Cannot create Azure AKS cluster: CreateRoleAssignmentError - azure

I attempt to create an AKS cluster in a fresh new subscription. When a cluster is created via the web interface, eventually a CreateRoleAssignmentError error is produced with the following message:
RoleAssignmentReconciler retry timed out: autorest/azure: Service
returned an error. Status=403 Code="AuthorizationFailed" Message="The
client 'foo' with object id 'foo' does not have authorization to
perform action 'Microsoft.Authorization/roleAssignments/write' over
scope
'/subscriptions/bar/resourceGroups/MC_MyResourceGroup_mycluster_region/providers/Microsoft.Authorization/roleAssignments/az
Note that cluster is created with a manually created service principal, as per the documentation. This service principal has an "Owner" role on all Resource Groups within a subscription.
Note also that the reason I had to create a service principal manually is that the cluster could not be created otherwise in the first place. When attempted to create a cluster without explicitly specifying a service principal (that is, requesting a new one to be created automatically), another error was produced:
The credentials in ServicePrincipalProfile were invalid. Please see
https://aka.ms/aks-sp-help for more details. (Details: adal: Refresh
request failed. Status Code = '400'. Response body:
{"error":"unauthorized_client","error_description":"AADSTS700016:
Application with identifier 'foo' was
not found in the directory 'bar'.
This can happen if the application has not been installed by the
administrator of the tenant or consented to by any user in the tenant.
You may have sent your authentication request to the wrong
tenant.\r\nTrace ID:
9ec6ed81-892d-4592-b7b5-61842f5c1200\r\nCorrelation ID:
bffbb112-7348-4403-a36f-3010bf34e594\r\nTimestamp: 2019-07-13
15:48:02Z","error_codes":[700016],"timestamp":"2019-07-13
15:48:02Z","trace_id":"9ec6ed81-892d-4592-b7b5-61842f5c1200","correlation_id":"bffbb112-7348-4403-a36f-3010bf34e594","error_uri":"https://login.microsoftonline.com/error?code=700016"})
I am doing these operations on a fresh new account and a subscription using an "initial" admin user, so I would suppose all permissions should be in place all right. What can explain the errors above?

as the OP asks, here's the answer. In order to create resources in Azure (doesn't matter which resources) you need permissions of type: provider/resource/write. Same goes for edits. This basic principle applies to all the resources out there. Now lets compare owner and contributor:
I have an AKS template that needs contributor role to work + this custom role:
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Assign AKS permissions to the vnet"
$role.Description = "Assign AKS permissions to the vnet for the inflation process"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Authorization/roleAssignments/write")
AKS clusters created by code using this role + contributor are fully functional.
User Access Administrator is a built-in role that you are being granted when you are the tenant admit and you grant yourself access to everything under your tenant: https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin. So it will obviously work if you grant yourself this role, but you can get away with a lot less permissions.

In my case I solved it by doing again "az login" and moving to the correct subscription,and then i tried to run the command again. It worked.
Also the reason may be you don't have the rights to create a cluster on that resource group. I had this kind of problem before,for that you should contact the person who administers you subscription to give you rights.

Related

The client '87c92100-.....' with object id '87c92100....' does not have authorization to perform action

Rukmini, the SP has contributor role on the subscription not sure why it is erroring and it worked after ading it in a Reader role?
Here is a snapshot
I am trying some operations from az cli(terraform commands) getting the following error:
The client '87c92100-.....' with object id '87c92100....' does not
have authorization to perform action
'Microsoft.Resources/subscriptions/resourcegroups/read' over scope
'/subscriptions/f151ee3f-4725-......../resourcegroups/tfmainrg' or the
scope is invalid
I searched everywhere, RG, AAD, storage account....not able to find where this object or client resdes. Can you please tell me how can I find what object is this? Thanks
I tried to reproduce the same in my environment and got the same error as below:
The error "Authorization Failed" usually occurs if the user does not have access/role to read the resource group.
To resolve the error, make sure to assign Reader role to the user in the subscription level like below:
Go to Azure Portal -> Subscriptions -> Select your subscription -> Access control (IAM) -> Add role assignment -> Select Reader
You can also use az cli to assign the Reader role to the user by using below command:
The Owner or User administrator role is required to assign any role.
So, use another tenant level Owner to assign the role.
az role assignment create --assignee-object-id UserObjectID --scope subscriptions/SubscriptionID --role reader
The reader role successfully granted to the user like below:
After assigning the role, I am able to read the resource group successfully:
az group show -n ResourceGroupName
Based on your further requirement you can assign the roles by referring to the below MsDoc:
Azure built-in roles - Azure RBAC

