I get an error when trying to deallocate a virtual machine with the Python SDK for Azure.

Basically I try something like:

from pprint import pprint
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.compute import ComputeManagementClient

credentials = ServicePrincipalCredentials(client_id=client_id, secret=secret, tenant=tenant)
compute_client = ComputeManagementClient(credentials, subscription_id, '2015-05-01-preview')
result = compute_client.virtual_machines.deallocate(resource_group_name, vm_name)
pprint(result.result())

-> exception:

msrestazure.azure_exceptions.CloudError: Azure Error: AuthorizationFailed
Message: The client '<some client UUID>' with object id '<same client UUID>' does not have authorization to perform action 'Microsoft.Compute/virtualMachines/deallocate/action' over scope '/subscriptions/<our subscription UUID>/resourceGroups/<resource-group>/providers/Microsoft.Compute/virtualMachines/<our-machine>'.

What I don't understand is that the error message contains an unknown client UUID that I have not used in the credentials. Python is version 2.7.13 and the SDK version was from yesterday.

What I guess I need is a registration for an Application, which I did to get the information for the credentials. I am not quite sure which exact permission(s) I need to register for the application with IAM. For adding an access entry I can only pick existing users, but not an application.

So is there any programmatic way to find out which permissions are required for an action and which permissions our client application has?

Thanks!

Peter Pan
Christoph
  • Please see this link regarding how you can assign role/permission to a service principal: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal#assign-application-to-role. HTH. – Gaurav Mantri Apr 06 '17 at 09:50
  • Hi, thanks for that link. I know it. But I still wonder whether there is a way to get more concrete information on which permissions are necessary by the use of the API. – Christoph Apr 06 '17 at 15:12
  • When you get this kind of error, you can look at this page to know what permissions you need: https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles. You will see that you need to add the role "Virtual Machine Contributor" to the credential. – Laurent Mazuel Apr 06 '17 at 16:02
  • Thank you for that link! – Christoph Apr 10 '17 at 07:13

2 Answers


As @GauravMantri & @LaurentMazuel said, the issue was caused by not assigning a role/permission to the service principal. I had answered another SO thread, Cannot list image publishers from Azure java SDK, which is similar to yours.

There are two ways to resolve the issue: using the Azure CLI, or doing these operations in the Azure portal. Please see the details of my answer there for the first; I have updated the second, older way below.

(screenshot of the portal steps not available in this copy)

And if you want to find out these permissions programmatically, you can refer to the REST API Role Definition List to get all role definitions that are applicable at the scope and above, or refer to the Azure Python SDK Authorization Management to do it in code via authorization_client.role_definitions.list(scope).

Hope it helps.

Peter Pan
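The question asks for a programmatic way to find out which permissions an action requires and which ones the service principal actually has, and the answer above points at authorization_client.role_definitions.list(scope). The script below is an added example, not code from the question, the answers or the Azure SDK. It does the matching step those APIs leave to the caller: it parses the action and scope out of an AuthorizationFailed message, evaluates RBAC role definitions against that action (wildcard Actions minus NotActions), and checks which role assignments reach the resource's scope. The role definitions, the two custom roles, the assignments and all UUIDs are constructed inside the script so that it runs offline; with a real subscription the lists would come from AuthorizationManagementClient in azure-mgmt-authorization, as shown in the trailing comment.

```python
"""Which Azure RBAC roles would grant a denied action, worked offline.

Added example, not code from the question or the answers.  The role definitions
and assignments are constructed to mirror the shape of role_definitions.list()
and role_assignments.list_for_scope() in azure-mgmt-authorization, so it runs
without a subscription; the live calls are in the comment at the bottom.
"""
import re

# Pulls the denied action and the scope out of an AuthorizationFailed message.
ERROR_RE = re.compile(r"perform action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'")

# Constructed sample modelled on the message in the question (dummy UUIDs).
SP_OBJECT_ID = "00000000-0000-0000-0000-000000000001"
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-0000000000aa"
VM_SCOPE = SUBSCRIPTION + "/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-demo"
SAMPLE_ERROR = (
    "Azure Error: AuthorizationFailed Message: The client '%s' with object id '%s' does not "
    "have authorization to perform action 'Microsoft.Compute/virtualMachines/deallocate/action' "
    "over scope '%s'." % (SP_OBJECT_ID, SP_OBJECT_ID, VM_SCOPE)
)

# Constructed role definitions: three built-in roles as documented, plus two
# hypothetical custom roles to exercise the NotActions and near-miss cases.
ROLE_DEFINITIONS = [
    {"role_name": "Reader",
     "permissions": [{"actions": ["*/read"], "not_actions": []}]},
    {"role_name": "Contributor",
     "permissions": [{"actions": ["*"],
                      "not_actions": ["Microsoft.Authorization/*/Delete",
                                      "Microsoft.Authorization/*/Write",
                                      "Microsoft.Authorization/elevateAccess/Action"]}]},
    {"role_name": "Virtual Machine Contributor",
     "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/*"],
                      "not_actions": []}]},
    {"role_name": "VM Starter (hypothetical custom role)",
     "permissions": [{"actions": ["Microsoft.Compute/*/read",
                                  "Microsoft.Compute/virtualMachines/start/action"],
                      "not_actions": []}]},
    {"role_name": "Compute Minus Power Control (hypothetical custom role)",
     "permissions": [{"actions": ["Microsoft.Compute/*"],
                      "not_actions": ["Microsoft.Compute/virtualMachines/deallocate/action",
                                      "Microsoft.Compute/virtualMachines/powerOff/action"]}]},
]

# Constructed assignments: Reader on the subscription, VM Contributor on another group.
ROLE_ASSIGNMENTS = [
    {"principal_id": SP_OBJECT_ID, "role_name": "Reader", "scope": SUBSCRIPTION},
    {"principal_id": SP_OBJECT_ID, "role_name": "Virtual Machine Contributor",
     "scope": SUBSCRIPTION + "/resourceGroups/rg-other"},
]

def parse_authorization_failed(message):
    """Return (action, scope) parsed from an AuthorizationFailed message."""
    m = ERROR_RE.search(message)
    if m is None:
        raise ValueError("not an AuthorizationFailed message")
    return m.group("action"), m.group("scope")

def action_matches(pattern, action):
    """RBAC action patterns use '*' as the only wildcard; matching ignores case."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def role_grants_action(role, action):
    """Granted when some Actions entry matches and no NotActions entry matches."""
    perms = role["permissions"]
    allowed = any(action_matches(p, action) for perm in perms for p in perm["actions"])
    denied = any(action_matches(p, action) for perm in perms for p in perm["not_actions"])
    return allowed and not denied

def roles_granting(role_definitions, action):
    """Sorted names of the role definitions that would grant `action`."""
    return sorted(r["role_name"] for r in role_definitions if role_grants_action(r, action))

def scope_covers(assignment_scope, resource_scope):
    """An assignment applies at its own scope and at every scope beneath it."""
    a, r = assignment_scope.lower().rstrip("/"), resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")

def explain(message, role_definitions, assignments, principal_id):
    """Roles that would grant the denied action versus roles the principal holds there."""
    action, scope = parse_authorization_failed(message)
    needed = roles_granting(role_definitions, action)
    held = sorted(a["role_name"] for a in assignments
                  if a["principal_id"].lower() == principal_id.lower()
                  and scope_covers(a["scope"], scope))
    return {"action": action, "scope": scope, "roles_that_grant": needed,
            "roles_held_at_scope": held, "missing": not (set(needed) & set(held))}

if __name__ == "__main__":
    import pprint
    pprint.pprint(explain(SAMPLE_ERROR, ROLE_DEFINITIONS, ROLE_ASSIGNMENTS, SP_OBJECT_ID))
    # Live equivalent (needs network and azure-mgmt-authorization; not run here):
    # from azure.mgmt.authorization import AuthorizationManagementClient
    # auth = AuthorizationManagementClient(credentials, subscription_id)
    # defs = [{"role_name": d.role_name, "permissions": [{"actions": p.actions,
    #          "not_actions": p.not_actions} for p in d.permissions]}
    #         for d in auth.role_definitions.list(scope)]
```

On the constructed data the script reports that Contributor and Virtual Machine Contributor would grant the deallocate action, that only Reader reaches the VM's scope (the VM Contributor assignment sits on a different resource group), and therefore that the assignment is missing. The custom "Compute Minus Power Control" role shows why a wildcard in Actions is not enough: a matching NotActions entry removes the permission again. With live data, the principal_id to filter on is the object id printed in the error message.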

Thank you all for your answers! The best recipe for creating an application and registering it with the right role, Virtual Machine Contributor, is indeed presented on https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal. The main issue I had was that there is a bug in adding a role within IAM. I use Add. I select "Virtual Machine Contributor". With "Select" I am presented with a list of users, but not the application that I have created for this purpose. Entering the first few letters of the name of my application gives a filtered output that does include my application, though. Registration is then finished and things can proceed.

Christoph