Share via

How to Execute Chaos Studio experiments on Target Resources without roleAssignment/write Permission

Raghunathan, Ramesh 20 Reputation points
2025-12-09T14:59:04.6666667+00:00

What is our objective?

Our objective is to leverage Azure Chaos Studio to create and execute experiments (faults/attacks) on our Springboot App, hosted as an API App in ASE. For the purposes of performing POC, we are trying to execute a "Stop App Service" experiment on the Springboot app for 5 minutes.

What we expect to see happen...

Chaos Studio should be able to successfully inject fault (i.e. stop the app) within the Springboot app for 5 minutes. User should be unable to access the application.

What issues are we facing?

We are unable to successfully deploy the Chaos Experiment at the time of execution in Azure Chaos Studio due to the following error:

The client '<EmailID>' with object id '<ObjectId>' does not have permission to perform action 'Microsoft.Authorization/roleDefinitions/write' at scope '/subscriptions/<subscriptionId>/resourceGroups/'<resourceGroupName>'/providers/microsoft.web/sites/'<targetSpringBootResourceName>'/providers/Microsoft.Authorization/roleAssignements/'<rresourceID>'

Based on documentation online: https://learn.microsoft.com/en-us/azure/chaos-studio/chaos-studio-tutorial-agent-based-portal, we have followed most steps until before the part where it instructs to "Add role assignments" (This option is disabled on our accounts due to lack of privilege to assign roles on any resource in our Azure environment)

What we are have tried so far...

  • We have contributor access
  • Based on Chaos Studio permissions outlined in https://learn.microsoft.com/en-us/azure/chaos-studio/chaos-studio-permissions-security, we have scoped all the Microsoft.Chaos/* permissions to our resource group in Azure
  • In addition, added the following
    • Microsoft.Web/sites/start/action
    • Microsoft.Web/sites/stop/action
    • Microsoft.Web/sites/read
  • Tried all the above with a system-managed identity
  • Created a user-assigned managed identity in our Azure environment and created custom roles (with permissions) assigned to our user-assigned managed identity
  • Re-provisioned our Springboot API App running in ASE with the user-assigned managed identity to ensure that both Chaos Studio experiment resource and Springboot app resource were created with same user-assigned managed identity

None of the above helped in resolving the issue unfortunately

My question is: How can we execute Azure Chaos Studio experiments on target resources without the need for the Microsoft.Authorization/roleAssignments/write permissions?

We would truly appreciate it if you could please provide your suggestions, documentation links, and/or resources

Azure Chaos Studio
Azure Chaos Studio
An Azure service used to create, run, and analyze chaos experiments to identify resilience gaps in cloud apps.
0 comments
Answer accepted by question author
  1. Q&A Assist
    2025-12-09T14:59:22.2966667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    To execute Azure Chaos Studio experiments on target resources without requiring the Microsoft.Authorization/roleAssignments/write permission, you need to ensure that your setup adheres to the permissions model of Azure Chaos Studio. Here are some suggestions based on the context provided:

    1. Use Managed Identities: Since you have already tried using both system-assigned and user-assigned managed identities, ensure that the managed identity has the necessary permissions on the target resources. The managed identity should have permissions like Microsoft.Web/sites/start/action and Microsoft.Web/sites/stop/action to perform the desired actions.
    2. Role Assignment: If your account does not have the privilege to assign roles, you may need to work with an Azure administrator who can grant the necessary role assignments to the managed identity. This is crucial as the chaos experiments require specific permissions to execute.
    3. Custom Roles: If you are creating custom roles, ensure that they include all necessary actions related to Chaos Studio and the specific actions for your target resources. The custom role should encompass the permissions required for chaos experiments, including the permissions to read and modify the target resources.
    4. Experiment Permissions: Ensure that you have assigned the correct permissions to the chaos experiment itself. You can use Azure built-in roles such as Chaos Studio Experiment Contributor or Chaos Studio Operator to manage access effectively. These roles can help you create, run, and manage experiments without needing additional role assignment permissions.
    5. Check Resource Onboarding: Make sure that the target resource (your Springboot app) is properly onboarded to Chaos Studio with the required capabilities enabled. If the resource is not onboarded correctly, the experiment may fail to execute.
    6. Documentation Review: Review the Azure documentation on permissions and security in Chaos Studio to ensure that all necessary steps have been followed. This includes verifying that the chaos experiment has the correct permissions assigned and that the target resources are set up correctly.

    If you continue to face issues, it may be beneficial to reach out to Azure support for further assistance, as they can provide insights specific to your Azure environment and permissions setup.

    References:

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.