AuthorizationFailed while using AZ CLI

Today I have tried to perform action on Azur ADF using CLI (Portal for that subscription can be only used as "read") AZ CLI is installed on AZ VM that via Managed identity has received Contributor role on the whole subscription. Running command ended with AuthorizationFailed.
After logging into AZ CLI with AZ login -i
and running command az datafactory configure-factory-repo
(AuthorizationFailed) The client 'CLIENT_ID' with object id
'CLIENT_ID' does not have authorization to perform action
'Microsoft.DataFactory/locations/configureFactoryRepo/action' over scope
'/subscriptions/SUBSCRIPTION_ID' or the scope is invalid.
If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed Message: The client 'CLIENT_ID'
with object id 'CLIENT_ID' does not have authorization to
perform action 'Microsoft.DataFactory/locations/configureFactoryRepo/action' over scope
'/subscriptions/SUBSCRIPTION_ID' or the scope is invalid. If access
was recently granted, please refresh your credentials.
I have checked and VM Contributor role has Microsoft.DataFactory/locations/configureFactoryRepo/action
What else I should check?(I have no access to AZ AD)
Edit:
CLIENT_ID is equal to principalId of VM from which I'm running commands.
I assume that the CLIENT_ID and SUBSCRIPTION_ID actually are real values and you have replaced them to not disclose the here, correct?
To be sure that you are in the correct context you could first issue 'az account show' after you logged in using 'az login -i'. Is the response to that what you expected?
-- Edit --
The client ID should be the client id of the managed identity, also sometimes referred to as App ID (same thing). So when you log in with -i I believe it should be the same output as when you do the az account show. So that's a good thing.
Then I kind of get the feeling that it is a scope error. It looks a lot like you run in to this and it's by design as of now. But have a look at lmicverm's comment. You might use the the other call (Create or update Factory) as a workaround?

The client 'XXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Media/mediaServices/transforms/write'

I am trying to use the following git repo in order to connect to azure ams, upload a video and stream it:
https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/AMSv3Samples/StreamFilesSample/index.ts
For some reason I am keep getting the following error:
The client 'XXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Media/mediaServices/transforms/write' over scope '/subscriptions/XXX/resourceGroups/TEST-APP/providers/Microsoft.Media/mediaServices/TESTAMP/transforms/ContentAwareEncoding' or the scope is invalid. If access was recently granted, please refresh your credentials
The AD user is owner but I understand it is a permission issue.
I searched all over the web for hours what permission do I need to grant and where but could not find any solution
The error get thrown here:
let encodingTransform = await mediaServicesClient.transforms.createOrUpdate(resourceGroup, accountName, encodingTransformName, {
name: encodingTransformName,
outputs: [
{
preset: adaptiveStreamingTransform
}
]
});
of course, I have updated the .env file to the correct data of my azure account.
Can anyone point out what am I missing and how to grant this permission?
Thanks!
The error message is referring to your Service Principal that is being used to authenticate against the AMS SDK.
Double check that you entered the GUID values for the service principal ID and Key, and make sure you did not use the friendly name in there.
AADCLIENTID="00000000-0000-0000-0000-000000000000"
AADSECRET="00000000-0000-0000-0000-000000000000"
Also, double check in IAM Access control in the portal that the service principal exists under the Role Assignments for your Media Services account and has Contributor or Owner permission Role first.
If you are in an Enterprise that locks down AAD access - you may need to work with your AAD owner/admin to make these changes and grant the service principal the right roles for your account. That's a bit outside of Media Services, and is just general Azure AAD application creation rights, and role assignments.
If you are still hitting issues, I would file a support ticket and also ask your AAD administrator to assign the role permisssion to your service principal.
As an aside, we are also working on updated Node.js SDK samples for the upcoming (soon!) release of the 10.0.0 Javascript SDK.
See the beta samples here - https://github.com/Azure-Samples/media-services-v3-node-tutorials/tree/10.0.0-beta.1

Can Azure Service Principal Update Its Own Passwords?

I need to use an Azure service principal to programmatically:
1. add/delete passwords for other services principal , and
2. add/delete passwords for itself
1 is easy to do.
But I can't seem to do 2 due to the following error. Is #2 possible? How?
graphrbac.PasswordCredentialsUpdateParameters failed:
graphrbac.ApplicationsClient#UpdatePasswordCredentials: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error"
Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-06-06T22:19:35","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"<ID>"}}]
Is #2 possible? How?
Yes, it is possible.
Just add your service principal to the Application Administrator directory role in your tenant, no need to add other permissions, it will work(there may be some delay).
Navigate to the Azure Active Directory in the portal -> Roles and administrators -> click Application administrator -> Add assignment -> search by your AD App name(service principal name) -> select it -> Select.
My test sample:
I test it with powershell, in other languages, it should also work.
Add password:
Connect-AzureAD -TenantId "<TenantId>" -ApplicationId "<ApplicationId>" -CertificateThumbprint "D0F0B179xxxxx6E41833FDE5947"
New-AzureADApplicationPasswordCredential -ObjectId <ObjectId>
Remove password(it returns no content when successful):
$password = Get-AzureADApplicationPasswordCredential -ObjectId <ObjectId>
Remove-AzureADApplicationPasswordCredential -ObjectId <ObjectId> -KeyId $password.KeyId
Besides, you could check the screenshot in my test sample and that in the portal, make sure the service principal add/delete passwords for itself.
Seems you are trying to update your service principle meanwhile caught an error.
As the error said you don't have permission for this operation.
Reason of Error: You may not have sufficient permission on your application for this operation.
Action To Do:
To do that you have to assign following permission on your application. Please follow the below steps:
Login to azure portal
Click on azure active directory
App registrations
Select you application
API Permission
Add Permission
Microsoft Graph
Application permission
In Directory select Directory.Read.All
In Application select Application.ReadWrite.All
Add Permission
Grant admin consent for YourTennant
See the screen shot below:
Note: You also need to have at least Contributor directory role on that application. As the Contributor can create and manage all types of
Azure resources but can’t grant access to others.

