I'm trying to create a resource group and then deploy a Cosmos DB account using the Azure CLI installed on Ubuntu 20.
I keep getting an authorisation failed error (The client XXXX with object id XXXX does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope.....)
Similar error when I try to create service principal with RBAC
I'm an Owner on the subscription, and it works with no problem in the cloud shell.
I logged in with az login
The The client XXXX with object id XXXX does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope.....) error is because you do not have access to read the resource group which is due to role issue.
So, either give contributor role which has privilege to manage all resources or Cosmos DB Account Reader Role which has Privilege to get or list resource group.
But to assign any role, you need to have user administrator or owner role.
Reference- role-based-access-control-built-in-roles.
Related
I'm trying to establish a connection to an Azure SQL Database via a service principal (through a PowerShell script).
I believe I have followed the guidance issued by Microsoft but the connection cannot be established. My current configuration is:
Azure SQL Server has an AAD administrator set up (AAD group)
The AAD Group contains a service principal account (manually created)
Azure SQL Server has a system managed identity (and has the Directory Reader role assigned to it)
It's my understanding that I do not need to explicitly execute CREATE USER for the service principal as it is already a member of the AAD Group which is an admin on the Azure SQL Server.
I've tried Azure CLI and AZ module commands, both to no avail.
As an example:
az login --service-principal -u "***" -p="***" --tenant "***"
$accessToken = az account get-access-token --resource https://database.windows.net --query accessToken
Invoke-Sqlcmd -ServerInstance "***.database.windows.net" -Database "***" -AccessToken $accessToken -Query "SELECT GETUTCDATE()"
The above generates an error on Invoke-Sqlcmd Invoke-Sqlcmd: Login failed for user '<token-identified principal>'
I've also tried sanitising the access token (as noticed it started/ended with "), and in doing so the error was broadly the same, however it did report the actual service principal (by ID)
$accessToken = $accessToken -replace """", ""
Produced the error Invoke-Sqlcmd: Login failed for user '***#***'
Issue was caused because of the role assignments "Reader role" to the service principal
While establish a connection to an Azure SQL Database via a service principal two things we need to do
Add contributor role to Service Principal Id
Allow port 1433 from the sql server firewall with allowed network IP range.
Upon role assignment tested with Azure Data Studio. Able to connect with out any issues.
NOTE: Make sure firewall rule need to allow along with 1433 port.
Updates:
Need to create a user with service principal name on database along with db_owner role
create user from EXTERNAL PROVIDER
ALTER ROLE DB_OWNER ADD MEMBER servicePrincipalName>
Service Principal App Permissions needs to provide from Azure Active Directory to access via service principal account
Please refer to Thomas Thornton article.
Query Azure SQL Database using Service Principal with PowerShell – Thomas Thornton
I have a python script running on an Ubuntu Linux virtual machine that needs to access a KeyVault in Azure. If have configured the following environment variables based on an "App Registration".
AZURE_CLIENT_ID=<Client ID from App Registration>
AZURE_TENANT_ID=<Tenent ID from App Registration>
AZURE_CLIENT_SECRET=<SECRET Created in App Registration>
When I try accessing the KeyVault I get an access denied error.
Code: Forbidden
Message: The user, group or application 'appid=<APP_ID>;oid=
<GUID_VALUE>;iss=https://sts.windows.net/<GUID_VALUE>/' does not have secrets get permission
on key vault '<KEY_VAULT_NAME>;location=westus'. For help resolving this issue, please see
https://go.microsoft.com/fwlink/?linkid=2125287
Inner error: {
"code": "AccessDenied"
}
I assume I am getting this, because there is no Role Assignment in the KeyVault, however I may be wrong.
When I try adding a new Role Assignment to the KeyVault, there is no option under "Assign access to" for "App Registration". I tried both "User, Group or Service Principal" and "User Assigned Managed Identity", but it I always get the error "No users, groups, or service principals found.".
What am I missing here?
What am I missing here?
There are a few issues here:
You're trying to assign an RBAC role to an App Registration. What you need to do is assign an RBAC role to the Service Principal. To get the Service Principal Id, you would need to go to Enterprise Applications section in Azure AD and find the Id of your Service Principal (Object ID).
Assigning Reader RBAC role will not do the trick as this role is for managing the Key Vault itself and not the data inside it. There are two ways to solve this:
Use Access Policies: You can define appropriate access policies in your Azure Key Vault to give access to keys, secrets and certificates to your Service Principal.
Use Data RBAC Roles: Instead of using Management RBAC roles (like Reader, Contributor etc.), you will need to use RBAC roles for managing data inside the Key Vault.
