1
votes

I am attempting to create an AKS cluster in a fresh new subscription. When a cluster is created via the web interface, eventually a CreateRoleAssignmentError error is produced with the following message:

RoleAssignmentReconciler retry timed out: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'foo' with object id 'foo' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/bar/resourceGroups/MC_MyResourceGroup_mycluster_region/providers/Microsoft.Authorization/roleAssignments/az

Note that the cluster is created with a manually created service principal, as per the documentation. This service principal has an "Owner" role on all Resource Groups within the subscription.

Note also that the reason I had to create a service principal manually is that the cluster could not be created otherwise in the first place. When I attempted to create a cluster without explicitly specifying a service principal (that is, requesting a new one to be created automatically), another error was produced:

The credentials in ServicePrincipalProfile were invalid. Please see https://aka.ms/aks-sp-help for more details. (Details: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'foo' was not found in the directory 'bar'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 9ec6ed81-892d-4592-b7b5-61842f5c1200\r\nCorrelation ID: bffbb112-7348-4403-a36f-3010bf34e594\r\nTimestamp: 2019-07-13 15:48:02Z","error_codes":[700016],"timestamp":"2019-07-13 15:48:02Z","trace_id":"9ec6ed81-892d-4592-b7b5-61842f5c1200","correlation_id":"bffbb112-7348-4403-a36f-3010bf34e594","error_uri":"https://login.microsoftonline.com/error?code=700016"})

I am doing these operations on a fresh new account and subscription using the "initial" admin user, so I would suppose all permissions should be in place. What can explain the errors above?

2
As far as I know, usually just pressing create again if you see the second error (if you are using the portal) will fix it. For the first error, it's a bit hard to say what's going on, but you need to have the appropriate permission (and if you think you do have them, it doesn't mean you do). Doesn't matter what permissions the SP has. – 4c74356b41
Does the client "foo" have the "User Access Administrator" role on the subscription? Does "foo" correspond to your own user (the one you're logged in with in the portal)? – Alessandro Vozza
You don't need those permissions for the SP (in fact you don't need any permissions for the SP); it will grant the necessary permissions to it when it provisions AKS. On top of that, you don't need to be User Access Administrator to successfully create a properly working AKS. – 4c74356b41
Well, you do, when you use a custom vnet. You (your user/SP) assign the Network Contributor role on the vnet to the AKS SP, and for that you need the User Access Admin role. – Alessandro Vozza
Hi @AlessandroVozza. "foo" in the error above is an Object ID which is new every time I attempt to create a cluster. It does not correspond to the Object ID of the logged-in user, nor to the AAD application id (service principal). So I'm not even sure what this object is and when/how it is created. Is there a way to find/describe an object by its ID? – Timur

2 Answers

1
votes

As the OP asks, here's the answer. In order to create resources in Azure (it doesn't matter which resources) you need permissions of the type provider/resource/write. The same goes for edits. This basic principle applies to all the resources out there. Now let's compare Owner and Contributor:

[image: comparison of the Owner and Contributor role definitions]

I have an AKS template that needs contributor role to work + this custom role:

# Clone a built-in role as the starting point for a custom role definition
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null                       # a new definition must not reuse the built-in role's Id
$role.Name = "Assign AKS permissions to the vnet"
$role.Description = "Assign AKS permissions to the vnet for the inflation process"
$role.Actions.Clear()                  # drop the cloned VM permissions; keep only the one action AKS needs
$role.Actions.Add("Microsoft.Authorization/roleAssignments/write")
$role.AssignableScopes.Clear()         # custom roles need explicit scopes; the cloned "/" root scope is rejected
$role.AssignableScopes.Add("/subscriptions/<subscription-id>")   # placeholder: your subscription id
New-AzureRmRoleDefinition -Role $role  # register the definition (the object alone does nothing until created)

AKS clusters created by code using this role + contributor are fully functional.

User Access Administrator is a built-in role that you are granted when you are the tenant admin and you grant yourself access to everything under your tenant: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin. So it will obviously work if you grant yourself this role, but you can get away with a lot fewer permissions.
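To make the Owner-versus-Contributor comparison and the custom role in the answer above concrete, here is an added example (not part of the answer, and not Azure's own evaluation code) that models the relevant piece of Azure RBAC: per role, the effective permissions are Actions minus NotActions, with `*` wildcards, and an assignment applies to every scope beneath the one it was made at. The role definitions are the documented built-in ones (Contributor's NotActions are shortened to the entries that matter here); the principal name `aks-sp`, the assignment sets and the scopes are constructed for the demo, with the subscription and MC_ resource group taken from the error message in the question. It goes slightly beyond the answer by also showing why an Owner assignment made on an existing resource group does not reach a resource group that AKS creates later. Deny assignments, ABAC conditions and DataActions are not modelled.

```python
from fnmatch import fnmatchcase

# Documented built-in roles (Contributor's NotActions abbreviated to the relevant entries)
# plus the custom role from the answer above. Constructed table for this demo.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Assign AKS permissions to the vnet": {
        "Actions": ["Microsoft.Authorization/roleAssignments/write"],
        "NotActions": [],
    },
}


def _matches(pattern: str, action: str) -> bool:
    # Azure action strings compare case-insensitively; '*' may span '/' segments,
    # which fnmatch also allows (it is not path-aware).
    return fnmatchcase(action.lower(), pattern.lower())


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    # An assignment is inherited by the scope it was made at and everything below it.
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def is_allowed(assignments: list, principal: str, action: str, scope: str) -> bool:
    """True if any assignment for `principal` that applies at `scope` grants `action`:
    the action must match one of the role's Actions and none of its NotActions."""
    for asg in assignments:
        if asg["principal"] != principal or not scope_covers(asg["scope"], scope):
            continue
        role = ROLES[asg["role"]]
        granted = any(_matches(p, action) for p in role["Actions"])
        excluded = any(_matches(p, action) for p in role["NotActions"])
        if granted and not excluded:
            return True
    return False


def demo() -> dict:
    """Evaluate the action the AKS reconciler failed on, at the MC_ resource group
    named in the question, under several constructed assignment sets."""
    sub = "/subscriptions/bar"
    mc_rg = sub + "/resourceGroups/MC_MyResourceGroup_mycluster_region"
    action = "Microsoft.Authorization/roleAssignments/write"
    cases = {
        # Contributor's '*' matches, but NotActions 'Microsoft.Authorization/*/Write' excludes it.
        "contributor_at_subscription": [
            {"principal": "aks-sp", "role": "Contributor", "scope": sub},
        ],
        # The custom role adds exactly the one action Contributor withholds.
        "contributor_plus_custom_role": [
            {"principal": "aks-sp", "role": "Contributor", "scope": sub},
            {"principal": "aks-sp", "role": "Assign AKS permissions to the vnet", "scope": sub},
        ],
        # Owner on a pre-existing resource group does not cover the MC_ group AKS creates.
        "owner_on_other_rg_only": [
            {"principal": "aks-sp", "role": "Owner", "scope": sub + "/resourceGroups/MyResourceGroup"},
        ],
        # Owner at subscription scope is inherited by the MC_ group.
        "owner_at_subscription": [
            {"principal": "aks-sp", "role": "Owner", "scope": sub},
        ],
    }
    return {name: is_allowed(asg, "aks-sp", action, mc_rg) for name, asg in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32s} -> {'allowed' if allowed else 'DENIED'}")
```

The `owner_on_other_rg_only` case is the one worth checking against your own setup: a role assignment is scoped to a subscription, a resource group or a resource, and a per-resource-group assignment cannot apply to a resource group that did not exist when it was made.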

1
votes

In my case I solved it by running "az login" again and switching to the correct subscription, and then I tried to run the command again. It worked.

Also, the reason may be that you don't have the rights to create a cluster in that resource group. I had this kind of problem before; for that you should contact the person who administers your subscription to give you rights.