
I am attempting to create an AKS cluster in a fresh new subscription. When the cluster is created via the web interface, a CreateRoleAssignmentError error is eventually produced with the following message:

RoleAssignmentReconciler retry timed out: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'foo' with object id 'foo' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/bar/resourceGroups/MC_MyResourceGroup_mycluster_region/providers/Microsoft.Authorization/roleAssignments/az

Note that the cluster is created with a manually created service principal, as per the documentation. This service principal has the "Owner" role on all Resource Groups within the subscription.

Note also that the reason I had to create a service principal manually is that the cluster could not be created otherwise in the first place. When I attempted to create a cluster without explicitly specifying a service principal (that is, requesting a new one to be created automatically), another error was produced:

The credentials in ServicePrincipalProfile were invalid. Please see https://aka.ms/aks-sp-help for more details. (Details: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'foo' was not found in the directory 'bar'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 9ec6ed81-892d-4592-b7b5-61842f5c1200\r\nCorrelation ID: bffbb112-7348-4403-a36f-3010bf34e594\r\nTimestamp: 2019-07-13 15:48:02Z","error_codes":[700016],"timestamp":"2019-07-13 15:48:02Z","trace_id":"9ec6ed81-892d-4592-b7b5-61842f5c1200","correlation_id":"bffbb112-7348-4403-a36f-3010bf34e594","error_uri":"https://login.microsoftonline.com/error?code=700016"})

I am doing these operations on a fresh new account and subscription using the "initial" admin user, so I would suppose all permissions should be in place. What can explain the errors above?

Tim
  • As far as I know, usually just pressing Create again if you see the second error (if you are using the portal) will fix it. For the first error, it's a bit hard to say what's going on, but you need to have the appropriate permission (and if you think you have it, that doesn't mean you do). It doesn't matter what permissions the SP has. – 4c74356b41 Jul 14 '19 at 12:40
  • Does the client "foo" have the "User Access Administrator" role on the subscription? Does "foo" correspond to your own user (the one you're logged in as in the portal)? – Alessandro Vozza Jul 14 '19 at 13:13
  • You don't need those permissions for the SP (in fact you don't need any permissions for the SP); it will be granted the necessary permissions when it provisions AKS. On top of that, you don't need to be `User Access Administrator` to successfully create a properly working AKS cluster. – 4c74356b41 Jul 14 '19 at 13:34
  • Well, you do, when you use a custom vnet. You (your user/SP) assign the Network Contributor role on the vnet to the AKS SP, and for that you need the User Access Admin role. – Alessandro Vozza Jul 14 '19 at 13:45
  • Hi @AlessandroVozza. "foo" in the error above is an Object ID which is *new every time* I attempt to create a cluster. It does *not* correspond to the Object ID of the logged-in user, nor to the AAD application id (service principal). So I'm not even sure what this object is or when/how it is created. Is there a way to find/describe an object by its ID? – Tim Jul 14 '19 at 14:03
  • I've tried adding the "User Access Administrator" role to the logged-in user, but it has no effect (I still get the same error). – Tim Jul 14 '19 at 14:03
  • Well, that's embarrassing. It works now. I didn't change anything in the AAD or RBAC apart from the fact that I added the "User Access Administrator" role to the logged-in user, but I have since removed it and it still works. Also, it actually did not work while that role was still assigned. I repeat the same operations as previously (or at least I think so), and the cluster is created OK now. I guess there is no problem anymore. It still worries me though, because I don't understand what the problem was, nor what the fix was. – Tim Jul 14 '19 at 14:03
  • No, that's not true: you need `Microsoft.Authorization/roleAssignments/write` over the subnet id (not even the vnet) to assign those permissions. @AlessandroVozza. The easiest way to have enough permissions is Contributor over the resource group plus the above. The SP needs zero permissions. – 4c74356b41 Jul 14 '19 at 14:45
  • OK, I think there is some "eventual consistency" at play, because my comment above about the "User Access Administrator" role actually appears to be invalid. I confirm that having the "User Access Administrator" role fixes the issue; I just had to wait for the permissions to be applied. I didn't verify it, but logically I tend to agree with @4c74356b41: it is the `roleAssignments/write` permission which seems to be missing otherwise. I would gladly accept an answer explaining this if someone would submit it. – Tim Jul 14 '19 at 15:36

2 Answers


As the OP asks, here's the answer. In order to create resources in Azure (it doesn't matter which resources) you need permissions of the form provider/resource/write. The same goes for edits. This basic principle applies to all the resources out there. Now let's compare Owner and Contributor:

[image: comparison of the Owner and Contributor built-in role definitions]

I have an AKS template that needs the Contributor role to work, plus this custom role:

$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"   # clone a built-in role to use as a template
$role.Id = $null                                                   # clear the Id so a new definition is created instead of updating the built-in one
$role.Name = "Assign AKS permissions to the vnet"
$role.Description = "Assign AKS permissions to the vnet for the inflation process"
$role.Actions.Clear()                                              # drop the VM permissions; keep only the single action AKS needs
$role.Actions.Add("Microsoft.Authorization/roleAssignments/write")
$role.AssignableScopes.Clear()                                     # the built-in role is assignable at "/", which a custom role cannot be
$role.AssignableScopes.Add("/subscriptions/<subscription-id>")     # replace with your subscription id
New-AzureRmRoleDefinition -Role $role                              # create the custom role definition

AKS clusters created by code using this role plus Contributor are fully functional.

User Access Administrator is a built-in role that you are granted when you are the tenant admin and you grant yourself access to everything under your tenant: https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin. So it will obviously work if you grant yourself this role, but you can get away with far fewer permissions.

4c74356b41
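The answer above rests on how Azure RBAC decides an authorization request: each role assignment that sits at the target scope or at an ancestor of it contributes the role's Actions minus its NotActions, patterns use `*` wildcards and are matched case-insensitively, and the request succeeds if any assignment contributes a matching action. The following script is an added example, not code from the question or either answer: it models that evaluation offline so you can see why a Contributor at the subscription gets a 403 on `Microsoft.Authorization/roleAssignments/write` in the MC_ resource group (Contributor's NotActions carve out `Microsoft.Authorization/*/Write`), why Owner or User Access Administrator succeeds, and why the custom single-action role from the answer works only at the scope it is assigned to. The Owner, Contributor and User Access Administrator definitions are transcribed from the Azure built-in roles; the subscription id, resource ids, principal names and assignments are constructed sample data, and the function names `role_allows`, `scope_covers` and `is_authorized` are my own. Deny assignments, data actions and ABAC conditions are deliberately ignored.

```python
"""Offline model of Azure RBAC action authorization.

Added example: built-in role definitions are transcribed from Azure, all
scopes, principals and assignments below are constructed sample data, and
deny assignments / data actions / conditions are not modelled.
"""
from fnmatch import fnmatchcase

# Role definitions as (Actions, NotActions).  The first three are the Azure
# built-in roles; the last is the custom role created in the answer above.
ROLE_DEFINITIONS = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
            "Microsoft.Blueprint/blueprintAssignments/write",
            "Microsoft.Blueprint/blueprintAssignments/delete",
        ],
    },
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
    "Assign AKS permissions to the vnet": {
        "Actions": ["Microsoft.Authorization/roleAssignments/write"],
        "NotActions": [],
    },
}

ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"

# Constructed sample scopes (a placeholder subscription id, the AKS node
# resource group from the question, and a subnet in a custom vnet).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
MC_RG = SUB + "/resourceGroups/MC_MyResourceGroup_mycluster_region"
SUBNET = (SUB + "/resourceGroups/network-rg/providers/Microsoft.Network"
          "/virtualNetworks/aks-vnet/subnets/aks-subnet")

# Constructed sample role assignments: who holds which role at which scope.
SAMPLE_ASSIGNMENTS = [
    {"principal": "alice", "role": "Contributor", "scope": SUB},
    {"principal": "bob", "role": "Contributor", "scope": SUB},
    {"principal": "bob", "role": "Assign AKS permissions to the vnet", "scope": SUBNET},
    {"principal": "carol", "role": "Owner", "scope": MC_RG},
]


def _matches(pattern, action):
    """Azure action patterns: '*' matches any characters, comparison is case-insensitive."""
    return fnmatchcase(action.lower(), pattern.lower())


def role_allows(role_name, action):
    """A single role permits an action if some Actions pattern matches it
    and no NotActions pattern of the same role matches it."""
    definition = ROLE_DEFINITIONS[role_name]
    allowed = any(_matches(p, action) for p in definition["Actions"])
    excluded = any(_matches(p, action) for p in definition["NotActions"])
    return allowed and not excluded


def scope_covers(assignment_scope, target_scope):
    """An assignment applies to its own scope and to every scope beneath it."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def is_authorized(assignments, principal, action, scope):
    """Return the roles that grant `action` to `principal` at `scope`.
    An empty list is what ARM turns into a 403 AuthorizationFailed."""
    return [
        a["role"]
        for a in assignments
        if a["principal"] == principal
        and scope_covers(a["scope"], scope)
        and role_allows(a["role"], action)
    ]


if __name__ == "__main__":
    checks = [
        ("alice", ROLE_ASSIGNMENT_WRITE, MC_RG),   # Contributor only: 403, as in the question
        ("carol", ROLE_ASSIGNMENT_WRITE, MC_RG),   # Owner on the MC_ group: allowed
        ("bob", ROLE_ASSIGNMENT_WRITE, SUBNET),    # custom role at the subnet: allowed there
        ("bob", ROLE_ASSIGNMENT_WRITE, MC_RG),     # but not outside the subnet
    ]
    for principal, action, scope in checks:
        roles = is_authorized(SAMPLE_ASSIGNMENTS, principal, action, scope)
        print(f"{principal:6} {action} @ {scope.rsplit('/', 1)[-1]}: "
              f"{'granted via ' + ', '.join(roles) if roles else 'AuthorizationFailed'}")
```

To run the same check against a real subscription, feed the function the output of `az role assignment list --assignee <id> --scope <scope> --include-inherited` and `az role definition list` instead of the constructed tables; the evaluation rules are the same.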

In my case I solved it by running "az login" again and switching to the correct subscription, and then I tried to run the command again. It worked.

Also, the reason may be that you don't have the rights to create a cluster in that resource group. I had this kind of problem before; in that case you should contact the person who administers your subscription to give you the rights.

Poçi