Unable to set 'server parameters' in Postgres SQL Flexible Server on Azure

Question

Unable to set 'server parameters' in Postgres SQL Flexible Server on Azure

Danny Chuah 40

HI All,

I'm trying to set a dynamic parameter, require_secure_transport parameter on Azure Database for PostgreSQL flexible server. I've got contributor rights but getting the following error.

The client '******@xxx.xxx' with object id

'xxx' does not have authorization

to perform action 'Microsoft.Resources/deployments/validate/action' over

scope '/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.Resources/deployments/PostgreSQLFlexibleServerParameters_xxxx'

or the scope is invalid. If access was recently granted, please refresh your

credentials.

The client is an internal user of the tenant with contributor access to the Postgres Flexible Server.

Please assist. Thanks.

Sai Raghunadh M 4,640 Reputation points Microsoft External Staff Moderator

2024-09-24T13:35:12.2566667+00:00
Hi @Danny Chuah,

Thanks for the question and using MS Q&A platform

The error you are facing is related to Permissions.

Contributor role grants full access to manage all resources but does not allow you to assign roles in Azure RBAC.

For more information refer to this Document: Contributor.

Troubleshooting Steps:

To set server parameters, you need to ensure you have the appropriate role assigned at the correct scope level (Subscription, Resource Group)

You can check the permissions by going to the Access control (IAM) tab in the Azure portal and checking the role assignments for the client.

If the client already has the required permissions, you can try refreshing the credentials. You can do this by signing out of the Azure portal and signing back in.

I hope this information helps, please do let us know if you have any Queries.
Danny Chuah 40 Reputation points

2024-09-25T08:13:33.6833333+00:00

Hi Sai,

Thank you for your response, the built in Contributor role should have permissions to change server parameters on the Postgres Flexible Server and this is what we need to do, we are not using the contributor role to assign roles to other users.

The Contributor role has been assigned many months ago and users was able to change the server parameters previously but not anymore.
Sai Raghunadh M 4,640 Reputation points Microsoft External Staff Moderator

2024-09-26T06:28:31.52+00:00

Hi @Danny Chuah,

From your response, I gather that users were previously able to set the server parameters, but now they can no longer do so.

Please attempt to Check access for a user.

For detailed information on Server parameters in Azure Database for PostgreSQL - Flexible Server.

Sometimes, the error might be related to Application. please refer to the below thread that may solve your issue. https://learn.microsoft.com/en-us/answers/questions/1163701/getting-does-not-have-authorization-to-perform-act.

I hope this information helps, please do let us know if you have any Queries.
Sai Raghunadh M 4,640 Reputation points Microsoft External Staff Moderator

2024-09-27T07:06:10.88+00:00

Hi @Danny Chuah,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Accepted answer

2 additional answers

Your answer

Sai Raghunadh M 4,640 Reputation points Microsoft External Staff Moderator

2024-09-24T13:35:12.2566667+00:00

Hi @Danny Chuah,

Thanks for the question and using MS Q&A platform

The error you are facing is related to Permissions.

Contributor role grants full access to manage all resources but does not allow you to assign roles in Azure RBAC.

For more information refer to this Document: Contributor.

Troubleshooting Steps:

To set server parameters, you need to ensure you have the appropriate role assigned at the correct scope level (Subscription, Resource Group)

You can check the permissions by going to the Access control (IAM) tab in the Azure portal and checking the role assignments for the client.

If the client already has the required permissions, you can try refreshing the credentials. You can do this by signing out of the Azure portal and signing back in.

I hope this information helps, please do let us know if you have any Queries.
Danny Chuah 40 Reputation points

2024-09-25T08:13:33.6833333+00:00

Hi Sai,

Thank you for your response, the built in Contributor role should have permissions to change server parameters on the Postgres Flexible Server and this is what we need to do, we are not using the contributor role to assign roles to other users.

