Anand Soni

Reputation: 5110

Getting error MsRestAzure::AzureOperationError: AuthorizationFailed while trying to create a VM instance using the Ruby API

I am new to the Azure platform. I have followed this link to generate a service principal: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal

When I reach the step: Assign application to role > point 6 (Search for your application, and select it.), I can't see my application in the search results.

After that I tried to create a VM using the Ruby API:

https://github.com/Azure/azure-sdk-for-ruby/tree/master/management/azure_mgmt_compute

When I implement the code to create a VM, I get the following error:

"message": "MsRestAzure::AzureOperationError: AuthorizationFailed: The client 'xxxx' with object id 'xxxx' does not have authorization to perform action 'Microsoft.Compute/virtualMachines/write' over scope '/subscriptions/xxxx/resourceGroups/my_group/providers/Microsoft.Compute/virtualMachines/test-ubuntu3'.",

In the above error message both the client and the object id are the same. I don't know why, or what the meaning of object id is.

How can I resolve this issue? Where should I look in the portal? Any help will be appreciated.

Thank you

Upvotes: 0

Views: 571

Answers (2)

Peter Pan

Reputation: 24138

Also, you can follow the steps below to give a role to the service principal, which adds the permission for your app in the Azure portal, as in the figure below.

(figure: Azure portal screenshot, not reproduced here)

  1. Move to the Subscription category.
  2. Select the correct subscription for your app.
  3. Click the Access control (IAM) tab.
  4. Click the + Add button.
  5. Select the Contributor role in the Add permission dialog.
  6. Search with your app name, and select the app in the searched list.
  7. Click the Save button.

Upvotes: 0

Jason Ye

Reputation: 13964

Root cause is the service principal you are using doesn't have rights within that tenant.

Tenants have subscriptions and service principals belong to tenants. Azure resource manager also exposes role based authorization for a given principal, which would give it rights on Azure resources. It appears the service principal doesn't have rights to read from that subscription.

Please use Azure CLI 2.0 to create the service principal:

az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName"

Here is the help information from CLI 2.0 for creating a service principal:

C:\Users>az ad sp create-for-rbac -h

Command
    az ad sp create-for-rbac: Create a service principal and configure its access to Azure
    resources.

Arguments
    --cert           : PEM or DER formatted public certificate using string or `@<file path>` to
                       load from a file. Do not include private key info.
    --create-cert    : Create and upload self-signed certificate which you can use to login.
    --expanded-view  : Once created, display more information like subscription and cloud
                       environments.
    --name -n        : A display name or an app id uri. Command will generate one if missing.
    --password -p    : The password used to login. If missing, command will generate one.
    --role           : Role the service principal has on the resources.  Default: Contributor.
    --scopes         : Space separated scopes the service principal's role assignment applies to.
                       Defaults to the root of the current subscription.
    --skip-assignment: Do not create default assignment.
    --years          : Years the password will be valid. Default: 1 year.

Global Arguments
    --debug          : Increase logging verbosity to show all debug logs.
    --help -h        : Show this help message and exit.
    --output -o      : Output format.  Allowed values: json, jsonc, table, tsv.  Default: json.
    --query          : JMESPath query string. See http://jmespath.org/ for more information and
                       examples.
    --verbose        : Increase logging verbosity. Use --debug for full debug logs.

Examples
    Create with a default role assignment.
        az ad sp create-for-rbac

    Create using a custom name, and with a default assignment.
        az ad sp create-for-rbac -n "http://MyApp"

    Create without a default assignment.
        az ad sp create-for-rbac --skip-assignment

    Create with customized assignments
        az ad sp create-for-rbac -n "http://MyApp" --role contributor --scopes
        /subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/MyResourceGroup
        /subscriptions/11111111-2222-3333-4444-666666666666/resourceGroups/MyAnotherResourceGroup

    Create using self-signed certificate
        az ad sp create-for-rbac --create-cert

    Login with a service principal.
        az login --service-principal -u <name> -p <password> --tenant <tenant>

    Login with self-signed certificate
        az login --service-principal -u <name> -p <certificate file path> --tenant <tenant>

    Reset credentials on expiration.
        az ad sp reset-credentials --name <name>

    Create extra role assignments in future.
        az role assignment create --assignee <name> --role Contributor

    Revoke the service principal when done with it.
        az ad app delete --id <name>

    Create using certificate from Key Vault
        az keyvault certificate download --vault-name vault -n cert-name -f cert.pem
        az ad sp create-for-rbac --cert @cert.pem

Upvotes: 2
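The error in the question and the two answers above all come down to one RBAC decision: Azure Resource Manager looks for a role assignment whose principal is the caller's object id, whose scope is the target scope or an ancestor of it, and whose role definition's Actions match the requested action without a matching NotActions entry. The Ruby script below is an added example that models that decision offline; it is not code from the question, from either answer, or from the Azure SDK. It parses the fields out of an AuthorizationFailed message of the shape quoted in the question, then evaluates it against constructed role assignments: none (the questioner's situation), Contributor on the resource group (Jason Ye's `--scopes` command), and Contributor on the whole subscription (Peter Pan's portal steps). The ids, the resource names, and the assignment list are constructed for the example, and the Contributor role definition is simplified (the real one carries a few more NotActions).

```ruby
# Added example: a minimal offline model of the Azure RBAC check that produced
# "AuthorizationFailed". All ids and scopes below are constructed sample data.

# Fields an AuthorizationFailed message carries: caller, object id, action, scope.
ERROR_RE = /The client '(?<client>[^']*)' with object id '(?<object_id>[^']*)' does not have authorization to perform action '(?<action>[^']*)' over scope '(?<scope>[^']*)'/

def parse_authorization_failed(message)
  m = ERROR_RE.match(message)
  return nil unless m
  { client: m[:client], object_id: m[:object_id], action: m[:action], scope: m[:scope] }
end

# Azure action strings use '*' as a wildcard for any run of characters and
# are compared case-insensitively.
def action_matches?(pattern, action)
  re = Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*') + '\z', Regexp::IGNORECASE)
  re.match?(action)
end

# A role assignment at a scope covers that scope and everything beneath it;
# an assignment on a resource group therefore covers every VM inside it.
def scope_covers?(assignment_scope, target_scope)
  a = assignment_scope.downcase.chomp('/')
  t = target_scope.downcase.chomp('/')
  a.empty? || t == a || t.start_with?(a + '/')
end

# Allowed when some Actions pattern matches and no NotActions pattern matches.
def role_allows?(role_def, action)
  allowed = role_def[:actions].any? { |p| action_matches?(p, action) }
  denied  = role_def[:not_actions].any? { |p| action_matches?(p, action) }
  allowed && !denied
end

def authorized?(assignments, roles, principal_object_id, action, scope)
  assignments.any? do |a|
    a[:principal_id].downcase == principal_object_id.downcase &&
      scope_covers?(a[:scope], scope) &&
      role_allows?(roles.fetch(a[:role]), action)
  end
end

# Simplified built-in role definitions (assumption: the real Contributor role
# has additional NotActions; Reader is '*/read').
ROLES = {
  'Contributor' => {
    actions: ['*'],
    not_actions: ['Microsoft.Authorization/*/Delete',
                  'Microsoft.Authorization/*/Write',
                  'Microsoft.Authorization/elevateAccess/Action']
  },
  'Reader' => { actions: ['*/read'], not_actions: [] }
}.freeze

# Constructed sample data mirroring the question's error message.
SP_OBJECT_ID = '11111111-1111-1111-1111-111111111111'
SUB          = '/subscriptions/22222222-2222-2222-2222-222222222222'
RG_SCOPE     = "#{SUB}/resourceGroups/my_group"
VM_SCOPE     = "#{RG_SCOPE}/providers/Microsoft.Compute/virtualMachines/test-ubuntu3"
ACTION       = 'Microsoft.Compute/virtualMachines/write'
SAMPLE_ERROR = "MsRestAzure::AzureOperationError: AuthorizationFailed: The client '#{SP_OBJECT_ID}' " \
               "with object id '#{SP_OBJECT_ID}' does not have authorization to perform action " \
               "'#{ACTION}' over scope '#{VM_SCOPE}'."

# Would the caller named in the error be authorized given these assignments?
def evaluate(assignments, error_message = SAMPLE_ERROR)
  err = parse_authorization_failed(error_message)
  raise ArgumentError, 'not an AuthorizationFailed message' unless err
  authorized?(assignments, ROLES, err[:object_id], err[:action], err[:scope])
end

if __FILE__ == $0
  scenarios = {
    'no assignment (the question)'            => [],
    'Contributor on my_group (az --scopes)'   => [{ principal_id: SP_OBJECT_ID, role: 'Contributor', scope: RG_SCOPE }],
    'Contributor on other_group'              => [{ principal_id: SP_OBJECT_ID, role: 'Contributor', scope: "#{SUB}/resourceGroups/other_group" }],
    'Contributor on subscription (portal)'    => [{ principal_id: SP_OBJECT_ID, role: 'Contributor', scope: SUB }],
    'Reader on subscription'                  => [{ principal_id: SP_OBJECT_ID, role: 'Reader', scope: SUB }]
  }
  scenarios.each { |name, asg| puts format('%-40s %s', name, evaluate(asg) ? 'allowed' : 'AuthorizationFailed') }
end
```

To compare the model with a real tenant, list what the principal actually holds with `az role assignment list --assignee <object id> --all -o table` and check that one row's scope is the target scope or an ancestor of it. The resource-group-scoped assignment from Jason Ye's command is the least-privilege choice of the two answers: it authorizes the VM write inside `my_group` and nothing in any other resource group, while the subscription-wide Contributor from the portal steps covers every resource group in the subscription.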