Please see this link for more details: https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal.
I'm trying to create subscriptions through an Azure DevOps pipeline on a hosted agent running as a service principal and am receiving the error:
New-AzSubscriptionAlias: /home/vsts/work/1/s/Azure.Automation/Subscriptions/Create-AzureSubscription.ps1:190
Line |
190 | $subscription = New-AzSubscriptionAlias `
| ~~~~~~~~~~~~~~~~~~~~~~~~~
| Operation returned an invalid status code 'Unauthorized'
How do I grant the service principal the required access?
As it is written here in Programmatically create Azure subscriptions with the latest APIs
You must have an Owner role on an Enrollment Account to create a subscription. There are two ways to get the role:
The Enterprise Administrator of your enrollment can make you an Account Owner (sign in required) which makes you an Owner of the Enrollment Account.
An existing Owner of the Enrollment Account can grant you access. Similarly, to use a service principal to create an EA subscription, you must grant that service principal the ability to create subscriptions.
If you need to use a service principal to create a subscription, then you must grant the service principal the Azure RBAC owner role.
You can use the New-AzRoleAssignment command to assign the owner role to your service principal.
To specify a user, use SignInName or Azure AD ObjectId parameters.
To specify a security group, use Azure AD ObjectId parameter. And to specify an Azure AD application, use ApplicationId or ObjectId parameters. The role that is being assigned must be specified using the RoleDefinitionName parameter.
You need to use AzureRmRoleAssignment cmdlet to assign that service principal an Owner role.
We tracked it down to two missing permissions required by the underlying New-AzureRmRoleAssignment cmdlet that is called by the task -
The Service Principal (SPN) used by Azure DevOps to connect to your
Azure subscription requires the Owner role
The same SPN also requires Read directory data permissions to your
Azure AD
There is also a 3rd-party Azure Role Based Access Control task you could use in your azure devops pipeline.
More step by step tutorial, please refer this blog-- Service Principal considerations when using Azure DevOps to manage RBAC on Azure Resource Groups
I am trying to assign role to azure web app using VSTS.
New-AzureRmRoleAssignment -ObjectId 976a5114-xxxx-xxxx-xxxx-7403ef25ac29 -RoleDefinitionName "Reader" -Scope "/subscriptions/4364666b-xxxx-xxxx-xxxx-47158904c439/resourceGroups/devt002RG/providers/Microsoft.Storage/storageAccounts/devt002"
Error :
2019-03-26T09:26:16.5246563Z ##[error]The client 'a78361e3-xxxx-xxxx-xxxx-fb0ced07865c' with object id 'a78361e3-xxxx-xxxx-xxxx-fb0ced07865c' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4364666b-xxxx-xxxx-xxxx-47158904c439/resourceGroups/devt002RG/providers/Microsoft.Storage/storageAccounts/devt002/providers/Microsoft.Authorization/roleAssignments/466c9ad5-xxxx-xxxx-xxxx-c0ff4051db14'.
I am the owner on the subscription 4364666b-xxxx-xxxx-xxxx-47158904c439
Note : Working fine when run using cloud shell.
You should have the owner permission of your subscription first, and then login with the service principal through Azure PowerShell. So you can assign the Reader role to your storage account.
I can reappear the error you got and then achieve your purpose. Below is the screenshot of the process:
The error you got:
Get the owner permission of your subscription and then login with the service principal in a new PowerShell session:
Assign the Reader role to your storage account:
There is an exception but the role has created.
Note: When you are in Azure Cloud Shell, then you already login the Azure with your Azure account in default, not the service principal.
I created a bot with the Microsoft Enterprise Bot Template, and now I want to deploy it to Azure. I am following this guide, but I am getting the following error after the following command
Command :
msbot clone services --name "YOUR_BOT_NAME"
--luisAuthoringKey "YOUR_AUTHORING_KEY"
--folder "DeploymentScripts\LOCALE_FOLDER"
-- location "REGION"
Error:
Command failed: az group create -g MyBot -l "region" --subscription KEY
ERROR: The client 'abcd' with object id '679ebaf5-4345-408c-87ef-
9c3bd2795a94' does not have authorization to perform action
'Microsoft.Resources/subscriptions/resourcegroups/write' over scope
'/subscriptions/abcd/resourcegroups/MyBot'.
this means you lack permissions to perform this action, you need to grant your service principal\user permissions (contributor is the easiest way to solve this) to perform that operation. you can grant them on specific resource group or on the subscription.
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
you need to have contributor access on the resource group that you are creating the bot in.
also ensure that Microsoft.BotService is a registered service on the subscription.