question Re: Cloudbreak on Azure authorization error: client does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope in Archives of Support Questions (Read Only)

Cloudbreak on Azure authorization error: client does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope

awoolford — Thu, 16 Mar 2017 12:12:53 GMT

I'm trying to get Cloudbreak to deploy a cluster on Azure. The first step is to create a set of Azure credentials in Cloudbreak. To do this, it's necessary to create a resource group, storage account, application, and application service principal:

# create a resource group in the West US region
azure group create woolford "westus"

# create a storage account in that resource group
azure resource create woolford woolfordstorage "Microsoft.Storage/storageAccounts" "westus" -o "2015-06-15" -p "{\"accountType\": \"Standard_LRS\"}"

# create an application and service principal
azure ad sp create -n awoolford -p Password123
#  info:    Executing command ad sp create
#  + Creating application awoolford                                              
#  + Creating service principal for application 2a105e3d-f330-4a6f-b5e3-57de672e91c1
#  data:    Object Id:               d14aa306-9d7c-41a5-809b-c27f86167ad5
#  data:    Display Name:            awoolford
#  data:    Service Principal Names:
#  data:                             2a105e3d-f330-4a6f-b5e3-57de672e91c1
#  data:                             http://awoolford
#  info:    ad sp create command OK

Once this is done, I collected all the ID's required by Cloudbreak and created a set of credentials in the Cloudbreak UI:

# get the subscription ID
azure account list
#  info:    Executing command account list
#  data:    Name           Id                                    Current  State  
#  data:    -------------  ------------------------------------  -------  --------
#  data:    SE             ********-****-****-****-*********797  true     Enabled 

# get the app owner tenant ID
azure account show --json | jq -r '.[0].tenantId'
#  b60c9401-2154-40aa-9cff-5e3d1a20085d

# get the storage account key
azure storage account keys list woolfordstorage --resource-group woolford
#  info:    Executing command storage account keys list
#  + Getting storage account keys                                                
#  data:    Name  Key                                                                                       Permissions
#  data:    ----  ----------------------------------------------------------------------------------------  -----------
#  data:    key1  a9jeK3iRSgHlGlgiM4HTCVnKPpgt7srFz+WE8bGz7tiUuTfVSjl8jRR/CuA+tQ6yiaNBtkTv3E5yGBsMW1H4Cg==  Full      
#  data:    key2  ozhjirLlt3pp96lLtrPzaNziPQtfJ0QGiG+ETL9uJgQnM+vrMU/qhzVUa5fhdZ8xa6xItSH/NiImL45zir7KwA==  Full      
#  info:    storage account keys list command OK

When I try to launch the cluster in Cloudbreak an error is thrown:

Cluster Status
{error={code=AuthorizationFailed, message=The client 'bbd3275e-34ba-4614-94a7-4ed09cc0f3aa' with object id 'bbd3275e-34ba-4614-94a7-4ed09cc0f3aa' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/7d204bd6-841e-43fb-8638-c5eedf2ea797/resourcegroups/woolford-cloudbreak18'.}}

It seems that there's a permissions issue in Azure and I'm not sure how to resolve it. Can you see what I'm doing wrong? Any suggestions?

Re: Cloudbreak on Azure authorization error: client does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope

darvasip — Thu, 16 Mar 2017 17:16:14 GMT

@Alex Woolford

The suggested way of creating these prerequisites is by using our cli tool.

cbd azure configure-arm --app_name myapp --app_password password123 --subscription_id 1234-abcd-efgh-1234

This should create all the needed resources. For your particular case, the role assignment seems to be missing.

azure role assignment create --objectId $OBJECT_ID -o Owner -c /subscriptions/$APP_SUBSCRIPTION_ID &> $APP_NAME-assign.log

The new version of Cloudbreak coming soon will contain enhancements to automate this error-prone process from the UI.

Hope this helped!

