HOW TO FIX AUTHORIZATION ERROR FOR AKS

Angelo Martin Asuncion 0 Reputation points
2023-05-10T09:05:44.36+00:00

The client '' with object id '________' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/_________/resourceGroups/aksdeployer/providers/Microsoft.Resources/deployments/microsoft.aks-20230510170151' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed)

I am trying to create AKS after I successfully created a role folr aks cluster deployer but upon validation it shows the error above. what are the possible problems or solution to fix this issue Thank you!

provided below is the main.tf code that I have used for the role creation.

  provider "azurerm" {
  features {}
}

resource "azurerm_role_definition" "aks_deploy" {
  name        = "AKS ClusterDeployer"
  description = "Allows managing AKS clusters, but no read access"
  scope = "/subscriptions/____________________"
  permissions {
    actions = [
      "Microsoft.ContainerService/managedClusters/write",
      "Microsoft.ContainerService/managedClusters/delete",
      "Microsoft.Resources/subscriptions/resourceGroups/write",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/subscriptions/resourceGroups/delete"
    ]
    not_actions = [
      
    ]
  }
  assignable_scopes = [
    "/subscriptions/_______________________"
  ]
  
}

resource "azurerm_role_assignment" "aks_deploy" {
  scope              = "/subscriptions/__________________________"
  role_definition_name = azurerm_role_definition.aks_deploy.name
  principal_id       = var.principal_id
}
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,934 questions
{count} votes

1 answer

Sort by: Most helpful
  1. vipullag-MSFT 25,446 Reputation points
    2023-05-10T09:27:26.35+00:00

    Hello Angelo Martin Asuncion

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    Based on the issue description, the error message is indicating that the client with the specified object ID does not have the required permissions to perform the specified action. Reason could be incorrect scope or incorrect permissions.

    To troubleshoot this issue, you can try the following steps:

    Verify that the scope specified in the error message is correct and that the client has the required permissions at that scope.

    Check if the client has the required permissions to perform the specified action. You can do this by checking the permissions specified in the role definition that you created.

    Ensure that the client has the correct credentials and that they are up-to-date. You can try refreshing the credentials to see if that resolves the issue.

    1. Check if there are any conflicting role assignments that might be causing the issue. You can do this by checking the role assignments for the client and the scope in question.

    In your case, it appears that the role definition and role assignment are correctly created. You can try refreshing the credentials for the client or verifying the object ID to ensure that it has the required permissions. Additionally, you can check if the scope specified in the role definition and role assignment matches the resource group and subscription specified in the error message.

    Hope this helps.