This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 32%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
Error syncing load balancer: failed to ensure load balancer: Retriable: false, RetryAfter: 0s, HTTPStatusCode: 403, RawError: Retriable: false, RetryAfter: 0s, HTTPStatusCode: 403, RawError: {"error":{"code":"AuthorizationFailed","message":"The client '58f5fcf9-1167-4999-9c38-a8b34a3f10b5' with object id '58f5fcf9-1167-4999-9c38-a8b34a3f10b5' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/1783aec1-4a5f-4d3c-8a12-d4a052ab85cb/resourceGroups/azuse-sas-ssod-sdmgt-dev-vpn-rg/providers/Microsoft.Network/virtualNetworks/azuse-sas-ssod-sdmgt-dev-vpn-vnet/subnets/azuse-sas-ssod-sdmgt-dev-node-subnet' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
I have tried to add Netowrk contributor role to my managedIdentity on the resourcegroup and the route "azuse-node-route" I dont see options for doing it on subnet
Just checking in to see if you got a chance to see Shiva response. Please try the suggestion of granting the Contributor role and see if that helps.
If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 23%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBP%3C/text%3E%3C/svg%3E)
I reached this post with a similar issue.
I'm using a custom virtual network with AKS, to solve this issue, on that virtual network assign the roles Reader and Network Contributor to the Enterprise Application that AKS creates (the one with the object id described in the error message).
Hope it helps anyone getting this error.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 98%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Hello @Desmond Sindatry ,
Can you try giving contributor role to that clientID 58f5fcf9-1167-4999-9c38-a8b34a3f10b5 over the scope of resource group azuse-sas-ssod-sdmgt-dev-vpn-rg
Regards,
Shiva.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 76%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
Awesome. Yes this worked. Thanks much.
Can you share why adding the network contributor role not work for the same clientid on the route ? And does it have to be on the RG ?
It should be at the RG level because as per the error message it was complaining about that RG: azuse-sas-ssod-sdmgt-dev-vpn-rg
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#network-contributor
Network Contributor - Lets you manage networks, but not access to them
Regards,
Shiva.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 73%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPD%3C/text%3E%3C/svg%3E)
Some more detail:
The error assumes that only read access is required on the resource group. Giving Reader role on the resource group to the clientId would be enough to solve this error. However, if you do that, a next error will occur, stating that the clientId doesn't have permission to perform 'Microsoft.Network/virtualNetworks/subnets/join/action' on the same subnet.
Granting Network Contributor role on the resource group solves this, but will give the clientId a lot of unnecessary rights. Instead, you could do this in 2 steps, granting Reader role on the resource group, and Network Contributor role only on the specific subnet.