az feature register --namespace "Microsoft.ContainerService" --name "EnableAPIServerVnetIntegrationPreview" fails

Sebastian Cheung 1 Reputation point
2022-12-06T02:10:26.14+00:00

az feature register --namespace "Microsoft.ContainerService" --name "EnableAPIServerVnetIntegrationPreview"

Once the feature 'EnableAPIServerVnetIntegrationPreview' is registered, invoking 'az provider register -n Microsoft.ContainerService' is required to get the change propagated
(AuthorizationFailed) The client 'admin@xxxxxxxxxxxxx .org.uk' with object id 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' does not have authorization to perform action 'Microsoft.Features/providers/features/register/action' over scope '/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client 'admin@xxxxxxxxxxxxx .org.uk' with object id 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' does not have authorization to perform action 'Microsoft.Features/providers/features/register/action' over scope '/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' or the scope is invalid. If access was recently granted, please refresh your credentials.

How to overcome this?

Tried:

az role assignment create --assignee $PRINCIPAL --role "Cognitive Services Contributor" --scope /subscriptions/$AZURE_SUBSCRIPTION_ID

Or another SP is trying to provide access?


  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2022-12-07T23:32:30.47+00:00

    @Sebastian Cheung
    Thank you for your detailed post!

    Error Message:
    The client '******@XXXX.org.uk' with object id 'XXXX' does not have authorization to perform action 'Microsoft.Features/providers/features/register/action' over scope '/subscriptions/XXXX' or the scope is invalid. If access was recently granted, please refresh your credentials.

    From the RBAC side of things, the user you're using, ******@XXXX.org.uk, to execute az feature register doesn't have the correct RBAC permissions over your subscription to register the feature. As you referenced in your post, you'll need the Cognitive Services Contributor role, since it gives your user the required permission (Microsoft.Features/providers/features/register/action) to execute az feature register.

    Assign Azure roles using Azure CLI:
    To assign a role, use the az role assignment create command.

    # For an Azure AD user, resolve the user principal name (e.g. ******@XXXX.org.uk) to its object ID
    az ad user show --id "{principalName}" --query "id" --output tsv

    # List the details of a particular role (check that its "actions" include
    # Microsoft.Features/providers/features/register/action before assigning it)
    az role definition list --name "{roleName}"

    # Assign the role at the subscription scope.
    # --assignee takes a UPN, SP name or object ID, for example:
    #   --assignee "******@XXXX.org.uk" --role "Cognitive Services Contributor"
    # --scope is passed explicitly; newer Azure CLI releases require it.
    az role assignment create --assignee "{assignee i.e. sp_name}" --role "{roleNameOrId}" --scope "/subscriptions/{subscriptionId}"

    # Or use the object ID from your error message (avoids a directory lookup by name)
    az role assignment create --assignee-object-id "{assignee objectID}" --assignee-principal-type User --role "{roleNameOrId}" --scope "/subscriptions/{subscriptionId}"
    

    Note: You can also reference the UPN and Object ID from your error message

    Additional Links:
    Register the EnableAPIServerVnetIntegrationPreview preview feature
    Assign Azure roles using Azure PowerShell
    Assign Azure roles using the Azure portal
    Azure Portal - Register resource provider
    AKS features lists

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
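The answer above resolves the error by assigning a broad built-in role. Before doing that, a practitioner would usually want to check which roles actually grant the one action named in the error, and whether a narrower custom role would do. The script below is an added example, not code from the question, the answer or Microsoft: it evaluates Azure RBAC role definitions offline against the action `Microsoft.Features/providers/features/register/action` and emits a least-privilege custom role in the JSON shape `az role definition create --role-definition @file.json` accepts. The role definitions in it are constructed, abbreviated samples shaped like `az role definition list -o json` output (the real built-in roles are longer), the matching rules (case-insensitive comparison, `*` matching across `/` segments, NotActions subtracting from Actions) are assumed from Microsoft's RBAC documentation, and the custom role name and its inclusion of `Microsoft.ContainerService/register/action` for the follow-up `az provider register` step are assumptions.

```python
"""Offline check: which Azure role definitions grant one RBAC action?

Added example; not from the Q&A post. Assumed Azure RBAC evaluation rules:
  * Actions and NotActions are compared case-insensitively.
  * '*' in a pattern matches any run of characters, including '/' segments.
  * A role grants an action when some Actions pattern matches it and no
    NotActions pattern matches it (NotActions narrow a grant; they never deny).
"""
import json
import re

# The action named in the AuthorizationFailed error on the page.
FEATURE_REGISTER = "Microsoft.Features/providers/features/register/action"

# Constructed, abbreviated samples shaped like `az role definition list -o json`.
SAMPLE_ROLES = [
    {"roleName": "Reader",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Contributor",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/Delete",
                                     "Microsoft.Authorization/*/Write",
                                     "Microsoft.Authorization/elevateAccess/Action"]}]},
    # Modeled on the role the answer recommends (real definition is longer).
    {"roleName": "Cognitive Services Contributor",
     "permissions": [{"actions": ["Microsoft.CognitiveServices/*",
                                  "Microsoft.Features/features/read",
                                  "Microsoft.Features/providers/features/read",
                                  FEATURE_REGISTER],
                      "notActions": []}]},
    # Hypothetical role: a wildcard grant that NotActions carves the register action out of.
    {"roleName": "Feature Viewer (hypothetical)",
     "permissions": [{"actions": ["Microsoft.Features/*"],
                      "notActions": ["Microsoft.Features/*/register/action"]}]},
]


def action_matches(pattern, action):
    """True if an RBAC action pattern (may contain '*') covers `action`."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_grants(role, action):
    """Union of Actions minus union of NotActions across all permission entries."""
    allowed = any(action_matches(a, action)
                  for p in role["permissions"] for a in p.get("actions", []))
    excluded = any(action_matches(n, action)
                   for p in role["permissions"] for n in p.get("notActions", []))
    return allowed and not excluded


def roles_granting(roles, action):
    """Names of all roles that grant `action`, sorted for stable output."""
    return sorted(r["roleName"] for r in roles if role_grants(r, action))


def narrowest_granting_role(roles, action):
    """Heuristic least-privilege pick: fewest wildcard patterns, then fewest patterns."""
    def key(role):
        patterns = [a for p in role["permissions"] for a in p.get("actions", [])]
        return (sum("*" in a for a in patterns), len(patterns), role["roleName"])
    candidates = [r for r in roles if role_grants(r, action)]
    return min(candidates, key=key)["roleName"] if candidates else None


def least_privilege_role(subscription_id):
    """Custom role (hypothetical name) limited to preview-feature registration,
    in the JSON shape `az role definition create --role-definition @file.json` accepts."""
    return {
        "Name": "Preview Feature Registrar",
        "IsCustom": True,
        "Description": "Register preview features on one subscription; nothing else.",
        "Actions": [
            "Microsoft.Features/features/read",
            "Microsoft.Features/providers/features/read",
            FEATURE_REGISTER,
            # Assumed: the follow-up `az provider register -n Microsoft.ContainerService`
            # that the CLI output mentions needs the provider's own register action.
            "Microsoft.ContainerService/register/action",
        ],
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def to_listed_shape(definition):
    """Convert a create-style definition into the list-style shape used above."""
    return {"roleName": definition["Name"],
            "permissions": [{"actions": definition["Actions"],
                             "notActions": definition["NotActions"]}]}


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
    custom = least_privilege_role(sub)
    roles = SAMPLE_ROLES + [to_listed_shape(custom)]
    print("Roles granting the action:", roles_granting(roles, FEATURE_REGISTER))
    print("Narrowest option:", narrowest_granting_role(roles, FEATURE_REGISTER))
    print(json.dumps(custom, indent=2))  # save as file.json for az role definition create
```

To run the same check against a real tenant, replace SAMPLE_ROLES with the parsed output of `az role definition list -o json`; the evaluation functions do not change. Assigning the custom role then follows the answer's own `az role assignment create` steps.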

