Error: LinkedAuthorizationFailed on configurating AppGW

Question

I deployed infrastructure using this repo. The logs of my application gateway pod looks like :

Event(v1.ObjectReference{Kind:"Pod", Namespace:"kube-system", Name:"ingress-appgw-deployment
-bf6785d8d-87lgm", UID:"uiuiduid-4dff-4496-ba43-0ed031542ed7", APIVersion:"v1", ResourceVersion:"102567", FieldPath:""}): type: 'Warning
' reason: 'FailedApplyingAppGwConfig' network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Origina
l Error: Code="LinkedAuthorizationFailed" Message="The client 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' with object id 'xxxxxxxx-551c-46a7-
b1c2-e4eb093784ce' has permission to perform action 'Microsoft.Network/applicationGateways/write' on scope '/subscriptions/xxxxxxxx-6a2d
-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev'; however, it does n
ot have permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscript
ions/xxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-agw
-keyvault-kubota-dev' or the linked scope(s) are invalid."

This issue is similar to mine. and i run :

az role assignment create --role "Managed Identity Operator" --assignee xxxxxxxx-551c-46a7-b1c2-e4eb093784ce --scope /subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev

and the permission was added successfully:

But the error mentioned in application gateway logs, still present.

Not sure what is the cause ? Any pointers would be helpful

Answer 1

Event(v1.ObjectReference{Kind:"Pod", Namespace:"kube-system", Name:"ingress-appgw-deployment bf6785d8d-87lgm", UID:"uiuiduid-4dff-4496-ba43-0ed031542ed7", APIVersion:"v1", ResourceVersion:"102567", FieldPath:""}): type: 'Warning'reason: 'FailedApplyingAppGwConfig' network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 – Original Error: Code="LinkedAuthorizationFailed" Message="The client 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' with object id 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' has permission to perform action 'Microsoft.Network/applicationGateways/write' on scope '/subscriptions/xxxxxxxx-6a2d49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev'; however, it does not have permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/xxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-agw  keyvault-kubota-dev' or the linked scope(s) are invalid."

According the above error, the linked scope is invalid.

• You have given the incorrect scope id in your existing Azure CLI command. Thus, you will have to execute the commands with correct scope ID and only then you will be able to configure the application gateway with the permission of "Managed identity operator role". Ensure that the below scope for your environment is mentioned in your Azure CLI command and it is executed once again for the correct scope permission to be valid.

• Correct scope: - /subscriptions/xxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-agw-keyvault-kubota-dev ’

Reference:

application-gateway-kubernetes-ingress/appgw-ssl-certificate.md at master · Azure/application-gateway-kubernetes-ingress (github.com)