I have an issue deleting an Azure Lock, at the resource group level. I am doing it from an Azure Runbook.
I authenticate fine (I am able to Get details of whatever I want). Here's the code for that:
# Ensures you do not inherit an AzureRMContext in your runbook
Disable-AzContextAutosave –Scope Process
"Logging in to Azure..."
$connection = Get-AutomationConnection -Name AzureRunAsConnection
Connect-AzAccount -ServicePrincipal -Tenant $connection.TenantID -ApplicationId $connection.ApplicationID -CertificateThumbprint $connection.CertificateThumbprint
And if I do, say, Get-AzResource -ResourceGroupName $RG, I get the info I need. But the problem is that I actually need to delete some resources of that resource group, and it has a lock.
When I Remove-AzResourceLock -LockId $getAzureLock.LockId -Force, I am thrown this:
Remove-AzResourceLock : AuthorizationFailed : The client XX with object id XX does not have authorization to perform action 'Microsoft.Authorization/locks/delete' over scope '/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Authorization/locks/resourceDellock' or the scope is invalid. If access was recently granted, please refresh your credentials.
FYI, I've redacted the subscription/object id information.
For the life of me, I am not able to get around it. The application is added as a Contributor at the subscription level, from Access Control (IAM).
I have tried so many things, that I am just to tired to write down! I am sorry. The last 4 hours I've been reading and trying stuffs. So pardon me!
Please, help me get around this..