The Contributor role has been assigned many months ago and users was able to change the server parameters previously but not anymore.
Sai Raghunadh M 4,640 Reputation points Microsoft External Staff Moderator

2024-09-26T06:28:31.52+00:00

Hi @Danny Chuah,

From your response, I gather that users were previously able to set the server parameters, but now they can no longer do so.

Please attempt to Check access for a user.

For detailed information on Server parameters in Azure Database for PostgreSQL - Flexible Server.

Sometimes, the error might be related to Application. please refer to the below thread that may solve your issue. https://learn.microsoft.com/en-us/answers/questions/1163701/getting-does-not-have-authorization-to-perform-act.

I hope this information helps, please do let us know if you have any Queries.
Sai Raghunadh M 4,640 Reputation points Microsoft External Staff Moderator

2024-09-27T07:06:10.88+00:00

Hi @Danny Chuah,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 1

Hi @Danny Chuah,

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to accept the answer.

Issue:

I'm trying to set a dynamic parameter, require_secure_transport parameter on Azure Database for PostgreSQL flexible server. I've got contributor rights but getting the following error.

The client '******@xxx.xxx' with object id

'xxx' does not have authorization

to perform action 'Microsoft.Resources/deployments/validate/action' over

scope '/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.Resources/deployments/PostgreSQLFlexibleServerParameters_xxxx'

or the scope is invalid. If access was recently granted, please refresh your

credentials.

The client is an internal user of the tenant with contributor access to the Postgres Flexible Server.

Please assist. Thanks.

Solution:

I've found the solution. The issue was the user account only had Reader role to the resource group housing the affected Postgres Flex Server, after giving the user contributor role to the resource group was the user able to make 'server parameters' changes on the postgres flex server.

If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

Hope this helps. Do let us know if you have any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 2

The error message you encountered suggests an authorization issue related to your attempt to modify the require_secure_transport parameter for the Azure Database for PostgreSQL Flexible Server. This usually happens due to insufficient permissions, even though you have Contributor rights.

Possible Causes:

Insufficient Permissions for Deployment Actions: Even though you have Contributor access, some actions like validating and modifying resource parameters through deployments might require Owner or User Access Administrator roles because they involve managing resource deployments and parameters at a broader level.

Delay in Permission Propagation: Permissions might not propagate immediately after they are granted. The error message suggests refreshing credentials, which can be done by re-authenticating with Azure or waiting for permissions to be fully applied.

Incorrect Scope: The scope specified in the error (/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.Resources/deployments/PostgreSQLFlexibleServerParameters_xxxx) might not align with your access level. Contributor rights on the specific resource may not cover all deployment operations, especially if the action affects resource deployments at a higher level.

Steps to Resolve:

Refresh Credentials: Sign out and sign back in to the Azure portal or your CLI/PowerShell session to refresh your credentials.

Check Role Assignments: Verify that your user has the appropriate role for the resource group or subscription scope where the PostgreSQL flexible server resides:

Go to the Resource Group or Subscription in the Azure portal.

Navigate to Access control (IAM) and verify your role assignments.

Elevate Permissions:

- If the deployment action involves creating or modifying resource parameters, you may need **Owner** or **User Access Administrator** rights.

   - Request additional permissions from the administrator, especially if you’re managing sensitive parameters.

   **Run Deployment in the Portal**: If you are performing the operation via the Azure CLI or API, try running the same operation through the Azure portal to see if it bypasses the authorization issue.

