Error: LinkedAuthorizationFailed on configuring AppGW - azure

I deployed infrastructure using this repo. The logs of my application gateway pod look like:
Event(v1.ObjectReference{Kind:"Pod", Namespace:"kube-system", Name:"ingress-appgw-deployment-bf6785d8d-87lgm", UID:"uiuiduid-4dff-4496-ba43-0ed031542ed7", APIVersion:"v1", ResourceVersion:"102567", FieldPath:""}): type: 'Warning' reason: 'FailedApplyingAppGwConfig' network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' with object id 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' has permission to perform action 'Microsoft.Network/applicationGateways/write' on scope '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev'; however, it does not have permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/xxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-agw-keyvault-kubota-dev' or the linked scope(s) are invalid."
This issue is similar to mine, and I ran:
az role assignment create --role "Managed Identity Operator" --assignee xxxxxxxx-551c-46a7-b1c2-e4eb093784ce --scope /subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev
and the permission was added successfully:
But the error mentioned in the application gateway logs is still present.
Not sure what the cause is. Any pointers would be helpful.

Event(v1.ObjectReference{Kind:"Pod", Namespace:"kube-system", Name:"ingress-appgw-deployment-bf6785d8d-87lgm", UID:"uiuiduid-4dff-4496-ba43-0ed031542ed7", APIVersion:"v1", ResourceVersion:"102567", FieldPath:""}): type: 'Warning' reason: 'FailedApplyingAppGwConfig' network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' with object id 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' has permission to perform action 'Microsoft.Network/applicationGateways/write' on scope '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev'; however, it does not have permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/xxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-agw-keyvault-kubota-dev' or the linked scope(s) are invalid."
According to the above error, the linked scope is invalid.
You have given the incorrect scope ID in your existing Azure CLI command. Thus, you will have to execute the command with the correct scope ID, and only then will you be able to configure the application gateway with the permission of the "Managed Identity Operator" role. Ensure that the below scope for your environment is mentioned in your Azure CLI command and that it is executed once again for the correct scope permission to be valid.
Correct scope:
/subscriptions/xxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-agw-keyvault-kubota-dev
Reference:
application-gateway-kubernetes-ingress/appgw-ssl-certificate.md at master · Azure/application-gateway-kubernetes-ingress (github.com)

Related

Azure DevOps - Failed to fetch App Service. The client does not have authorization to perform action 'Microsoft.Web/sites/read'

I have an Azure DevOps pipeline that is using the task AzureFunctionApp#1 to deploy a function app.
The pipeline is using a Service Connection with a principal called devops-intg-nurseryfees-nonprod. If I check the IAM blade for the resource group of the function app, I can see that the principal has a Current role assignment of a custom role that contains an action of Microsoft.Web/sites/*
However, when the devops task runs, I get the following error:
Failed to fetch App Service 'func-nurseryFees-dev-001' details. Error: The client 'svc-principal-guid' with object id 'svc-principal-guid' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/subscription-guid/resourceGroups/rg-nurseryFees-dev-001/providers/Microsoft.Web/sites/func-nurseryFees-dev-001' or the scope is invalid. If access was recently granted, please refresh your credentials. (CODE: 403)
Any ideas?
The error message gave two possible causes. I'd focused on the first ("does not have authorization"), but it turned out the problem was "the scope is invalid".
There was a typo in the name of the resource group.
Note, the "true" scope string of a function app can be found in the Azure portal by clicking the "JSON View" link in the top-right of the overview page:
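Both the gateway post and the function app post above share one failure pattern: the scope named in the error is not the scope the role was actually granted on (a sibling resource in the first case, a misspelled resource group in the second). The following added example, which is not code from either post or from Microsoft, parses the two error forms, diffs the error's scope against the granted scope segment by segment, and builds the corrective `az role assignment create` command; `diagnose`, `scope_mismatches` and the `ROLE_FOR_ACTION` lookup are the example's own names, and the sample messages are constructed from the masked text quoted above.

```python
import re

# The two ARM error shapes quoted above: LinkedAuthorizationFailed ("on the linked scope(s)") and AuthorizationFailed ("over scope").
CLIENT_RE = re.compile(r"The client '(?P<client>[^']+)'")
LINKED_RE = re.compile(r"does not have permission to perform action '(?P<action>[^']+)' "
                       r"on the linked scope\(s\) '(?P<scope>[^']+)'")
DIRECT_RE = re.compile(r"does not have authorization to perform action '(?P<action>[^']+)' "
                       r"over scope '(?P<scope>[^']+)'")

ROLE_FOR_ACTION = {  # only the action-to-role mapping the posts confirm; other actions get a placeholder
    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action": "Managed Identity Operator",
}

def split_scope(scope):
    """ARM resource IDs are case-insensitive, so compare lower-cased path segments."""
    return [s.lower() for s in scope.strip("/").split("/")]

def scope_mismatches(required, granted):
    """(index, required, granted) for every segment where the granted scope diverges from the error's.
    A grant on a parent scope is inherited, so a granted prefix of the required scope yields []."""
    req, got = split_scope(required), split_scope(granted)
    req += [""] * max(0, len(got) - len(req))  # a grant below the required scope never applies upward
    return [(i, r, g) for i, (r, g) in enumerate(zip(req, got)) if r != g]

def diagnose(message, granted_scope):
    """Parse the error, diff its scope against the granted one and build the corrective command."""
    m = LINKED_RE.search(message) or DIRECT_RE.search(message)
    if not m:
        return None
    cm = CLIENT_RE.search(message)
    client = cm.group("client") if cm else "<assignee>"
    action, scope = m.group("action"), m.group("scope")
    role = ROLE_FOR_ACTION.get(action, f"<role granting {action}>")
    return {
        "action": action,
        "required_scope": scope,  # the scope the control plane actually checked; assign the role here
        "mismatches": scope_mismatches(scope, granted_scope),
        "fix_command": f'az role assignment create --role "{role}" --assignee {client} --scope {scope}',
    }

# Constructed samples built from the masked messages quoted in the two posts.
APPGW_MESSAGE = ("The client 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' does not have permission to perform action "
                 "'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) "
                 "'/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers/"
                 "Microsoft.ManagedIdentity/userAssignedIdentities/id-agw-keyvault-kubota-dev'")
APPGW_GRANTED = ("/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/"
                 "Microsoft.Network/applicationGateways/agw-kubota-dev")  # the scope the asker's az command used
FUNC_MESSAGE = ("The client 'svc-principal-guid' with object id 'svc-principal-guid' does not have authorization to perform action "
                "'Microsoft.Web/sites/read' over scope '/subscriptions/subscription-guid/resourceGroups/rg-nurseryFees-dev-001/"
                "providers/Microsoft.Web/sites/func-nurseryFees-dev-001' or the scope is invalid.")
```

Run `diagnose(APPGW_MESSAGE, APPGW_GRANTED)` to see the first divergence at the provider segment (`microsoft.managedidentity` vs `microsoft.network`), which is exactly why the assignment on the gateway did not satisfy the linked-scope check.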

AuthorizationFailed while using AZ CLI

Today I tried to perform an action on Azure ADF using the CLI (the portal for that subscription can only be used as "read"). The Azure CLI is installed on an Azure VM that, via managed identity, has received the Contributor role on the whole subscription. Running the command ended with AuthorizationFailed.
After logging into the Azure CLI with az login -i
and running the command az datafactory configure-factory-repo:
(AuthorizationFailed) The client 'CLIENT_ID' with object id
'CLIENT_ID' does not have authorization to perform action
'Microsoft.DataFactory/locations/configureFactoryRepo/action' over scope
'/subscriptions/SUBSCRIPTION_ID' or the scope is invalid.
If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed Message: The client 'CLIENT_ID'
with object id 'CLIENT_ID' does not have authorization to
perform action 'Microsoft.DataFactory/locations/configureFactoryRepo/action' over scope
'/subscriptions/SUBSCRIPTION_ID' or the scope is invalid. If access
was recently granted, please refresh your credentials.
I have checked, and the VM's Contributor role has Microsoft.DataFactory/locations/configureFactoryRepo/action.
What else should I check? (I have no access to Azure AD.)
Edit:
CLIENT_ID is equal to principalId of VM from which I'm running commands.
I assume that CLIENT_ID and SUBSCRIPTION_ID are actually real values and you have replaced them so as not to disclose them here, correct?
To be sure that you are in the correct context you could first issue 'az account show' after you logged in using 'az login -i'. Is the response to that what you expected?
-- Edit --
The client ID should be the client ID of the managed identity, also sometimes referred to as App ID (same thing). So when you log in with -i I believe it should be the same output as when you do the az account show. So that's a good thing.
Then I kind of get the feeling that it is a scope error. It looks a lot like you ran into this, and it's by design as of now. But have a look at lmicverm's comment. You might use the other call (Create or update Factory) as a workaround?

Receiving error while running GitHub workflow

I am trying to run a simple Terraform workflow within a GitHub Actions workflow, following the below article, but am receiving an error.
Error: Failed to get existing workspaces: Error retrieving keys for Storage Account "xxxxx": azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/***/resourceGroups/XXXXXX/providers/Microsoft.Storage/storageAccounts/xxxx/listKeys?api-version=2016-01-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"AADSTS90002: Tenant '***' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator.\r\nTrace
Can someone guide me on what I am missing here? I am very new to this and this is my first project.
How are you authenticating against Azure with the azurerm Terraform provider?
We normally use these ENV variables for GitHub Actions or Azure DevOps Pipelines:
export ARM_SUBSCRIPTION_ID=VALUE
export ARM_TENANT_ID=VALUE
export ARM_CLIENT_ID=VALUE
export ARM_CLIENT_SECRET=VALUE

Failed to get access token by using service principal while connecting to an ADLS location from ADF pipeline

I am trying to deploy an ARM template for ADF using Azure DevOps CI/CD
The deployment was successful but while trying to test the linked services, I am not able to connect successfully.
The linked service is to connect to an ADLS location under the same subscription; the authentication method is service principal, using a key vault secret name to get the connection.
The key vault is also under the same subscription and resource group.
While trying to connect the LS to ADLS location I am getting the below error.
Failed to get access token by using service principal. Error: invalid_client, Error Message: AADSTS7000215: Invalid client secret is provided.
Trace ID: 67d0e882-****-****-****-***6a0001
Correlation ID: 39051de7-****-****-****-****6402db04
Timestamp: 2020-11-** **:**:**Z Response status code does not indicate success: 401 (Unauthorized). {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: 67d0e882-****-****-****-***6a0001\r\nCorrelation ID: 39051de7-****-****-****-****6402db04\r\nTimestamp: 2020-11-** **:**:**Z","error_codes":[7000215],"timestamp":"2020-11-** **:**:**Z","trace_id":"67d0e882-****-****-****-***6a0001","correlation_id":"39051de7-****-****-****-****6402db04","error_uri":"https://login.microsoftonline.com/error?code=7000215"}: Unknown error .
AADSTS7000215: Invalid client secret is provided.
The linked services that connect to clusters are working fine, and their connection secrets are stored in the same key vault.
I was confused that some secrets (for the cluster connection) in the same key vault are working and a few (for the ADLS connection) are not.
I checked the application under the same principal ID in Azure Active Directory, and the secret is valid till 2022.
Any Idea about the root cause of the error and how to resolve the issue?
I have encountered a similar problem before. You need to make sure that the client secret belongs to the application you are using, or you can also try to create a new client secret; it should work for you.

Cannot create Azure AKS cluster: CreateRoleAssignmentError

I attempt to create an AKS cluster in a fresh new subscription. When a cluster is created via the web interface, eventually a CreateRoleAssignmentError error is produced with the following message:
RoleAssignmentReconciler retry timed out: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'foo' with object id 'foo' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/bar/resourceGroups/MC_MyResourceGroup_mycluster_region/providers/Microsoft.Authorization/roleAssignments/az
Note that the cluster is created with a manually created service principal, as per the documentation. This service principal has an "Owner" role on all Resource Groups within the subscription.
Note also that the reason I had to create a service principal manually is that the cluster could not be created otherwise in the first place. When I attempted to create a cluster without explicitly specifying a service principal (that is, requesting a new one to be created automatically), another error was produced:
The credentials in ServicePrincipalProfile were invalid. Please see https://aka.ms/aks-sp-help for more details. (Details: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'foo' was not found in the directory 'bar'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 9ec6ed81-892d-4592-b7b5-61842f5c1200\r\nCorrelation ID: bffbb112-7348-4403-a36f-3010bf34e594\r\nTimestamp: 2019-07-13 15:48:02Z","error_codes":[700016],"timestamp":"2019-07-13 15:48:02Z","trace_id":"9ec6ed81-892d-4592-b7b5-61842f5c1200","correlation_id":"bffbb112-7348-4403-a36f-3010bf34e594","error_uri":"https://login.microsoftonline.com/error?code=700016"})
I am doing these operations on a fresh new account and a subscription using an "initial" admin user, so I would suppose all permissions should be in place all right. What can explain the errors above?
As the OP asks, here's the answer. In order to create resources in Azure (doesn't matter which resources) you need permissions of type provider/resource/write. The same goes for edits. This basic principle applies to all the resources out there. Now let's compare Owner and Contributor:
I have an AKS template that needs the Contributor role to work, plus this custom role:
# Start from the built-in Virtual Machine Contributor definition and turn it into a new custom role
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null          # a null Id makes New-AzureRmRoleDefinition create a new role rather than update the built-in one
$role.Name = "Assign AKS permissions to the vnet"
$role.Description = "Assign AKS permissions to the vnet for the inflation process"
$role.Actions.Clear()     # drop the inherited VM actions; this role grants exactly one action
$role.Actions.Add("Microsoft.Authorization/roleAssignments/write")
$role.AssignableScopes.Clear()   # custom roles cannot keep the built-in "/" scope; pin them to your subscription
$role.AssignableScopes.Add("/subscriptions/<SUBSCRIPTION_ID>")
New-AzureRmRoleDefinition -Role $role   # register the custom role so it can be assigned alongside Contributor
AKS clusters created by code using this role + contributor are fully functional.
User Access Administrator is a built-in role that you are granted when you are the tenant admin and you grant yourself access to everything under your tenant: https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin. So it will obviously work if you grant yourself this role, but you can get away with a lot fewer permissions.
In my case I solved it by doing "az login" again and moving to the correct subscription, and then I tried to run the command again. It worked.
Also, the reason may be that you don't have the rights to create a cluster in that resource group. I had this kind of problem before; for that you should contact the person who administers your subscription to give you rights.
