allow istio to join manually created public ip

Roy Brener 1 Reputation point
2021-11-09T17:02:38.81+00:00

I'm trying to create an AKS cluster with a static, pre-defined public IP. For that I'm using Terraform.

The important parts:

# Pre-created Standard SKU static IP that the cluster's load balancer must be allowed to join
resource "azurerm_public_ip" "public_ip" {
  allocation_method   = "Static"
  location            = azurerm_resource_group.rg.location
  name                = "${local.resource_name_prefix}-PublicIp1"
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "Standard" # must match the cluster's load_balancer_sku

  tags = local.common_tags
}

# Excerpt only: required arguments such as dns_prefix and the identity /
# service_principal block are omitted here
resource "azurerm_kubernetes_cluster" "aks" {
  location            = azurerm_resource_group.rg.location
  name                = "${local.resource_name_prefix}-aks"
  resource_group_name = azurerm_resource_group.rg.name

  default_node_pool {
    name           = "system"
    vm_size        = "Standard_DS2_v2"
    vnet_subnet_id = azurerm_subnet.app_subnet.id # bring-your-own subnet

    upgrade_settings {
      max_surge = "30"
    }
  }

  network_profile {
    network_plugin    = "kubenet"
    load_balancer_sku = "Standard"
    load_balancer_profile {
      # hands the pre-created IP to the cluster's outbound (SNAT) frontend
      outbound_ip_address_ids = [azurerm_public_ip.public_ip.id]
    }
  }

  role_based_access_control {
    enabled = true
  }
}

the virtual network + subnets are also pre-defined.

Now, when trying to install Istio using istioctl install, the istio-ingressgateway LoadBalancer service is failing with:

{
  "error": {
    "code": "LinkedAuthorizationFailed",
    "message": "The client 'xxxxx' with object id 'xxxx' has permission to perform action 'Microsoft.Network/loadBalancers/write' on scope '/subscriptions/xxxx/resourceGroups/xxx_rg/providers/Microsoft.Network/loadBalancers/kubernetes'; however, it does not have permission to perform action 'Microsoft.Network/publicIPAddresses/join/action' on the linked scope(s) '/subscriptions/xxx/resourceGroups/xxx-rg/providers/Microsoft.Network/publicIPAddresses/xxx-PublicIp1' or the linked scope(s) are invalid."
  }
}

Any help will be greatly appreciated

Azure Kubernetes Service (AKS)

1 answer

  1. shiva patpi 13,141 Reputation points Microsoft Employee
    2021-11-09T18:57:27.157+00:00

    Hello @Roy Brener,
    Can you try giving "Network Contributor" access to the client mentioned in that error message?
    Try providing Network Contributor access at the level of the resource group that contains that public IP address.

    Azure CLI Commands:

    # scope is the resource group that holds the public IP; the role name contains a space, so quote it
    az role assignment create --assignee xxx --scope /subscriptions/subid/resourceGroups/rgname --role Contributor
    az role assignment create --assignee xxx --scope /subscriptions/subid/resourceGroups/rgname --role "Network Contributor"

    Regards,
    Shiva.

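The grant the answer describes, expressed in the question's own Terraform rather than as an ad hoc CLI command, as an added example that is not from the original question or answer. It assumes the cluster is created with a system-assigned managed identity (an identity block, which the question's excerpt omits), so that the in-cluster cloud controller that creates the "kubernetes" load balancer runs as azurerm_kubernetes_cluster.aks.identity[0].principal_id. The error only asks for Microsoft.Network/publicIPAddresses/join/action on the one public IP, so the scope is narrowed to that resource instead of the whole resource group; the resource names aks_join_public_ip and public_ip_join are hypothetical.

```hcl
# Added example, not part of the original thread. Assumes the cluster has
#   identity { type = "SystemAssigned" }
# With a user-assigned identity or a service principal, put that object's
# principal id in principal_id instead.

# Option 1 (what the answer recommends, narrowed to the IP itself):
# "Network Contributor" includes Microsoft.Network/publicIPAddresses/join/action.
resource "azurerm_role_assignment" "aks_join_public_ip" { # hypothetical name
  scope                = azurerm_public_ip.public_ip.id
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_kubernetes_cluster.aks.identity[0].principal_id
}

# Option 2 (use instead of option 1): a custom role carrying only the two
# actions the cloud controller needs on the IP, nothing else in Microsoft.Network/*.
resource "azurerm_role_definition" "public_ip_join" { # hypothetical name
  name  = "${local.resource_name_prefix}-public-ip-join"
  scope = azurerm_resource_group.rg.id

  permissions {
    actions = [
      "Microsoft.Network/publicIPAddresses/read",
      "Microsoft.Network/publicIPAddresses/join/action",
    ]
  }

  assignable_scopes = [azurerm_resource_group.rg.id]
}

resource "azurerm_role_assignment" "aks_join_public_ip_custom" { # hypothetical name
  scope              = azurerm_public_ip.public_ip.id
  role_definition_id = azurerm_role_definition.public_ip_join.role_definition_resource_id
  principal_id       = azurerm_kubernetes_cluster.aks.identity[0].principal_id
}

# Verify after apply (principal id from terraform output or the error message):
#   az role assignment list --scope <public ip resource id> --assignee <principal id> -o table
```

Two caveats for whichever option is applied. First, role assignments take a few minutes to propagate; the cloud controller keeps retrying the pending Service, so the istio-ingressgateway EXTERNAL-IP should move from pending to the address without reinstalling Istio. Second, the Service has to ask for that IP: in the IstioOperator, set k8s.service.loadBalancerIP on the istio-ingressgateway component to the address of azurerm_public_ip.public_ip and, because the IP lives in a resource group other than the cluster's node resource group, add the annotation service.beta.kubernetes.io/azure-load-balancer-resource-group with that resource group's name under k8s.serviceAnnotations; without the annotation the cloud provider looks for the IP in the node resource group and will not find it.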