I'm trying to update a TXT record in Azure. I'm doing this in my local VS2017 debugging environment, but MSI seems to "work" anyway, because it knows who I am. But the "GetAsync" call fails, telling me I don't have permission.
What am I doing wrong?
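    using Microsoft.Azure.Management.Dns;
    using Microsoft.Azure.Management.Dns.Models;
    using Microsoft.Azure.Services.AppAuthentication;
    using Microsoft.Rest;

    // Acquire an Azure Resource Manager token for the current identity.
    var tokenprovider = new AzureServiceTokenProvider();
    var tok = await tokenprovider.GetAccessTokenAsync("https://management.azure.com/");
    client = new DnsManagementClient(new TokenCredentials(tok))
    {
        SubscriptionId = SubscriptionId
    };
    // Read the existing TXT record set.
    var dnsRecord = await client.RecordSets.GetAsync(ResourceGroup, zoneName, recordName, RecordType.TXT, cancellationToken);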
The GetAsync call throws: Microsoft.Rest.Azure.CloudException: 'The client '(my email address)' with object id '(my object id)' does not have authorization to perform action 'Microsoft.Network/dnsZones/TXT/read' over scope '/subscriptions/(my subscription id)/resourceGroups/(my resource group)/providers/Microsoft.Network/dnsZones/(my domain)/TXT/_acme-challenge'.'
Any idea why?
I've given myself contributor access to the TXT record. I even did this whole thing as the subscription owner. Yet I still get the exception telling me I'm not authorized.
I've also double-checked the subscription/object/domain/txt names - they are correct.
Help :)
EDIT: After a "waiting period" of a while, the calls suddenly started to succeed. So to test... I made a new resource, tried to access it (and failed), gave myself access, tried to access it again (and failed again), and then waited a while and tried later, and it succeeded. Any idea why this could be?
EDIT: (5 months later). Found the correct answer, which is here: https://learn.microsoft.com/en-us/azure/role-based-access-control/troubleshooting#rbac-changes-are-not-being-detected
There is a delay of up to 30 minutes when fiddling with role assignments before they take effect.
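
Given the propagation delay described above, one way to handle it in code is a bounded retry on the AuthorizationFailed error instead of granting a broader role. This is an added example, not part of the original post. The helper name RbacPropagation.RetryAsync, the backoff values and the constructed failure in Main are assumptions, and it relies on the Microsoft.Rest.ClientRuntime.Azure package for CloudException and CloudError.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Rest.Azure;

public static class RbacPropagation
{
    // Hypothetical helper: retries op while ARM still answers AuthorizationFailed,
    // for at most maxWait (the linked page cites a delay of up to 30 minutes).
    // Any other error, or an authorization failure past the deadline, propagates.
    public static async Task<T> RetryAsync<T>(Func<Task<T>> op, TimeSpan maxWait,
        TimeSpan firstDelay, CancellationToken ct = default)
    {
        var deadline = DateTime.UtcNow + maxWait;
        var delay = firstDelay;
        while (true)
        {
            try { return await op(); }
            catch (CloudException ex) when (
                ex.Body?.Code == "AuthorizationFailed" && DateTime.UtcNow + delay < deadline)
            {
                await Task.Delay(delay, ct);
                // Exponential backoff, capped at one minute between attempts.
                delay = TimeSpan.FromTicks(
                    Math.Min(delay.Ticks * 2, TimeSpan.FromMinutes(1).Ticks));
            }
        }
    }

    // Constructed demo: the operation fails twice with the error from the
    // question, then succeeds, as it did once the role assignment took effect.
    public static async Task Main()
    {
        int calls = 0;
        var result = await RetryAsync(() =>
        {
            if (++calls <= 2)
                throw new CloudException("not authorized (constructed)")
                { Body = new CloudError { Code = "AuthorizationFailed" } };
            return Task.FromResult("record set read");
        }, TimeSpan.FromMinutes(30), TimeSpan.FromMilliseconds(100));
        Console.WriteLine($"{result} after {calls} calls");
    }
}
```

In the code from the question, the wrapped operation would be the `client.RecordSets.GetAsync(...)` call.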