I hope somebody can guide me with this issue. I do not have issues deploying resources via the web interface. This time I am trying to automatize my infrastructure and I am deploying via ARM. All the resources for the Service Fabric cluster I am trying to create are deployed with no issue, except for the VMSS which throws me this error:
{
"status": "Failed",
"error": {
"code": "LinkedAuthorizationFailed",
"message": "The client has permission to perform action 'Microsoft.KeyVault/vaults/deploy/action' on scope '/subscriptions/xxxxxx/resourcegroups/AllyStage-v2/providers/Microsoft.Compute/virtualMachineScaleSets/StageNode', however the linked subscription 'xxxxx' was not found. "
}
}
Thanks.
It would have helped to look at the ARM template that you're trying to deploy. However, I suspect the problem is that the resource ID for a resource or subscription isn't resolving correctly. Here is a similar issue from the past.
Also, if you are deploying the ARM template from within another bash/PowerShell script, I suggest you ensure that you have the correct context/subscription set before initiating the template deployment, and verify the scope of permissions of the principal performing the deployment.
Related
I have a silly question.
I am trying to deploy an azure web app using terraform. I have a task to build the code and drop it as a artefact, this works just fine. So I moved to the release process as follow
My code has a backend configuration in which I am saving my terraform.tfstate to be able to access this I create a azure resource manager service principle
Now this works just perfectly for all my stages. I am able to create the resource group and the web app, and the terraform.tfstate get saved in the container which is under the azure resource manager
But here is my problem. If I update my code local and push it to GitHub the pipeline builds the artefact and the release triggers, but at the plan stage it fails with the following error.
reading resource group: resources.GroupsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'XXXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/XXXX/resourcegroups/rg-hri-stg-eur-configurations' or the scope is invalid. If access was recently granted, please refresh your credentials."[0m
I do understand that once the resource group exists, I don't have permission to perform any action on it, such as plan, apply or Destroy.
I was wondering how can I set a azure resource manager for those pipeline to access this specific resource group once it has been created?
Thank you very much for any advice or help you can provide me with.
I found the issue. A silly one to be honest. My ARM resource was target a specific resource group(the one in which I keep my terraform states), so it was not working when trying to update a resource. I change the scope of the ARM resource to subscription level and everything works fine now. Thank you so much for your help guys
I have a new vm, Operating system Windows (Windows Server 2016 Datacenter).
When I try to enable backup and select new Recovery Service Vault, I get deployment error:
Deployment to resource group test failed.
Additional details from the underlying API that might be helpful: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
Resource
vault242/Azure/iaasvmcontainer;iaasvmcontainerv2;test;web01/vm;iaasvmcontainerv2;test;web01
Type
Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems
Status
Conflict
Status message
{
"status": "Failed",
"error": {
"code": "BMSUserErrorContainerObjectNotFound",
"message": "Item not found"
}
}
Can't find any information for code BMSUserErrorContainerObjectNotFound and why a protected item not created automatically
My apologies for the delay in the response.
Were you able to resolve the issue?
If not, let's review it.
As I understood, you are enabling the Azure VM Back Up by following the next steps:
There could be multiple reasons why you are getting this failure.
Did you perform these steps manually using the Azure Portal? Template deployment? Scripting? I suspect most likely you are doing the template deployment or any kind of scripting and this one is the syntax issue.
Second thought, it was the transmitted issue due to the load of request on the Azure end. In this case, you need to retry the operation.
Additional question to ask, do you get the failure on one specific machine or all machines? Specific region?
Do you get the same failure when you use the existing vault?
If you still can provide information above, it's going to be helpful to narrow down the root cause.
I ran into this error as well today and I think it is is a Azure portal bug when enabling the Backup from the VM blade.
Instead, you can initiate a Backup from the "Recovery Services vaults" blade and add the VM to it.
I have created an ARM template for my logic app which has azure function reference in it.
By the time when I was deploying the logic app in my old subscription, I was able to deploy the ARM template using power shell successfully,
The problem started when I needed to deploy the app in different subscription.
While I deployed my logic app on different subscription which was pointing to the azure functions which still existed in my old subscription, I got this error.
{
"code": "LinkedAuthorizationFailed",
"message": "The client has permission to perform action 'Microsoft.Web/sites/functions/listSecrets/action' on scope '/subscriptions/(newsubscription Id)/resourcegroups/(new resourcegroup under new subscription)/providers/Microsoft.Logic/workflows/my-logic-app-name', however the current tenant '(tenent id of new subscription)' is not authorized to access linked subscription '(old subscription id)'."