Add AAD application as a member of a security group

I'm trying to enable service to service auth using AAD tokens. My plan is to validate "groups" claim in the token to make sure the caller is a member of a security group that we created.
For example, we will create group1 for readers and group2 for writers. Then based on "groups" claim, I will figure out the right access level.
I use AAD app to issue the tokens (not a user), so I need that app to be a member of the security group. Azure AD powershell doesn't seem to accept application ids as group members. How to solve this? are there any other recommended patterns when the caller is another AAD app?
Command used:
https://learn.microsoft.com/en-us/powershell/module/azuread/Add-AzureADGroupMember?view=azureadps-2.0
Error:
Add-AzureADGroupMember : Error occurred while executing AddGroupMember
Code: Request_BadRequest
Message: An invalid operation was included in the following modified references: 'members'.
RequestId: 0441a156-3a34-484b-83d7-a7863d14654e
DateTimeStamp: Mon, 11 Dec 2017 21:50:41 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:1 char:1
+ Add-AzureADGroupMember -ObjectId "9c2cdf89-b8d6-4fb9-9116-7749adec85c ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-AzureADGroupMember], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.AddGroupMember
Unfortunately, you cannot add an application as a member of Azure AD group.
Though the official document for the Powershell cmdlet Add-AzureADGroupMember doesn't make clear you cannot use Application's ObjectId as the RefObjectId, absolutely you cannot use it.
You cannot add an application as a member of Azure AD group neither.
For example, we will create group1 for readers and group2 for writers.
Then based on "groups" claim, I will figure out the right access
level.
For your scenario, I'm afraid that you couldn't achieve this for now. I understand why you need this. According to your request, my thought is assigning your application from Enterprise Application to Groups or users and manger users with different access rights. However, you cannot choose more roles for the selected group. The only one role is default access If want to define more roles for the app, you can refer to this documentation.
I also tried to use Azure AD RBAC and create new conditional access for my test app,but all don't have read only this choice.
You can also put your idea in Azure Feedback Forum, azure team will see it. Also, I will upvote your idea.
Update:
Currently, you can add a service principal to an AAD Group:
Example:
$spn = Get-AzureADServicePrincipal -SearchString "yourSpName"
$group = Get-AzureADGroup -SearchString "yourGroupName"
Add-AzureADGroupMember -ObjectId $($group.ObjectId) -RefObjectId $($spn.ObjectId)
Updated 2:
Recently, I also see lots of users want to assign roles to a service principal to let the service principal have some permissions to access to the app with a role.
I want to make clear here. Role-based authorized should be used for users, NOT applications. And it's not designed for applications. If you want to give some different permissions you may consider to assign application permissions to your service principal instead.
You can expose your Web App/API with application permissions by editing the Manifest in app registrations.
You can go to Azure portal > Azure Active Directory > App registrations > Select your App > Manifest.
In appRoles, you can insert content like this:
{
"allowedMemberTypes": [
"Application"
],
"displayName": "Access to the settings data",
"id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
"isEnabled": true,
"description": "Administrators can access to the settings data in their tenant",
"value": "Settingsdata.ReadWrite.All"
},
Then, you can go another app registration you want to give permission > Settings > require permissions > Add > Search the application name you want to access > Choose the application permission you created before.
Therefore, your sp can obtain a token with that application permissions in token claims.
Also, for authorization from the resource, you need to add code logic to give control policy for that token with Settingsdata.ReadWrite.All claim.
Update 3
Currently, you can add the service principal to one AAD Group directly in Azure portal:
Following Update 3 in the answer of #Wayne Yang, I've successfully implemented this using C# and the MS Graph SDK.
But I think the same should be possible using Powershell and simple REST API calls.
// create new application registration
var app = new Application
{
DisplayName = principal.DisplayName,
Description = principal.Description,
};
app = await _graphClient.Applications.Request().AddAsync(app);
// create new service Principal based on newly created application
var servicePrincipal = new ServicePrincipal
{
AppId = app.AppId
};
// add service principal
servicePrincipal = await _graphClient.ServicePrincipals.Request().AddAsync(servicePrincipal);
// add service principal to existing security group
await _graphClient.Groups[groupId].Members.References.Request().AddAsync(servicePrincipal);

Resources