Re: Cloudbreak on Azure authorization error: client does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope

awoolford — Thu, 16 Mar 2017 22:32:44 GMT

Thanks @pdarvasi.

The CLI tool source code was very helpful to understand the step that I missed (i.e role assignment). For some reason, the role assignment step is failing, e.g.

[root@cloudbreak cloudbreak-deployment]# azure role assignment create --objectId 0d49187f-6ca7-4a27-b276-b570c8dcba5a -o Owner -c /subscriptions/7d204bd6-841e-43fb-8638-c5eedf2ea797 &> $APP_NAME-assign.log

[root@cloudbreak cloudbreak-deployment]# cat awoolford-assign.log 
info:    Executing command role assignment create
info:    Finding role with specified name
info:    Creating role assignment
error:   The client 'awoolford@hortonworks.com' with object id '7d18df3a-d9fc-41cf-902e-2fc26a7f0b67' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/********-****-****-****-*********797'.
error:   Error information has been recorded to /root/.azure/azure.err
error:   role assignment create command failed

The associated error log has a very similar, but more verbose error:

[root@cloudbreak cloudbreak-deployment]# cat /root/.azure/azure.err
2017-03-16T14:59:12.520Z:
{ Error: The client 'awoolford@hortonworks.com' with object id '7d18df3a-d9fc-41cf-902e-2fc26a7f0b67' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/********-****-****-****-*********797'.
  <<< async stack >>>
  at __1 (/usr/lib/node_modules/azure-cli/lib/commands/arm/role/role.assignment.js:152:55)
  <<< raw stack >>>
    at Function.ServiceClient._normalizeError (/usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/services/serviceclient.js:814:23)
    at /usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/services/filters/errorhandlingfilter.js:44:29
    at Request._callback (/usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/http/request-pipeline.js:109:14)
    at Request.self.callback (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:187:22)
    at emitTwo (events.js:106:13)
    at Request.emit (events.js:191:7)
    at Request.<anonymous> (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:1044:10)
    at emitOne (events.js:101:20)
    at Request.emit (events.js:188:7)
    at IncomingMessage.<anonymous> (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:965:12)
  stack: [Getter/Setter],
  code: 'AuthorizationFailed',
  statusCode: 403,
  requestId: '49bd5570-2c2c-49a7-aead-c30581a158a2',
  __frame: 
   { name: '__1',
     line: 73,
     file: '/usr/lib/node_modules/azure-cli/lib/commands/arm/role/role.assignment.js',
     prev: undefined,
     calls: 1,
     active: false,
     offset: 79,
     col: 54 },
  rawStack: [Getter] }
Error: The client 'awoolford@hortonworks.com' with object id '7d18df3a-d9fc-41cf-902e-2fc26a7f0b67' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/********-****-****-****-*********797'.
  <<< async stack >>>
  at __1 (/usr/lib/node_modules/azure-cli/lib/commands/arm/role/role.assignment.js:152:55)
  <<< raw stack >>>
    at Function.ServiceClient._normalizeError (/usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/services/serviceclient.js:814:23)
    at /usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/services/filters/errorhandlingfilter.js:44:29
    at Request._callback (/usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/http/request-pipeline.js:109:14)
    at Request.self.callback (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:187:22)
    at emitTwo (events.js:106:13)
    at Request.emit (events.js:191:7)
    at Request.<anonymous> (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:1044:10)
    at emitOne (events.js:101:20)
    at Request.emit (events.js:188:7)
    at IncomingMessage.<anonymous> (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:965:12)

I'm a bit confused, because I know this works for other people. I'd be surprised if my Azure account was setup with different permissions from my colleagues - though that's what the error seems to suggest.

Re: Cloudbreak on Azure authorization error: client does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope

darvasip — Fri, 17 Mar 2017 01:24:58 GMT

@Alex Woolford That could be to cause that your user is not admin, or co-admin in your subscription. This is a prerequisite, as per the documentation.