
I have simple code that creates a ContainerGroup:

ContainerGroup instance = azure.containerGroups()
                <truncated>
                .create();

After the instance has been created, I would like to create a delete lock:

azure.managementLocks().define("preventDelete").withLockedResource(instance).withLevel(LockLevel.CAN_NOT_DELETE).create();

The lock is never created, failing with the following error:

Status code 403, {"error":{"code":"AuthorizationFailed","message":"The client '' with object id '' does not have authorization to perform action 'Microsoft.Authorization/locks/write' over scope '/subscriptions//resourceGroups//providers/Microsoft.ContainerInstance/containerGroups//providers/Microsoft.Authorization/locks/preventDelete' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

It works flawlessly using the Azure UI. Any ideas?

  • According to the error message, you do not have enough permissions to create a resource lock. Could you please check the permissions of the service principal you used to do auth in your application? – Jim Xu Sep 22 '20 at 01:54

2 Answers


According to the error message, you do not have enough permissions to create resource locks. In fact, to create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions. For more details, please refer to the article. Please check the permissions of the service principal you used to do auth in your application.

Regarding how to check it, please refer to the following script:

Connect-AzAccount

# Placeholder: the object id of the service principal (or user) the application authenticates as
$role = Get-AzRoleAssignment -ObjectId <object id of service principal or user>

# A principal can hold several assignments; resolve each one to its role definition (Actions/NotActions)
$role | ForEach-Object { Get-AzRoleDefinition -Id $_.RoleDefinitionId }
Jim Xu
  • Role "User Access Administrator" is correctly set. I have now tried to add a lock using PowerShell and got this: PS > New-AzResourceLock -LockLevel "CanNotDelete" -LockName "LockContainer" -ResourceName "aaa" -ResourceType "Microsoft.ContainerInstance" -ResourceGroupName "BBB" New-AzResourceLock : InvalidResourceType : The resource type could not be found in the namespace 'Microsoft.ContainerInstance' for api version '2015-01-01'. – Radosław Jakubowski Sep 22 '20 at 10:16
  • @RadosławJakubowski The resource type should be `Microsoft.ContainerInstance/containerGroups`. `Microsoft.ContainerInstance` is the resource provider: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#azure-portal – Jim Xu Sep 22 '20 at 13:10
  • Indeed, that was the problem with New-AzResourceLock. Thank you. I can now create locks using PowerShell, but it doesn't resolve the original problem. – Radosław Jakubowski Sep 23 '20 at 07:53
  • @RadosławJakubowski Could you please provide the code showing how you do auth in the application? – Jim Xu Sep 23 '20 at 08:06
  • `public static Azure getAzure() { String tenantId = "xxx"; String clientId = "xxx"; String clientSecret = "xxx"; String subscriptionGuid = "xxx"; ApplicationTokenCredentials tokenCredentials = new ApplicationTokenCredentials( clientId, tenantId, clientSecret, AzureEnvironment.AZURE); return Azure.authenticate(tokenCredentials).withSubscription(subscriptionGuid); }` – Radosław Jakubowski Sep 23 '20 at 08:26
  • @RadosławJakubowski According to my understanding you create a service principal and assign `User Access Administrator` to the sp at the subscription level. You cannot use the sp to create resource lock with jdk, but you can use the sp to create resource lock with powershell. Right? – Jim Xu Sep 23 '20 at 08:36
  • According to my test, it is ok for me : https://ibb.co/VvWSBTj – Jim Xu Sep 24 '20 at 03:57
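Why only Owner and User Access Administrator pass the check in this answer can be seen by evaluating a role's Actions and NotActions against the exact operation named in the 403. This is an added example, not code from either answer or from the Az module; the role definitions are abbreviated sample data, and the object id and resource id in the commented live query are placeholders.

```powershell
# Azure RBAC allows an operation when it matches an entry in the role's Actions and no entry
# in its NotActions; '*' matches any number of path segments and matching is case-insensitive.
function Test-RoleAllowsAction {
    param(
        [Parameter(Mandatory)] [string[]] $Actions,
        [string[]] $NotActions = @(),
        [Parameter(Mandatory)] [string] $Operation
    )
    # PowerShell's -like is case-insensitive and treats '*' as a wildcard, matching RBAC's rule
    $allowed = @($Actions    | Where-Object { $Operation -like $_ })
    $denied  = @($NotActions | Where-Object { $Operation -like $_ })
    return ($allowed.Count -gt 0 -and $denied.Count -eq 0)
}

# The action named in the AuthorizationFailed error from the question
$operation = 'Microsoft.Authorization/locks/write'

# Abbreviated built-in role definitions (constructed sample data; the real ones list more entries).
# Contributor's '*' is cancelled by its NotActions, which is why it cannot create locks.
$sampleRoles = @(
    @{ Name = 'Contributor'; Actions = @('*')
       NotActions = @('Microsoft.Authorization/*/Delete', 'Microsoft.Authorization/*/Write') }
    @{ Name = 'Owner'; Actions = @('*'); NotActions = @() }
    @{ Name = 'User Access Administrator'; Actions = @('*/read', 'Microsoft.Authorization/*'); NotActions = @() }
)

foreach ($role in $sampleRoles) {
    $ok = Test-RoleAllowsAction -Actions $role.Actions -NotActions $role.NotActions -Operation $operation
    '{0,-26} can write locks: {1}' -f $role.Name, $ok
}

# Against a real subscription (after Connect-AzAccount): resolve every role the principal holds
# that applies at the container group's scope and keep those that grant the operation.
# Both quoted values are placeholders.
# Get-AzRoleAssignment -ObjectId '<service-principal-object-id>' -Scope '<container-group-resource-id>' |
#     ForEach-Object { Get-AzRoleDefinition -Id $_.RoleDefinitionId } |
#     Where-Object { Test-RoleAllowsAction -Actions $_.Actions -NotActions $_.NotActions -Operation $operation } |
#     Select-Object Name
```

Deny assignments and role-assignment conditions are not modelled here; if a role is reported as allowing the action yet the API still returns 403, verify the scope string in the error and the token freshness the error message also mentions.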

Ended up using the Azure CLI instead of the SDK:

az lock create --lock-type CanNotDelete --name PreventDelete --resource <resourceId>