Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Azure Devops does not have authorization to perform action Microsoft.Authorization/roleAssignments/write [duplicate]

I am trying to create a Resource Group dynamically using Azure Management SDK Here are my azure configuration details

subscription=<private-data>
client=<private-data>
key=<private-data>
tenant=<private-data>
managementURI=https://management.core.windows.net/
baseURL=https://management.azure.com/
authURL=https://login.windows.net/
graphURL=https://graph.windows.net/

Here is code for creating Resource

// Credentials
AzureCredentials credentials = new AzureCredentialsFactory()
    .FromFile("azureauth.properties");
string resourceName = GetRandomString();

// Create Azure Instance
var azure = Azure
        .Configure()
        .Authenticate(credentials)
        .WithDefaultSubscription();

// Create a Resource Group
azure.ResourceGroups
        .Define(resourceName)
        .WithRegion(Region.USWest)
        .Create();

The error that I got is:

The client 'ae8bc2ea-9680-4f66-934c-ad40b82c30ac' with object id 'ae8bc2ea-9680-4f66-934c-ad40b82c30ac' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/e9d61100-a82a-48ca-b6f8-51b06a1eebe6/resourcegroups/5oxjhjic'.

I have followed steps specified on https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal
As well as I am trying with my Global Administrator account

like image 797
Nilay Avatar asked Jul 15 '18 16:07

Nilay


People also ask

How do I assign aplication permissions to Azure Active Directory clients?

1 Search on Azure Active Directory for the client GUID or object id present in the error message. This will give you the aplication you should select to assign access to on the Add Permission screen as shown in the answer prints. – Ulysses Alves Mar 16 at 19:04 | Show 3more comments 8

Is contributor enough to grant access to Azure AD?

Contributor will not be enough. Even owner may not potentially be enough as Azure access is different then Azure Active Directory access since you are trying to write to Azure AD to grant the permissions. Does this answer your question? Deployment of ARM: Authorization failed for template resource 'sql

How to authenticate ADF client from inside Azure function?

Since the customer is trying to use the ADF client from inside Azure Function, the recommendation is to use AAD application and service principal for authentication of ADF client. You can find the instructions for creating AAD application and service principal here:

Why can't I clone a repo from Azure DevOps?

To resolve this, first check whether you have got access to the Azure DevOps Organization by checking via Web portal and In case if you are trying to clone a Repo from Azure DevOps check with your Administrator when you have got the required access to Clone the repositories (You should be having basic access to Clone the repos).


1 Answers

you cant be trying with global administrator, obviously. you need to go to you subscription and grant objectid 'ae8bc2ea-9680-4f66-934c-ad40b82c30ac' contributor permissions (easy way) or create a custom role (or figure predefined role) that meets your needs.

you can use portal to do that or azure powershell:

New-AzRoleAssignment -ObjectId 'ae8bc2ea-9680-4f66-934c-ad40b82c30ac' -Scope '/subscriptions/e9d61100-a82a-48ca-b6f8-51b06a1eebe6' -RoleDefinitionName contributor

the equivalent Azure CLI command is:

az role assignment create --assignee-object-id ae8bc2ea-9680-4f66-934c-ad40b82c30ac --scope subscriptions/e9d61100-a82a-48ca-b6f8-51b06a1eebe6 --role contributor
like image 171
4c74356b41 Avatar answered Oct 13 '22 01:10

4c74356b41