This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 46%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
I am trying to deploy AKS with CNI but as soon as I create vnet and subnet it stops write their with the error that I do not have permission to create it.
I have contributor access to the entire subscription but it looks like this is one odd resource that requires owner permission when I am using CNI for network deployment
I did pre-create the vnet and subnets but I got the same error
Thanks for the detail response. When I am trying with the procreated vnet and subnet I get the following error "This subnet does not have necessary permission to perform the "Microsoft.Authorization/roleassignments/write" action to add one
I requested for the owner access at the RG level and still getting same error. Do I need to pre-create cluster user managed identity and assigned RG owner rights to the user managed identity. I do not see how I can assign role to cluster identify without creating cluster
Finally reached out to the person with owner permission and deployed it
Hello prasantc
Glad to hear that you have successfully deployed the cluster.
If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.
Hello prasantc
Welcome to Microsoft Q&A Platform, thanks for posting your query here.
AKS with CNI requires the user to have "Owner" or "Network Contributor" role on the Azure Virtual Network (vnet) resource. This is because when CNI is used, it creates an Azure Virtual Network (vnet) and a subnet in your Azure subscription to manage networking resources for AKS pods.
As you mentioned, you already have "Contributor" access to the entire subscription, but it might not be enough for creating virtual networks and subnets. You need to have "Owner" or "Network Contributor" for the duration of the AKS cluster creation, so you can successfully create the necessary resources.
Ref: https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni#prerequisites
If you don't want to be assigned the "Owner" role, you can create a custom role with the necessary permissions for AKS with CNI. This custom role should have the required permissions to create and manage network resources within the vnet and subnet.
If you are unable to get the required permissions for creating vnets and subnets, you can pre-create the Azure Virtual Network and subnet manually. In this case, you should create the vnet and subnet with the desired configuration (address space and subnet range) before deploying AKS. During AKS cluster creation, you can specify the existing vnet and subnet.
Hope this helps.