This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 86%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
We are trying to deploy a simple AKS cluster with virtual nodes, aci connector linux. We are using this terraform example almost identical. It gets all the way to the end and when it tries to build the role assignment we get the following error:
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '385fa3dd-9da5-437e-82a6-9dc167eac3a2' with object id '385fa3dd-9da5-437e-82a6-9dc167eac3a2' does not have authorization or an ABAC condition not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/***/resourceGroups/gh-aks-services/providers/Microsoft.Network/virtualNetworks/vnet/subnets/default/providers/Microsoft.Authorization/roleAssignments/2637b837-8d6a-a98b-5f6d-79fdb595cfe6' or the scope is invalid. If access was recently granted, please refresh your credentials."
│
│ with azurerm_role_assignment.example,
│ on main.tf line 147, in resource "azurerm_role_assignment" "example":
│ 147: resource "azurerm_role_assignment" "example" {
│
Example of role being created
resource "azurerm_role_assignment" "example" {
scope = azurerm_subnet.example-aci.id
role_definition_name = "Network Contributor"
principal_id = azurerm_kubernetes_cluster.example.identity.0.principal_id
}
Terraform
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "example" {
name = "${var.prefix}-k8s-rg"
location = var.location
}
resource "azurerm_virtual_network" "example" {
name = "${var.prefix}-vnet"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
address_space = ["10.10.0.0/16"]
}
resource "azurerm_subnet" "example-nodepool" {
name = "default"
virtual_network_name = azurerm_virtual_network.example.name
resource_group_name = azurerm_resource_group.example.name
address_prefixes = ["10.10.1.0/24"]
}
resource "azurerm_subnet" "example-aci" {
name = "aci"
virtual_network_name = azurerm_virtual_network.example.name
resource_group_name = azurerm_resource_group.example.name
address_prefixes = ["10.10.3.0/24"]
delegation {
name = "aciDelegation"
service_delegation {
name = "Microsoft.ContainerInstance/containerGroups"
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
}
}
}
resource "azurerm_kubernetes_cluster" "example" {
name = "${var.prefix}-k8s"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
dns_prefix = "${var.prefix}-k8s"
default_node_pool {
name = "default"
node_count = 1
vm_size = "Standard_DS2_v2"
vnet_subnet_id = azurerm_subnet.example-nodepool.id
}
network_profile {
network_plugin = "azure"
network_policy = "azure"
load_balancer_sku = "standard"
}
identity {
type = "SystemAssigned"
}
aci_connector_linux {
subnet_name = azurerm_subnet.example-aci.name
}
azure_policy_enabled = false
http_application_routing_enabled = false
}
resource "azurerm_role_assignment" "example" {
scope = azurerm_subnet.example-aci.id
role_definition_name = "Network Contributor"
principal_id = azurerm_kubernetes_cluster.example.identity.0.principal_id
}
Hello David Simpson
Any update on the issue?
Just checking in to see if you got a chance to see previous response.
If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.
Hello David Simpson
Welcome to Microsoft Q&A Platform, thanks for posting your query here.
Based on the error message shared, it indicates that the client does not have authorization to perform the action 'Microsoft.Authorization/roleAssignments/write' over the specified scope. This error can occur if the client does not have the required permissions to create a role assignment.
Below are few troubleshooting steps that can help resolve the issue:
az role assignment create --assignee-object-id <client-object-id> --role "Network Contributor" --scope <scope>
Verify that the subnet specified in the 'azurerm_role_assignment' resource exists and is valid. You can check this by running the following command:
az network vnet subnet show --ids <subnet_id>
Replace <subnet_id> with the ID of the subnet specified in the 'azurerm_role_assignment' resource.
If you continue to experience issues, double-check your configuration and make sure that all the necessary prerequisites, such as subscription access and role assignments, are in place before running Terraform again.
Hope this helps.
Thank you for the information @vipullag-MSFT
I was able to update our client token to have owner permission and now it is successfully creating those roles.
The issue I'm having is that they don't seem to be what it needs to run. Here is the error I get
time="2023-05-19T11:28:39Z" level=fatal msg="error initializing provider azure: error setting up network: error while looking up subnet: network.SubnetsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error.
Status=403 Code=\"AuthorizationFailed\" Message=\"The client '10add117-de88-4b44-b339-afcabc31ebbd' with object id '10add117-de88-4b44-b339-afcabc31ebbd' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/90d5cce1-c5d8-447d-88cf-833483083b94/resourceGroups/gh-aks-services/providers/Microsoft.Network/virtualNetworks/gh-aks-cluster-vnet/subnets/aci' or the scope is invalid. If access was recently granted, please refresh your credentials.\""
PS /home/david>
Hello David Simpson
Thanks for responding back and sharing more details.
The error message suggests that the client specified in your Terraform configuration does not have the necessary permissions to read the subnet. Even though you updated the client's role to have owner permission, it seems that it still lacks the required authorization for the specific action 'Microsoft.Network/virtualNetworks/subnets/read' over the specified scope.
To resolve this issue, you can try the following steps:
Verify that the client ID and tenant ID used in the Terraform configuration are correct and have the required permissions to read the subnet.
Ensure that the service principal used by Terraform has the 'Reader' or 'Contributor' role assigned to the subscription or resource group where the subnet is located.
Check if the subnet is available in the specified virtual network and resource group. If it is not available, you can create the subnet manually or modify the Terraform configuration to create the subnet.
If the issue persists, you can try to read the subnet manually using the Azure portal or Azure CLI to verify if the issue is with the Terraform configuration or the client permissions.
I hope this helps you resolve the issue.