Authorization Error When Use Template Specs From Another Subscription

Qi-Jian-Huang-DevOps 166 Reputation points
2023-10-31T16:15:08.76+00:00

I have a few template spec bicep modules created in a subscription (subscription A).

From another subscription (subscription B), I have a main bicep file which references this template spec module from subscription A.

My user has "template spec reader" permission on this template spec resource (subscription A).

My user has "service administrator" permission on subscription B.

When running the deployment, I am getting a strange error:

InvalidTemplateDeployment - Deployment failed with multiple errors: 'Authorization failed for template resource 'rg-test' of type 'Microsoft.Resources/resourceGroups'. The client 'jian.test@consto.com' with object id '74a10223-2dfb-4695-86ab-b26d9c284364' does not have permission to perform action 'Microsoft.Resources/subscriptions/resourceGroups/write' at scope '/subscriptions//resourceGroups/rg-test'.

Apparently this is quite a strange error, since I have full access to subscription B.

I also did another test by creating the same template spec resource in subscription B, and then it works fine, no issue.

Please help me identify what I am missing here; it looks like there are additional permissions I need to grant?

Thanks

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

Accepted answer
  Marilee Turscak-MSFT 36,861 Reputation points Microsoft Employee
    2023-11-04T01:09:44.96+00:00

    Hi @Qi-Jian-Huang-DevOps ,

    It sounds like the object id "74a10223-2dfb-4695-86ab-b26d9c284364" needs the Contributor role to write to the resource group.

    Under Access control (IAM), please verify that the user account has the correct role. I would recommend searching for that object ID specifically in the tenant to make sure that a different user account isn't possibly being used.

    https://learn.microsoft.com/en-us/azure/role-based-access-control/check-access#step-2-check-access-for-a-user

    See the related issues:
    https://learn.microsoft.com/en-us/answers/questions/1163701/getting-does-not-have-authorization-to-perform-act

    https://stackoverflow.com/questions/37688395/adding-write-permission-for-creating-resource-groups-to-an-azure-active-director

    Let me know if you still run into this issue after confirming.

    1 person found this answer helpful.
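
The scenario from the question, written out as an added example (this is not code from the original post or from either participant): a subscription-scoped main.bicep deployed from subscription B that creates the resource group and then deploys a template spec stored in subscription A into it. The subscription ID, resource group names, the template spec name, its version and its `storageAccountName` parameter are placeholders. It shows which permission is evaluated where: reading the template spec version is checked in subscription A (covered by Template Spec Reader), while creating `rg-test` and the resources inside the template spec is checked in subscription B, so the deploying identity needs `Microsoft.Resources/subscriptions/resourceGroups/write` there (Contributor or Owner on the subscription).

```bicep
// main.bicep, deployed from subscription B at subscription scope, e.g.:
//   az deployment sub create --location westeurope --template-file main.bicep
// Added example, not code from the original post. The subscription ID,
// resource group names, template spec name/version and the module parameter
// are placeholders (assumptions), not values taken from the thread.
targetScope = 'subscription'

@description('Resource group to create in subscription B, the deployment target.')
param rgName string = 'rg-test'

@description('Location for the resource group and the resources deployed into it.')
param location string = 'westeurope'

// Creating the resource group requires
// Microsoft.Resources/subscriptions/resourceGroups/write on subscription B.
// Template Spec Reader in subscription A does not grant anything here.
resource rg 'Microsoft.Resources/resourceGroups@2022-09-01' = {
  name: rgName
  location: location
}

// Template spec stored in subscription A, referenced by its full path:
//   ts:<subscription-id>/<resource-group>/<template-spec-name>:<version>
// Resolving it requires Microsoft.Resources/templateSpecs/versions/read in
// subscription A (the Template Spec Reader role). The resources it contains are
// deployed into the scope given below, so their write permissions are
// evaluated against subscription B, not A.
module storage 'ts:00000000-0000-0000-0000-000000000000/rg-templatespecs/storageAccountSpec:1.0' = {
  name: 'storageFromTemplateSpec'
  scope: rg
  params: {
    // Parameter name assumed for the example; it must match the spec's definition.
    storageAccountName: 'st${uniqueString(subscription().subscriptionId, rgName)}'
  }
}
```

The full `ts:` path can be replaced by an alias defined under `moduleAliases.ts` in `bicepconfig.json`, which keeps the subscription A ID out of the main file. To confirm what the deploying identity actually holds, list its assignments at both scopes, e.g. `az role assignment list --assignee <object-id> --scope /subscriptions/<subscription-B-id>` and the same for the template spec resource in A. One detail worth checking in the quoted error: the scope it reports, '/subscriptions//resourceGroups/rg-test', has an empty subscription ID segment, so it is also worth confirming which subscription the deployment command is targeting (`az account show`) before changing role assignments.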

0 additional answers