}
Can anyone suggest how can I deal with this issue?
What I suspect is the new subscription needs to get access over old subscription for accessing azure function lying in there. What can be done in this case?
I have a release setup that I'm trying get out through Azure Devops release pipelines. This is based on another release that I've cloned and works fine.
The issue is that the template is failing a validation check and not going any further. Strange thing is i'm able to check the syntax successfully with new-AzResourceGroupDeployment and test-AzResourceGroupDeployment. It reports no errors and has been deploying fine.
Using Azure Devops release the error coming back is:
2020-02-26T12:26:16.2632844Z ==============================================================================
2020-02-26T12:26:16.2633634Z Task : ARM template deployment
2020-02-26T12:26:16.2634204Z Description : Deploy an Azure Resource Manager (ARM) template to all the deployment scopes
2020-02-26T12:26:16.2634534Z Version : 3.1.19
2020-02-26T12:26:16.2634945Z Author : Microsoft Corporation
2020-02-26T12:26:16.2635504Z Help : https://learn.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment
2020-02-26T12:26:16.2635948Z ==============================================================================
2020-02-26T12:26:16.8677026Z ARM Service Conection deployment scope - Subscription
2020-02-26T12:26:16.8760315Z Checking if the following resource group exists: myResourceGroup.
2020-02-26T12:26:17.2234188Z Resource group exists: true.
2020-02-26T12:26:17.2259290Z Creating deployment parameters.
2020-02-26T12:26:17.2558066Z The detected encoding for file 'd:\a\r1\a\_Azure-Infrastructure\myResourceGroup\deployment\azuredeploy.json' is 'utf-8'
2020-02-26T12:26:17.2561303Z The detected encoding for file 'd:\a\r1\a\_Azure-Infrastructure\myResourceGroup\deployment\param.dev.json' is 'utf-8'
2020-02-26T12:26:17.5304032Z Starting template validation.
2020-02-26T12:26:17.5304834Z Deployment name is Release-vstfs:///ReleaseManagement/Release/95
2020-02-26T12:26:17.5877973Z ##[warning]Validation errors were found in the Azure Resource Manager template. This can potentially cause template deployment to fail. Template validation failed. Error: {"message":"No HTTP resource was found that matches the request URI 'https://management.azure.com/subscriptions/mySubscription/resourcegroups/myResourceGroup/providers/Microsoft.Resources/deployments/Release-vstfs:/ReleaseManagement/Release/95/validate?api-version=2017-05-10'."}.. Please follow https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-syntax
2020-02-26T12:26:17.5890527Z Starting Deployment.
2020-02-26T12:26:17.5891348Z Deployment name is Release-vstfs:///ReleaseManagement/Release/95
2020-02-26T12:26:17.6289831Z There were errors in your deployment. Error code: undefined.
2020-02-26T12:26:17.6291819Z ##[error][object Object]
2020-02-26T12:26:17.6295387Z ##[error]Task failed while creating or updating the template deployment.
2020-02-26T12:26:17.6399260Z ##[section]Finishing: ARM Template deployment: Resource Group scope
​Looking the log above, I'm not sure if it's failing on the validation errors or on the error near the end with a undefined error code.
The task is from another subscription and it's listed in the Azure Resource Manager connection on the task and also lists the subscription and the resource groups in the subscription.
Anyone any ideas on how I can get this working or where to start troubleshooting?
your deployment name is:
Release-vstfs:/ReleaseManagement/Release/95
fairly certain that's not allowed (/). so you need to set your deployment name to something reasonable.
ps. : might not be allowed as well
Did you look at the Activity Log in Azure portal?
All deployment attempts are logged here. Look in particular at the JSON pane, often the real issue is only displayed here.
Otherwise, if it doesn't reach Azure, can you double check the service connection in Azure DevOps? (in particular the related user permission in Azure)
An ARM template is being deployed via a Azure Resource Deployment task in Azure Devops (VSTS) Release Management. All resources seem to get created successfully as far as I can see, however there are a few errors which cause the pipeline to fail.
2018-09-12T18:13:39.9155529Z ##[error]Details:
2018-09-12T18:13:39.9156550Z ##[error]BadRequest: {
"code": "BadRequest",
"message": "{\"code\":\"BadRequest\",\"message\":\"Bad Request\",\"innererror\":{\"diagnosticcontext\":\"ef9a7ad4-440f-4786-b1dc-5cbfdee6a964\",\"time\":\"2018-09-12T18:05:15.9905958Z\"}}"
} undefined
It is difficult to see which resource in the ARM template causes this. Can anyone point out anything which might help determine the cause of the problem?