RamnathMuralidhar-8858 asked prmanhas-MSFT commented

Resource Manager Template with Azure Registry Credential using login credential

I have written a JSON script, MyContainer.json, using a Resource Manager Template to deploy a container.
The registry credentials specified in the script are as given below.

 "imageRegistryCredentials": [
   {
     "server": "myregistry.azurecr.io",
     "username": "myaccount@mytenant.onmicrosoft.com",
     "password": "XYZ"
   }
 ]

We wrote this JSON script as specified in the link https://docs.microsoft.com/en-us/azure/container-instances/container-instances-volume-azure-files

We have also disabled the access key for the Azure registry for admin user as shown in the image RegDisAccKey.png

25592-regdisacckey.png

We deploy this JSON file to create the container with the command given below.
az deployment group create --resource-group MyResource --template-file MyContainer.json --debug

I am getting the following error, AuthorizationFailed.

cli.azure.cli.core.util : Azure Error: AuthorizationFailed
Message: The client 'myaccount@mytenant.onmicrosoft.com' with object id 'b13d6d27-0359-4ba3-88b1-5c1c5a4ff6bb' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/ABCD-EFGH-IJKL/resourcegroups/MyResource/providers/Microsoft.Resources/deployments/MyContainer' or the scope is invalid. If access was recently granted, please refresh your credentials.
Azure Error: AuthorizationFailed
Message: The client 'myaccount@mytenant.onmicrosoft.com' with object id 'b13d6d27-0359-4ba3-88b1-5c1c5a4ff6bb' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/ABCD-EFGH-IJKL/resourcegroups/MyResource/providers/Microsoft.Resources/deployments/MyContainer' or the scope is invalid. If access was recently granted, please refresh your credentials.

I have also attached the complete debug error of the failure in azdeperr.txt

25565-azdeperr.txt

How do I create a container using RMT without specifying the Access Key of the Admin User, just by using my Azure login credentials? Is there any special authorization I need in order to successfully run and deploy the container?


azure-container-instances

@RamnathMuralidhar-8858 Any update on the issue?

If the suggested response helped you resolve your issue, do click on "Mark as Answer" for the answer that helped you for benefit of the community.

Thanks.




@prmanhas-MSFT We are analyzing this issue based on your response about assigning the Contributor role. We will surely respond back to you. Thank you.

prmanhas-MSFT replied to RamnathMuralidhar-8858:

@RamnathMuralidhar-8858 Thank you for responding back on this. I will for sure await your response :)

Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics

prmanhas-MSFT answered prmanhas-MSFT edited

@RamnathMuralidhar-8858 Firstly, apologies for the delay in responding on this and any inconvenience this issue may have caused.

I tried to do the repro in my lab with respect to the article you mentioned.

Initially I tried with the most basic role i.e., Reader role over the Subscription but I was running into the same error as yours.

I then tried with Contributor role over the subscription and I was able to go through the tutorial without any issue.

Contributor grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC. You can read more about it here.

Moreover, any role that supports the 'Microsoft.Resources/deployments/validate/action' action should work. Here is a list of built-in roles and supported actions.

You need to add the user as Contributor, or another role having the required permission, over the Subscription, Resource Group or Resource as below:

Go to Azure Portal >> Subscriptions >> IAM >> Add Role Assignment:

25850-image.png

25872-image.png

You can read more about Role Assignments here.

Hope it helps!!!

Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics
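
The check behind the AuthorizationFailed error can be modelled offline. The following is an added example (not part of the original answer and not Azure's own code) that evaluates role definitions against the action and scope quoted in the error message. Assumptions: the role definitions are constructed, abbreviated copies in the shape of `az role definition list` output, `AciDeployer` is a hypothetical custom role, and deny assignments are not modelled.

```python
import re

# Constructed, abbreviated role definitions in the shape of
# `az role definition list` output (permissions[].actions / notActions).
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    # Hypothetical custom role: deployments and container groups only.
    "AciDeployer": {
        "actions": [
            "Microsoft.Resources/deployments/*",
            "Microsoft.ContainerInstance/containerGroups/*",
        ],
        "notActions": [],
    },
}

# Action and scope copied from the AuthorizationFailed message on this page.
REQUIRED = "Microsoft.Resources/deployments/validate/action"
SUB = "/subscriptions/ABCD-EFGH-IJKL"
TARGET = SUB + "/resourcegroups/MyResource/providers/Microsoft.Resources/deployments/MyContainer"

def matches(pattern, action):
    """'*' is the only wildcard; action names compare case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_allows(role, action):
    """Allowed when some actions pattern matches and no notActions pattern does."""
    perms = ROLES[role]
    granted = any(matches(p, action) for p in perms["actions"])
    excluded = any(matches(p, action) for p in perms["notActions"])
    return granted and not excluded

def scope_covers(assigned, target):
    """A role assignment is inherited by every scope beneath it."""
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def can_perform(assignments, action, target):
    """assignments: list of (role name, scope) pairs held by the identity."""
    return any(role_allows(r, action) and scope_covers(s, target)
               for r, s in assignments)
```

Assigning the narrower role at resource-group scope passes the same check as Contributor over the subscription while granting far less.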



RamnathMuralidhar-8858 answered prmanhas-MSFT commented

We tried as you suggested and we also tried giving the user Global Admin rights. We are now getting a different error. We have attached the complete debug log (azdeplerr1.txt) and the telemetry log (telemetry.txt).

As mentioned earlier, when we try with the access key for the Azure registry admin user, it works perfectly all right. But when we try with our Azure user account and its credential, we are getting the above.

We are specifying the credential in the imageRegistryCredentials object in the JSON file. Is there any other object to specify the Azure User AD account so that this will work for the normal AD user account?

27042-azdeplerr1.txt
27132-telemetry.txt




@RamnathMuralidhar-8858 Thank you for clarifying on this. Let me look into it and I will keep you posted on the thread.

Thanks


@RamnathMuralidhar-8858 Firstly, apologies for the delay in responding on this and any inconvenience this issue may have caused.

As this issue needs more investigation and live troubleshooting for quicker resolution, I would recommend that you contact Azure support. If you have a support plan, I request you to file a support ticket; else please do let us know, and we will try to help you get a one-time free technical support.

In this case, could you send an email to AzCommunity[at]Microsoft[dot]com referencing this thread as well as your subscription ID. Please mention "ATTN: Preeti" in the subject line. Thank you for your cooperation on this matter and look forward to your reply.

Also, once you get the issue fixed, request you to reply back here on the thread with the resolution steps for the benefit of the community.


@RamnathMuralidhar-8858 Were you able to open a Support Ticket for the issue?

Do let me know if I can be of any further help!!!

Thanks
