I got this error message when I tried to upload the zip file using the functionapp deployment command. How can I grant access to the user? I am actually an Admin of the resource group.
az functionapp deployment source config-zip -g dt-rg -n dt-function-test --src ProcessHubToDTEvents.zip
(AuthorizationFailed) The client 'XXX#YYYY.com' with object id
'fe90558f-8f13-4e0b-8812-50ac3987ebba' does not have authorization to
perform action 'Microsoft.Web/sites/read' over scope
'/subscriptions/5649ad97-1fd3-460f-b569-9995bbb6c5c0/resourceGroups/dt-rg/providers/Microsoft.Web/sites/dt-function-test'
or the scope is invalid. If access was recently granted, please
refresh your credentials. Code: AuthorizationFailed Message: The
client 'XXX#YYYY.com' with object id
'fe90558f-8f13-4e0b-8812-50ac3987ebba' does not have authorization to
perform action 'Microsoft.Web/sites/read' over scope
'/subscriptions/5649ad97-1fd3-460f-b569-9995bbb6c5c0/resourceGroups/dt-rg/providers/Microsoft.Web/sites/dt-function-test'
or the scope is invalid. If access was recently granted, please
refresh your credentials.
To perform any operations like Create, Update, Deploy or Delete on Function App-level tasks, the Contributor role is enough for the user.
Refer to one of my workarounds in Azure Function App deployment using Azure CLI command
az functionapp deployment source config-zip ...
Also, to get more information on which roles provide which permissions at the Azure Function App level, refer to the document provided by Microsoft.
I'm following the instructions here to create an Azure static web app from the Cloud Shell, using the command:
az webapp up --location westindia --name static-webapp-test --html
Getting the following Unauthorized error:
The webapp 'static-webapp-test' doesn't exist Creating Resource group 'anubhav.das_rg_8008' ... Resource group creation complete Creating AppServicePlan 'anubhav.das_asp_4721' ... Operation returned an invalid status 'Unauthorized'
I have seen this type of error, which prevents the user from creating resources due to role restrictions or access-level restrictions in the subscription.
Please check your role (it should be Owner, Contributor or User Access Administrator) and the filters added in Azure Active Directory.
It is recommended to use the latest version of CLI.
If you are using an older version, run the cmdlet below to upgrade the CLI to the latest version:
az upgrade --yes
I have followed the steps provided in the given documentation and was able to create the static web app successfully:
Selected Azure Cloud Shell and gave the following settings: my subscription, location, resource group name, storage account name and file share name for working in the Cloud Shell.
Cloned the GitHub project to my Azure account, as you can see in the screenshot below:
Also created another application of the same type with the name you gave:
As I can see, there is no issue in creating a static HTML web app. Although I have an existing resource group that I use for working with Cloud Shell, the commands given in the documentation create a new resource group for the web app, and it works fine without any access restriction such as an authorization error, as my role is Contributor.
Currently I'm trying to create dynamic environments via Azure DevOps.
One of the steps to achieve this is to take a copy of our production databases, place them in a temp resource group (production subscription) and then move the SQL server and associated databases to our non-production subscription. From there we then create the web apps and deploy code.
When I run this via Az CLI I am able to move the resources with the following:
SQLSERVERID=$(az resource show -g $RSGNAMETEMP -n $SQLSERVERNAME --resource-type "Microsoft.Sql/servers" --query id --output tsv)
az resource move --destination-group $RSGNAME --ids $SQLSERVERID --destination-subscription-id $SANDBOXSUBSCRIPTIONID
However, when I run this via Azure DevOps I get the following error:
ERROR: The client (...) with object id (...) has permission to perform action on scope however, it does not have permission to perform action (...) on the linked scope(s).
I believe this problem is happening because, when you configure the Az CLI step in Azure DevOps, you select the subscription from the drop-down list. The account / service principal only has access rights to that specific subscription and not to multiple ones. Is it possible to configure a service principal (that can be used in Azure DevOps) that can connect to multiple subscriptions?
Yes, just go to the Azure portal, navigate to the desired subscription blade, go to Access Control, press the + sign at the top and add your principal as a Contributor to the subscription.
To find the service principal name, use this:
Click the Manage link in the Azure Subscription field in your VSTS job; it will navigate you to a new blade. Click Manage Service Principal there. It will take you to the application page in Azure AD. After that you can copy the name under the Managed application in local directory field and use that name to grant it Key Vault permissions.
With this reference, https://learn.microsoft.com/en-us/bot-framework/deploy-bot-local-git
I executed the command as follows.
$ azure site create --git my-app-name
Then, an error message appeared.
info: Executing command site create
error: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.
error: Error information has been recorded to C:\Users\yokoyamt\.azure\azure.err
error: site create command failed
I've tried in another Azure account, in which I have "power-user", and then
a new resource group was created and the app service was deployed in it.
But this time, I don't have enough role to create a new resource group.
So I wondered whether I have to specify the resource group when I create the app via azure-cli.
Can anyone put some light on this?
> az account list --output table
Name CloudName SubscriptionId State IsDefault
-------- ----------- ------------------------------------ ------- -----------
従量課金 AzureCloud my-subscription-id Enabled True
azure site is a classic (ASM) mode resource; azure web is an ARM mode resource. You should give your account co-admin permission in the classic portal. The new portal does not work for it. Please refer to this question.
According to your description, you want to deploy a web app on Azure. You could use Azure CLI 2.0 to do this. Please refer to this link.
I was trying to invoke a data factory pipeline from an Azure function programmatically. It's throwing the following error.
link:
http://eatcodelive.com/2016/02/24/starting-an-azure-data-factory-pipeline-from-c-net/
AuthorizationFailed: The client 'XXXX-XXXXX-XXXX' with object id 'XXX829e05'XXXX-XXXXX' does not have authorization to perform action
'Microsoft.DataFactory/datafactories/datapipelines/read' over scope
'/subscriptions/XXXXXX-4bf5-84c6-3a352XXXXXX/resourcegroups/fffsrg/providers/Microsoft.DataFactory/datafactories/ADFTestFFFS/datapipelines/ADFTutorialPipelineCustom'.
I tried to search for similar issues, but none of the search results gave me a solution to my problem. Can you please guide us on what could be the issue?
The objective is to run the data factory pipeline whenever a file is added to blob storage. So to achieve this we are trying to invoke the data factory pipeline from an Azure function using a blob trigger.
Step 1: Log in to your Azure portal.
Step 2: Find Subscriptions in the left-side menu bar and click it.
Step 3: Click on Access Control (IAM) and then click on Add.
Step 4: In the Add Permission window, select Contributor for the role. In the select input box, type the name of the app you created in Azure AD (created in Azure Active Directory) and select it. In my case I created Azure Resource Management.
Step 5: After you have granted the permission successfully, click on Refresh in your subscription window and you will see your app showing in the list. See the example below.
See Common problem when using Azure resource groups & RBAC
https://blogs.msdn.microsoft.com/azure4fun/2016/10/20/common-problem-when-using-azure-resource-groups-rbac/
This issue is more likely to happen in newer subscriptions and usually happens if a certain resource type has never been created before in that subscription.
Subscription admins often fix this issue by granting resource group owners contributor rights on the subscription level which contradicts with their strategy of isolating access down to the level of resource group level not the subscription level.
Root cause
Some admins say, that some resources require access to the subscription level to be able to create these resources and that ‘owner’ rights on a resource group level is not sufficient. That is not true.
Let’s take a step back to understand how this all works first.
To provision any resources in Azure (using the resource manager model) you need to have a resource provider that supports the creation of that resource. For example, if you will provision a virtual machine, you need to have a ‘Microsoft.Compute’ resource provider available in the subscription first before you can do that.
Resource providers are registered on the level of the subscription only.
Luckily, the Azure Resource Manager (ARM) is intelligent enough to figure that out for you. When a new Azure resource gets provisioned, if the resource provider required for that resource type is not registered in the subscription yet, ARM will attempt to register it for you. That action (resource provider registration) requires access to the subscription level.
By default, any new Azure subscription will be pre-registered with a list of commonly used resource providers. The resource provider for IoTHub, for instance, is not one of them.
When a user is granted owner rights only on a specific resource group, if that user tries to provision a resource that requires registering a resource provider for the first time, that operation will fail. That is what happened in our case above when trying to provision IoTHub.
So the bottom line is, we DO NOT need to grant access permissions at the subscription level for users to be able to create resources like HDInsight, IoTHub and SQLDW, etc. within the resource groups that they have owner rights on, as long as the resource providers for these resources are already registered.
You get the error that you are not authorized to perform action 'Microsoft.DataFactory/datafactories/datapipelines/read' over scope of pipeline because you don't have the relevant permissions on the datafactory.
You need to have "Contributor" / "Data Factory Contributor" permissions to create and manage data factory resources or child resources. More details of the Azure RBAC roles in the following link:
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles
Since the customer is trying to use the ADF client from inside an Azure Function, the recommendation is to use an AAD application and service principal for authentication of the ADF client. You can find the instructions for creating an AAD application and service principal here:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal
Please follow the instructions on how to create the Active Directory application, service principal, and then assign it to the Data Factory Contributor role in the following link and the code sample for using service principal with ADF client.
We recently had this issue with the same message and found that it was caused by the user being logged in with a different subscription (we have 2). Using az login --subscription resolved the problem for us.
For anyone else running into a similar issue with the same error message: after "az login" I was receiving the same error when attempting to create a resource group as Owner. I solved this with:
az account set --subscription "Azure Subscription 1"
Basically it stems from the subscription not being set; you can find the details here:
https://learn.microsoft.com/en-us/cli/azure/manage-azure-subscriptions-azure-cli#get-the-active-subscription
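The three causes discussed in this thread (a role assignment that does not cover the action at the failing scope, a resource provider that is not yet registered in the subscription, and the CLI pointing at a different subscription than the scope in the error) all surface as the same AuthorizationFailed text. The following is an added example, not code from any of the posts above: it parses the error message format quoted in the questions, decomposes the ARM scope, and checks the three causes against constructed inputs standing in for the output of `az account show`, `az provider list` and `az role assignment list`. The role-to-action table is a deliberately simplified assumption (real role definitions also carry NotActions and data actions); the error values reuse those quoted in the first question.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample input: the AuthorizationFailed text as the Azure CLI prints it,
# using the values quoted in the first question of this thread.
SAMPLE_ERROR = (
    "(AuthorizationFailed) The client 'XXX#YYYY.com' with object id "
    "'fe90558f-8f13-4e0b-8812-50ac3987ebba' does not have authorization to "
    "perform action 'Microsoft.Web/sites/read' over scope "
    "'/subscriptions/5649ad97-1fd3-460f-b569-9995bbb6c5c0/resourceGroups/dt-rg"
    "/providers/Microsoft.Web/sites/dt-function-test' or the scope is invalid."
)

_ERROR_RE = re.compile(
    r"client '(?P<client>[^']+)' with object id '(?P<object_id>[^']+)' "
    r"does not have authorization to perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'",
    re.IGNORECASE | re.DOTALL,
)

# Assumption: simplified model of the actions a few built-in roles grant.
# Real definitions also have NotActions; `az role definition list` is authoritative.
ROLE_ACTIONS = {
    "Owner": ["*"],
    "Contributor": ["*"],
    "Reader": ["*/read"],
    "Data Factory Contributor": ["Microsoft.DataFactory/*"],
}


def parse_authorization_failed(text):
    """Extract client, object_id, action and scope from an AuthorizationFailed message."""
    m = _ERROR_RE.search(text)
    if m is None:
        raise ValueError("not an AuthorizationFailed message")
    return m.groupdict()


def split_scope(scope):
    """Decompose /subscriptions/<sub>/resourceGroups/<rg>/providers/<ns>/<type>/<name>...
    into its parts; segment keys are matched case-insensitively, as ARM does."""
    parts = scope.strip("/").split("/")
    out = {"subscription": None, "resource_group": None, "provider": None,
           "resource_type": None, "resource_name": None}
    i = 0
    while i + 1 < len(parts):
        key = parts[i].lower()
        if key == "subscriptions":
            out["subscription"] = parts[i + 1]
        elif key == "resourcegroups":
            out["resource_group"] = parts[i + 1]
        elif key == "providers":
            out["provider"] = parts[i + 1]
            rest = parts[i + 2:]  # alternating <type>/<name> pairs, possibly nested
            out["resource_type"] = "/".join(rest[0::2]) or None
            out["resource_name"] = rest[-1] if rest and len(rest) % 2 == 0 else None
            break
        i += 2
    return out


def role_grants(role, action):
    """True if the simplified role model grants the action (RBAC-style wildcards)."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in ROLE_ACTIONS.get(role, []))


def scope_covers(assignment_scope, target_scope):
    """A role assignment applies to its scope and everything below it."""
    a, t = assignment_scope.rstrip("/").lower(), target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def diagnose(error_text, active_subscription, registered_providers, role_assignments):
    """Return the likely causes of an AuthorizationFailed error as a list of strings.
    role_assignments: dicts {"principal_id", "role", "scope"} (the shape of
    principalId / roleDefinitionName / scope in `az role assignment list`)."""
    err = parse_authorization_failed(error_text)
    parts = split_scope(err["scope"])
    findings = []
    # Cause 1: the CLI's active subscription is not the one in the scope.
    if parts["subscription"] and parts["subscription"].lower() != active_subscription.lower():
        findings.append("active subscription differs from the scope; run az account set --subscription <id>")
    # Cause 2: the provider namespace of the action is not registered (registration
    # needs subscription-level rights, so a resource-group Owner cannot trigger it).
    namespace = err["action"].split("/")[0]
    if namespace.lower() not in {p.lower() for p in registered_providers}:
        findings.append(f"resource provider {namespace} is not registered in the subscription")
    # Cause 3: no assignment for this principal covers the action at this scope.
    covered = any(
        ra["principal_id"].lower() == err["object_id"].lower()
        and scope_covers(ra["scope"], err["scope"])
        and role_grants(ra["role"], err["action"])
        for ra in role_assignments
    )
    if not covered:
        findings.append(f"no role assignment grants {err['action']} on {err['scope']} to {err['object_id']}")
    return findings


if __name__ == "__main__":
    # Constructed inputs: a Contributor assignment on a different resource group
    # than the one in the error, which is the classic "I am admin, but not here" case.
    sub = "5649ad97-1fd3-460f-b569-9995bbb6c5c0"
    assignments = [{"principal_id": "fe90558f-8f13-4e0b-8812-50ac3987ebba",
                    "role": "Contributor",
                    "scope": f"/subscriptions/{sub}/resourceGroups/other-rg"}]
    for line in diagnose(SAMPLE_ERROR, sub, ["Microsoft.Web", "Microsoft.Storage"], assignments):
        print("-", line)
```

Feed it the real values by saving `az account show --query id -o tsv`, `az provider list --query "[?registrationState=='Registered'].namespace" -o tsv` and `az role assignment list --all -o json` and mapping them onto the three parameters; the point of the scope decomposition is that a role assigned on one resource group (or on a subscription that is not the active one) never covers a scope under another, which is exactly what the error text alone does not tell you.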
Solution:
Step 1: Register an app in Azure Active directory.
Step 2: Assign the 'Data Factory Contributor' role to the same app. We can achieve this by using PowerShell.
The code below works for me. Please try it out in PowerShell after logging in with your Azure credentials.
Implementation:
Step 1: $azureAdApplication = New-AzureRmADApplication -DisplayName <AppName> -HomePage <URL> -IdentifierUris <URL with domain> -Password <Password>
Step 2: New-AzureRmRoleAssignment -RoleDefinitionName "Data Factory Contributor" -ServicePrincipalName $azureAdApplication.ApplicationId
Follow this post : https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal
In this post, the role is given as "Reader", which should be "Owner" instead; otherwise it would give a permission error on deployment.
I solved it by following this post:
https://www.nwcadence.com/blog/resolving-authorizationfailed-2016
with this command in PowerShell:
Get-AzureRmResourceProvider -ListAvailable | Select-Object ProviderNamespace | Foreach-Object { Register-AzureRmResourceProvider -ProviderName $_.ProviderNamespace}
I solved it by finding the Enterprise Application > Object ID.
(It is weird that it does not use App Reg > Application Id.)
https://jeanpaul.cloud/2020/02/03/azure-data-factory-pipeline-execution-error/