0
votes

I have simple code that creates a ContainerGroup:

ContainerGroup instance = azure.containerGroups()
                <truncated>
                .create();

After the instance has been created I would like to create a delete lock:

azure.managementLocks().define("preventDelete").withLockedResource(instance).withLevel(LockLevel.CAN_NOT_DELETE).create();

The lock is never created, failing with the following error:

Status code 403, {"error":{"code":"AuthorizationFailed","message":"The client '' with object id '' does not have authorization to perform action 'Microsoft.Authorization/locks/write' over scope '/subscriptions//resourceGroups//providers/Microsoft.ContainerInstance/containerGroups//providers/Microsoft.Authorization/locks/preventDelete' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

Works flawlessly using Azure UI. Any ideas?

2
According to the error message, you do not have enough permissions to create a resource lock. Could you please check the permissions of the service principal you used to do auth in your application?

Jim Xu

2 Answers

0
votes

According to the error message, you do not have enough permissions to create resource locks. In fact, to create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions. For more details, please refer to the article. Please check the permissions of the service principal you used to do auth in your application.

Regarding how to check it, please refer to the following script:

Connect-AzAccount

# A principal can hold several assignments, so look at every role definition it has
$roles = Get-AzRoleAssignment -ObjectId '<object id of service principal or user>'

foreach ($role in $roles) {
    Get-AzRoleDefinition -Id $role.RoleDefinitionId
}
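To go one step further than listing role definitions, the following added example (my own code, not part of the answer above or of the Azure SDK) evaluates whether the service principal's effective assignments at the container group scope actually cover the Microsoft.Authorization/locks/write action, honouring wildcards and NotActions, and then shows a least-privilege alternative to handing out Owner or User Access Administrator: a custom role limited to Microsoft.Authorization/locks/*. It assumes the Az PowerShell module, an existing Connect-AzAccount session, and that the placeholder object id, subscription id, resource group and container group name are replaced; the custom role name "Lock Manager" is an arbitrary choice.

```powershell
# Added example, not from the original answer or the Azure SDK.
# Assumes: Az module installed, Connect-AzAccount already run, placeholders replaced.

$objectId = '<object id of service principal>'   # placeholder
$scope    = '/subscriptions/<subscription id>/resourceGroups/<resource group>' +
            '/providers/Microsoft.ContainerInstance/containerGroups/<container group name>'   # placeholder
$needed   = 'Microsoft.Authorization/locks/write'   # action named in the 403 error

# Turn an RBAC action pattern (which may contain '*') into an anchored regex.
function ConvertTo-ActionRegex([string]$pattern) {
    '^' + [regex]::Escape($pattern).Replace('\*', '.*') + '$'
}

# True when the role's Actions cover $action and no NotActions entry excludes it.
function Test-RoleGrantsAction($roleDef, [string]$action) {
    $allowed = @($roleDef.Actions    | Where-Object { $action -match (ConvertTo-ActionRegex $_) })
    $denied  = @($roleDef.NotActions | Where-Object { $action -match (ConvertTo-ActionRegex $_) })
    return ($allowed.Count -gt 0 -and $denied.Count -eq 0)
}

# With -Scope, Get-AzRoleAssignment also returns assignments inherited from
# the resource group, subscription and management group above this resource.
$assignments = Get-AzRoleAssignment -ObjectId $objectId -Scope $scope

$granting = foreach ($a in $assignments) {
    $def = Get-AzRoleDefinition -Id $a.RoleDefinitionId
    if (Test-RoleGrantsAction $def $needed) { $def.Name }
}

if ($granting) {
    "Roles granting ${needed}: $($granting -join ', ')"
} else {
    "No role assignment for $objectId grants $needed at $scope"
}

# Least-privilege alternative to Owner / User Access Administrator:
# a custom role that only manages locks. Built by cloning Reader as a template
# object, which is the documented way to construct a PSRoleDefinition.
$lockRole = Get-AzRoleDefinition -Name 'Reader'
$lockRole.Id = $null
$lockRole.Name = 'Lock Manager'                  # arbitrary name, assumption
$lockRole.Description = 'Create and delete management locks only'
$lockRole.Actions.Clear()
$lockRole.Actions.Add('Microsoft.Authorization/locks/*')
$lockRole.NotActions.Clear()
$lockRole.AssignableScopes.Clear()
$lockRole.AssignableScopes.Add('/subscriptions/<subscription id>')   # placeholder
New-AzRoleDefinition -Role $lockRole

# Assign it only on the container group, so the principal can lock that
# resource without gaining Owner-level rights anywhere else.
New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName 'Lock Manager' -Scope $scope
```

Run the first part before and after the role assignment: the "No role assignment ... grants" line is what corresponds to the AuthorizationFailed response in the question, and the error's note that recently granted access needs a credential refresh applies to the SDK client as well, so re-authenticate after assigning the role.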
0
votes

Ended up using Azure CLI instead of SDK:

az lock create --lock-type CanNotDelete --name PreventDelete --resource <resourceId>