easy way) or create a custom role (or figure predefined role) that meets your needs.
you can use portal to do that or azure powershell:
New-AzRoleAssignment -ObjectId 'ae8bc2ea-9680-4f66-934c-ad40b82c30ac' -Scope '/subscriptions/e9d61100-a82a-48ca-b6f8-51b06a1eebe6' -RoleDefinitionName contributor
the equivalent Azure CLI command is:
az role assignment create --assignee-object-id ae8bc2ea-9680-4f66-934c-ad40b82c30ac --scope subscriptions/e9d61100-a82a-48ca-b6f8-51b06a1eebe6 --role contributor