Error creating Azure Batch service - azure

I can't create an Azure Batch service. I keep getting error: "Please assign Contributor role to "MicrosoftAzureBatch" service principal through your Subscription's Access control (IAM) blade." even after adding it to my subscription Access control (IAM):

We can get the detailed steps for how to create a Batch account with the Azure portal from the official Azure document. It is odd that you cannot create the service if you have assigned the Contributor role.
If it is still not working for you, please try creating a Batch account. As the document mentions, user subscription mode is no longer recommended for most scenarios.
When creating a Batch account, you should generally choose the default Batch service mode, in which pools are allocated behind the scenes in Azure-managed subscriptions. In the alternative user subscription mode, which is no longer recommended for most scenarios, Batch VMs and other resources are created directly in your subscription when a pool is created. To create a Batch account in user subscription mode, you must also register your subscription with Azure Batch, and associate the account with an Azure Key Vault.

I've already fixed the problem. It seems there was a permissions issue, though the error message was not clarifying at all. I was able to create the Azure Batch service by logging into the Azure portal with the subscription owner account instead of mine.

Related

Can I log into Azure Portal using Service Account Certificate?

Stuff in Azure is secured with Service Accounts. In order for me to see stuff I need to download the Service Account certificate and then log in via the Azure CLI using the extracted certificate and the Service Account Application Id. So now I can see everything the Service Account can see, great. But it is a pain in the neck and slow. So my question: Can I use the same certificate and credentials to log into the Azure Portal website so I can browse around using the web browser instead?
Using a Service Principal for interactive logins to the Azure Portal is not possible - which is by design. In order to be able to see the same resources as the Service Principal through the Azure Portal, you would require a user account that holds the Azure RBAC Reader role against those resources that are in scope of the Service Principal role assignments.
As you mentioned performance being an issue with using the Service Principal login, you could try Azure Resource Graph queries. These are supported by Azure CLI, Azure PowerShell as well as all the major Azure SDKs. Obviously, this won't bring you the visual experience like the Azure Portal but might resolve the performance piece maybe.
However, requesting/creating a user account that has the corresponding RBAC roles assigned would be the only way to allow you to see the resources through the Azure Portal.

Using Azure SQL Migration extension on Azure Data Studio

I have connected my Azure account in Data Studio and I am using the Azure SQL Migration extension (v0.1.12) to migrate on-prem SQL to Azure Managed Instance.
However my subscription details are not getting fetched.
Screen Shot Attached Here
When I manually add Azure Subscription details I am getting the following error
Manually Entered Details
And the error message Error
The issue seems to be more of an access-level issue.
Below are the types of access levels that you need to have for creating an Azure Migrate Appliance project
Contributor or Owner permissions in the Azure subscription.
Permissions to register Azure Active Directory (Azure AD) apps.
Owner or Contributor and User Access Administrator permissions in the Azure subscription to create an instance of Azure Key Vault, which is used during agentless server migration.
Below are the steps to set contributor or Owner permissions
From Azure Subscriptions panel select the subscription
Move to Access Control IAM and select Add role Assignment
Assign the following roles.
For complete information check the Microsoft Document on providing access.

Azure Blob Storage: Add role assignment issue

In Azure DevOps, I have created a service connection (type: Azure Resource Manager) to be able to upload files to Azure Blob Storage.
Then I have added the Storage Blob Data Contributor role for this service principal under Access Control (IAM) in my Azure Storage account by searching for the service principal's name under Select.
I have noticed that each time I create a new DevOps pipeline that uses the (same) service connection, I need to add the Storage Blob Data Contributor role again because under Select, there are then multiple items with the same (service principal's) name. It's not clear why there are multiple items and it's also unclear which one is the newest, such that I am just adding all items as a workaround.
Is there anything that I am missing to avoid ending up with dozens of items to select when assigning roles for a new pipeline that uses the same service connection?
By design, one service connection maps to one single service principal.
Your issue is most likely that you never assigned the actual service principal id to that service connection when you configured it. When the system finds there is no principal there, it will automatically create one for it in Azure.
Please give the full parameters value there, including service principal id and secret, when you create the service connection.
Then you can just grant the permission to the currently used service principal.
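
The answer's point, that the role belongs on the one principal the connection actually uses rather than on every same-named entry, can be checked by keying on IDs instead of display names. This is an added example, not code from the original thread: the records are constructed, and the function names and the `connection_app_id` parameter (the service principal id entered in the service connection) are hypothetical.

```python
from collections import defaultdict

STORAGE = ("/subscriptions/sub-1/resourceGroups/rg-a/providers/"
           "Microsoft.Storage/storageAccounts/acct1")  # constructed scope
ROLE = "Storage Blob Data Contributor"

# Constructed records. Field names are modelled on the JSON printed by
# `az ad sp list` and `az role assignment list` (an assumption of this sketch).
SERVICE_PRINCIPALS = [
    {"displayName": "org-project-sub", "appId": "app-aaa", "id": "obj-aaa"},
    {"displayName": "org-project-sub", "appId": "app-bbb", "id": "obj-bbb"},
    {"displayName": "org-project-sub", "appId": "app-ccc", "id": "obj-ccc"},
    {"displayName": "unrelated-app", "appId": "app-ddd", "id": "obj-ddd"},
]
ROLE_ASSIGNMENTS = [
    {"principalId": "obj-aaa", "roleDefinitionName": ROLE, "scope": STORAGE},
    {"principalId": "obj-bbb", "roleDefinitionName": ROLE, "scope": STORAGE},
    {"principalId": "obj-ddd", "roleDefinitionName": "Reader", "scope": STORAGE},
]

def ambiguous_names(sps):
    """Display names shared by more than one principal, with their object ids."""
    by_name = defaultdict(list)
    for sp in sps:
        by_name[sp["displayName"]].append(sp["id"])
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}

def audit_connection(sps, assignments, connection_app_id, role, scope):
    """Resolve the connection's principal by appId, then split the grants of
    `role` at `scope` into the one it needs and those held by same-named twins."""
    current = next((sp for sp in sps if sp["appId"] == connection_app_id), None)
    if current is None:
        raise LookupError(f"no service principal with appId {connection_app_id}")
    twins = {sp["id"] for sp in sps
             if sp["displayName"] == current["displayName"]
             and sp["id"] != current["id"]}
    held = [a for a in assignments
            if a["roleDefinitionName"] == role and a["scope"] == scope]
    return {
        "object_id": current["id"],
        "has_role": any(a["principalId"] == current["id"] for a in held),
        "stale_grants": [a["principalId"] for a in held if a["principalId"] in twins],
    }
```

Grants listed under `stale_grants` belong to principals the connection no longer authenticates as, so they are candidates for removal rather than for re-adding.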

Understanding the Azure Service Principal

I'd like to create a service principal to allow deployments to one or more of my resources under my subscription.
I have an MSDN subscription allowing me £40 a month on Azure.
The Azure Active Directory is maintained by my company.
I am set as a general user
I've already created a service principal with a key via the portal.
When I try to connect via the SP from Octopus Deploy I get the below message:
Unable to verify Azure Account: The client 'xxxx' with object id
'xxxx' does not have authorization to perform action
'Microsoft.Resources/subscriptions/resourcegroups/read' over scope
'/subscriptions/xxxx'.
As I now understand it, an SP sits at tenant level. So does this mean that I likely don't have any permissions to create an SP with the proper access to do what I need and I'll have to get an Admin to do it?
I'm struggling to understand this authentication method tbh. So any information to help clarify how this all fits together would be very much appreciated.
e.g.
Can I limit an SP to just my MSDN subscription?
Can I even limit it to resource groups / resources?
...
In terms of permissions, a Service Principal doesn't differ from a regular user. Your service principal doesn't have access to that particular subscription. You need to grant those rights to the service principal. You can use portal\powershell\cli\SDK to do that. Sample link.
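
To make the scoping questions above concrete, here is a simplified model of how a role assignment's scope and role actions decide a request like the one in the error message. It is an added example, not code from the original thread or from Azure: the role definitions are abbreviated, the ids in the sample error are constructed placeholders, and all function names are hypothetical.

```python
import fnmatch
import re

# Abbreviated built-in roles; DataActions, deny assignments and conditions
# are not modelled here.
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
}

DENIAL = re.compile(
    r"client '([^']*)' with object id '([^']*)' does not have authorization "
    r"to perform action '([^']*)' over scope '([^']*)'")

# Constructed sample: the page's error with placeholder ids instead of 'xxxx'.
SAMPLE_ERROR = """Unable to verify Azure Account: The client 'app-1' with object id
'obj-1' does not have authorization to perform action
'Microsoft.Resources/subscriptions/resourcegroups/read' over scope
'/subscriptions/sub-1'."""

def parse_denial(message):
    """Pull client, object id, action and scope out of the error text."""
    m = DENIAL.search(" ".join(message.split()))  # undo line wrapping first
    if not m:
        return None
    return dict(zip(("client", "object_id", "action", "scope"), m.groups()))

def _matches(action, patterns):
    # Patterns are compared case-insensitively; '*' also spans '/'.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def scope_covers(assigned, requested):
    """An assignment applies at its own scope and at every scope beneath it."""
    a, r = assigned.rstrip("/").lower(), requested.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def is_authorized(assignments, object_id, action, scope):
    """True if any assignment for this principal covers the scope and action."""
    for a in assignments:
        role = ROLES[a["role"]]
        if (a["principal_id"] == object_id and scope_covers(a["scope"], scope)
                and _matches(action, role["actions"])
                and not _matches(action, role["not_actions"])):
            return True
    return False
```

With no assignment the parsed request is denied, as in the question; an assignment scoped to one resource group authorizes actions inside that group only, which is how a service principal is limited to a subscription or to individual resource groups.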

How to check applied policies and/or the user limits on a subscription

I'm using "MSDN Platforms" and "Developer Program Benefit" subscriptions.
I'm unable to create resource groups and services in certain locations on a selected subscription either through the Azure portal or Azure PowerShell. Sometimes I get exceptions on quota limits.
How do I check applied policies and/or the user limits on a subscription?
I'm asking because, due to the subscription limitations, I got an error message in the following scenario:
Created availability set in southindia location
Trying to deploy a VM in the same location.
How do I check applied policies and/or the user limits on a subscription?
You could check it on Azure Portal. <your subscription>-->Usage + quotas.
If you reach your subscription limit, you could create a ticket to raise the limit, please refer to this link.
Also, you need to check your user's role. If you want to create resources in Azure, I suggest you select the Owner or Contributor role. Please refer to this link.
Note: In this link I provide, the application name is your user name.
