CI/CD failed trying to deploy from Jenkins to AKS - azure

I've acquired one of the Microsoft templates for CI/CD using Jenkins, Docker (ACS) and Kubernetes (AKS). This template comes with a pipeline example, but when I try to start it I get the following error while integrating with Azure Kubernetes Service (AKS):
Starting Azure Container Service / Kubernetes Service Deployment
Delete Kubernetes management config file
/var/lib/jenkins/workspace/hello-world/kubeconfig-7112538207763465492
ERROR: ERROR: Status code 403, {"error":
{"code":"AuthorizationFailed","message":"The client '7912b768-a178-4996-
b6e6-38912a9b90da' with object id '7912b768-a178-4996-b6e6-38912a9b90da'
does not have authorization to perform action
'Microsoft.ContainerService/managedClusters/accessProfiles
/listCredential/action' over scope '/subscriptions/4e601d44-4d18-4e49-
95001793e668f9e0/resourcegroups/SystemBackend_Resource/
providers/Microsoft.ContainerService/managedClusters/aksa5ru5sgbdaum2/
accessProfiles/clusterAdmin'."}}
Any idea?

The error says it all: the client (credentials) you are using to access the AKS cluster does not have permissions to use the listCredentials action over that cluster. You need to grant that client those permissions. The easiest way is to grant Contributor rights for 7912b768-a178-4996-b6e6-38912a9b90da on the SystemBackend_Resource resource group:
New-AzureRmRoleAssignment -ObjectId 7912b768-a178-4996-b6e6-38912a9b90da `
-RoleDefinitionName "Contributor" `
-Scope '/subscriptions/4e601d44-4d18-4e49-95001793e668f9e0/resourcegroups/SystemBackend_Resource/'
You can obviously grant only that permission to that entity using custom roles, but this is just an example.
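As an added example (not code from the thread or from Microsoft's template), the Python below turns any of the AuthorizationFailed messages quoted on this page into the narrower alternative the answer mentions: a custom role that grants only the denied action at resource-group scope, plus the az commands to create and assign it. The role name is a placeholder chosen here, and the error text is a constructed sample copied from the question.

```python
import json
import re

# Constructed sample: the 403 body quoted in the question, joined onto one line.
SAMPLE_ERROR = (
    '{"error":{"code":"AuthorizationFailed","message":"The client '
    "'7912b768-a178-4996-b6e6-38912a9b90da' with object id '7912b768-a178-4996-b6e6-38912a9b90da' "
    "does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/"
    "accessProfiles/listCredential/action' over scope '/subscriptions/4e601d44-4d18-4e49-95001793e668f9e0/"
    "resourcegroups/SystemBackend_Resource/providers/Microsoft.ContainerService/managedClusters/"
    "aksa5ru5sgbdaum2/accessProfiles/clusterAdmin'.\"}}"
)

# The same sentence appears in the JSON body and in the CLI's plain "(AuthorizationFailed) The client ..." text.
_DENIED_RE = re.compile(
    r"object id '(?P<oid>[^']+)' does not have authorization to perform action "
    r"'(?P<action>[^']+)' over scope '(?P<scope>[^']+)'"
)

def parse_authorization_failed(text):
    """Return (object_id, action, scope); wrapped output lines are joined first."""
    m = _DENIED_RE.search(" ".join(text.split()))
    if not m:
        raise ValueError("not an AuthorizationFailed message")
    return m.group("oid"), m.group("action"), m.group("scope")

def resource_group_scope(scope):
    """Trim a resource scope to its resource group, the scope the answer grants rights on."""
    m = re.match(r"/subscriptions/[^/]+/resource[gG]roups/[^/]+", scope)
    if not m:
        raise ValueError("scope has no resource group segment")
    return m.group(0)

def least_privilege_role(text, role_name):
    """Custom role (az role definition JSON) allowing only the denied action, instead of Contributor."""
    oid, action, scope = parse_authorization_failed(text)
    return oid, {
        "Name": role_name,
        "IsCustom": True,
        "Actions": [action],
        "AssignableScopes": [resource_group_scope(scope)],
    }

def grant_commands(text, role_name):
    """az CLI commands that create the role and assign it to the denied principal."""
    oid, role = least_privilege_role(text, role_name)
    return [
        "az role definition create --role-definition '%s'" % json.dumps(role),
        f"az role assignment create --assignee-object-id {oid} --role '{role_name}' --scope {role['AssignableScopes'][0]}",
    ]
```

The scope in the question ends in accessProfiles/clusterAdmin, so even this narrowed role still hands the pipeline the cluster-admin kubeconfig; the narrowing is in what the principal can do in Azure, not in what it can do inside Kubernetes.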

Related

Service Principal with Contributor role cannot access the resource and cannot see the resource with "az resource list"

I have an Azure subscription with ACR and App Configuration services.
I am implementing a pipeline that accesses Azure through a DevOps Service Connection that has the Contributor role for both resources. However, using the Az Client task, the pipeline cannot see or access those resources.
If I execute "az resources list" I don't see those resources even though Service Connection has access to them.
I have the same setup working on my personal subscription. What am I missing?
I tried to reproduce the same scenario in my personal subscription and it worked with the same level of access for the Service Connection.
It also works in the PowerShell console with a user account that has the same permissions.

#AuthorizationFailed az functionapp deployment source config-zip

I got this error message when I tried to upload the zip file using the functionapp deployment command. How can I grant access to the user? I am actually an Admin of the resource group.
az functionapp deployment source config-zip -g dt-rg -n dt-function-test --src ProcessHubToDTEvents.zip
(AuthorizationFailed) The client 'XXX#YYYY.com' with object id
'fe90558f-8f13-4e0b-8812-50ac3987ebba' does not have authorization to
perform action 'Microsoft.Web/sites/read' over scope
'/subscriptions/5649ad97-1fd3-460f-b569-9995bbb6c5c0/resourceGroups/dt-rg/providers/Microsoft.Web/sites/dt-function-test'
or the scope is invalid. If access was recently granted, please
refresh your credentials. Code: AuthorizationFailed Message: The
client 'XXX#YYYY.com' with object id
'fe90558f-8f13-4e0b-8812-50ac3987ebba' does not have authorization to
perform action 'Microsoft.Web/sites/read' over scope
'/subscriptions/5649ad97-1fd3-460f-b569-9995bbb6c5c0/resourceGroups/dt-rg/providers/Microsoft.Web/sites/dt-function-test'
or the scope is invalid. If access was recently granted, please
refresh your credentials.
To perform operations like create, update, deploy or delete on Function App-level tasks, the Contributor role is enough for the user.
Refer to one of my workarounds in Azure Function App deployment using the Azure CLI command
az functionapp deployment source config-zip ...
Also, for more information on which roles provide which permissions at the Azure Functions App level, refer to the document provided by Microsoft.

Azure DevOps Pipeline - Pushing to Azure Container Registry - Permission error

I have created an Azure Container Registry.
I have an Azure DevOps project.
I have created an Azure DevOps Pipeline using the wizard so that it uses the standard template to build and push a Docker image.
When validating the Pipeline the following error is thrown:
Failed to set Azure permission 'RoleAssignmentId: ****' for the service principal '****' on subscription ID '****': error code: Forbidden, inner error code: AuthorizationFailed, inner error message The client '****' with object id '****' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/****/resourceGroups/****/providers/Microsoft.ContainerRegistry/registries/****/providers/Microsoft.Authorization/roleAssignments/****' or the scope is invalid. If access was recently granted, please refresh your credentials. Ensure that the user has 'Owner' or 'User Access Administrator' permissions on the Subscription.
What configuration could I be missing? The documentation for this is all very sparse and written as though it should all just work.
Thanks
You need to add the AcrPull permission to the service principal you used here. Please go to your ACR and add it.
Here you have the id of your service principal:
Failed to set Azure permission 'RoleAssignmentId: ' for the service principal ''
Also, please check the networking on the ACR to see whether it blocks you or not.
To build and push your Docker image in an Azure pipeline, you need to follow the steps below:
Navigate to Project Settings > Service connections to create a Docker Registry service connection that can connect to your ACR.
In the pipeline, add the Docker task to build and push your Docker image to ACR.
Your service principal on the service connection is missing permissions; see the documentation at https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli. You can use a custom role or a built-in one like Contributor at resource group level. Example of a custom role's allowed actions: "Microsoft.ContainerRegistry/registries/push/write",

getting error while deploying Microsoft enterprise bot template on azure

I created a bot with the Microsoft Enterprise Bot Template, and now I want to deploy it to Azure. I am following this guide, but I am getting the following error after running the following command.
Command :
msbot clone services --name "YOUR_BOT_NAME"
--luisAuthoringKey "YOUR_AUTHORING_KEY"
--folder "DeploymentScripts\LOCALE_FOLDER"
--location "REGION"
Error:
Command failed: az group create -g MyBot -l "region" --subscription KEY
ERROR: The client 'abcd' with object id '679ebaf5-4345-408c-87ef-
9c3bd2795a94' does not have authorization to perform action
'Microsoft.Resources/subscriptions/resourcegroups/write' over scope
'/subscriptions/abcd/resourcegroups/MyBot'.
This means you lack permissions to perform this action; you need to grant your service principal/user permissions to perform that operation (Contributor is the easiest way to solve this). You can grant them on a specific resource group or on the subscription.
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
You need to have Contributor access on the resource group that you are creating the bot in.
Also ensure that Microsoft.BotService is a registered resource provider on the subscription.

I can't login to my azure container registry

I was following the steps in this Microsoft tutorial:
https://learn.microsoft.com/en-us/azure/aks/tutorial-kubernetes-prepare-acr#container-registry-login
I've created a resource group, and then an Azure container registry with "az acr create". The next step is to log in to the registry, but I keep getting this error:
Error response from daemon: Get https://azurereg.azurecr.io/v2/: Service Unavailable
Any ideas?
In order to access ACR from AKS, you can use the underlying service principal. That said, you have to create a role assignment for the Service Principal as mentioned in this paragraph: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-aks?toc=%2fazure%2faks%2ftoc.json#grant-aks-access-to-acr
Creating a role assignment for the Reader role currently doesn't work. You have to create the assignment for the Owner role (described in https://github.com/Azure/AKS/issues/76).
Keep in mind that K8s caches the token for a couple of minutes. It took 3-5 minutes on my cluster to work.