Check with the Azure Administrator: Reach out to your Azure admin to confirm if any custom policies or role restrictions are in place that might prevent you from executing deployment-related actions.The error message you encountered suggests an authorization issue related to your attempt to modify the require_secure_transport parameter for the Azure Database for PostgreSQL Flexible Server. This usually happens due to insufficient permissions, even though you have Contributor rights. Possible Causes:
1. Insufficient Permissions for Deployment Actions:
  Even though you have Contributor access, some actions like validating and modifying resource parameters through deployments might require Owner or User Access Administrator roles because they involve managing resource deployments and parameters at a broader level.
2. Delay in Permission Propagation:
  Permissions might not propagate immediately after they are granted. The error message suggests refreshing credentials, which can be done by re-authenticating with Azure or waiting for permissions to be fully applied.
3. Incorrect Scope:
  The scope specified in the error (/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.Resources/deployments/PostgreSQLFlexibleServerParameters_xxxx) might not align with your access level. Contributor rights on the specific resource may not cover all deployment operations, especially if the action affects resource deployments at a higher level.
Steps to Resolve:
1. Refresh Credentials:
  Sign out and sign back in to the Azure portal or your CLI/PowerShell session to refresh your credentials.
2. Check Role Assignments:
  Verify that your user has the appropriate role for the resource group or subscription scope where the PostgreSQL flexible server resides:
  - Go to the Resource Group or Subscription in the Azure portal.
  - Navigate to Access control (IAM) and verify your role assignments.
3. Elevate Permissions:
  - If the deployment action involves creating or modifying resource parameters, you may need Owner or User Access Administrator rights.
  - Request additional permissions from the administrator, especially if you’re managing sensitive parameters.
4. Run Deployment in the Portal:
  If you are performing the operation via the Azure CLI or API, try running the same operation through the Azure portal to see if it bypasses the authorization issue.
5. Check with the Azure Administrator:
  Reach out to your Azure admin to confirm if any custom policies or role restrictions are in place that might prevent you from executing deployment-related actions.

TP 124.9K Reputation points Volunteer Moderator

2024-09-25T08:21:57.7733333+00:00

@Alex Burlachenko Please update this answer as well as all of your other answers/comments to comply with AI Usage policy for Microsoft Q&A.

For example, you could start by clearly stating at the top of each answer that it is generated in whole/part by AI and detail which AI was used, similar to below:

AI generated content. This answer was created with AI from ChatGPT

Additionally, please make sure you comply with the other key elements of the policy, excerpted below:

Follow these steps when using AI to generate an answer on Q&A:

Mention the AI service name that generated the answer, fully or partly.

Check the AI output accuracy and relevance and adjust it as needed. Indicate you validated or updated the AI output in your answer.

Include any sources AI generated or you used as you validated and updated the AI output.

Using AI to help with answers on Microsoft Q&A requires following these three steps. Otherwise, moderators might delete the content and suspend your account.

Thank you.

Answer 3

Danny Chuah 40

Hi Sai,

I have 2 postgres flex servers deployed with the same settings, one for test and one for production. The user have the same contributor role for both servers. On the test server he was able to make changes to server parameters but on the production server he been presented with the error as I stated in my original post. Could you give me advise on what to check please? Thanks.

Sai Raghunadh M 4,640 Reputation points Microsoft External Staff Moderator

2024-09-30T12:45:54.2866667+00:00

Hi @Danny Chuah,

It seems you were able to make changes to server parameters on the test server, but you are encountering the same error on the production server. This issue may be due to several reasons.

One possibility is that there are locks on the production server or its resource group that prevent changes.

For more information, please refer to the documentation: Lock your resources to protect your infrastructure.

If you are using Azure Active Directory, check for any restrictions on the user’s permissions. Additionally, look for any policies in the resource group or subscription that might limit actions. Finally, confirm that the Microsoft.DBforPostgreSQL resource provider is registered in your subscription.

I hope this information helps, please do let us know if you have any Queries.
Sai Raghunadh M 4,640 Reputation points Microsoft External Staff Moderator

2024-10-01T15:16:57.9166667+00:00

Hi @Danny Chuah,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Danny Chuah 40 Reputation points

2024-10-03T01:07:11.28+00:00

Hi Sai,

I've found the solution. The issue was the user account only had Reader role to the resource group housing the affected Postgres Flex Server, after giving the user contributor role to the resource group was the user able to make 'server parameters' changes on the postgres flex server, this ticket can now be closed. Thanks.

Share via

Unable to set 'server parameters' in Postgres SQL Flexible Server on Azure

2 additional answers

Your answer