0
votes

I was doing ARM template deployment from dev environment to PROD using DevOps pipelines.

Linked service connection parameters are configured in the release pipeline using Override Template parameter option at the time of deployment.

Yesterday a migration happened on ADLS from Gen1 to Gen2, and I tried to deploy the changes into PROD from DEV using ARM template deployment.

But I am getting the error below and the deployment is failing:

Authorization failed for template resource 'PROD_DataFactory/LS_PROD_SQLDB' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/LS_PROD_SQLDB'.:
Authorization failed for template resource 'PROD_DataFactory/ADF_KV' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/ADF_KV'.:
Authorization failed for template resource 'PROD_DataFactory/ADLS_LinkedService_v2' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/ADLS_LinkedService_v2'.:
Authorization failed for template resource 'PROD_DataFactory/Adfblobstorageitcdatalake' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/Adfblobstorageitcdatalake'.:
Authorization failed for template resource 'PROD_DataFactory/Auto_Cluster' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/Auto_Cluster'.:
Authorization failed for template resource 'PROD_DataFactory/AzureDataLakeStore1' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/AzureDataLakeStore1'.:
Authorization failed for template resource 'PROD_DataFactory/AzureDataLakeStore1_v2' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/AzureDataLakeStore1_v2'.:
Authorization failed for template resource 'PROD_DataFactory/AzureDataLakeStore2' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/AzureDataLakeStore2'.:

Out of 30 linked services, 20 are showing the same error, and these were working fine before.

The interesting thing is, I have 2 key vault connections which connect to the same KV and have the same connection parameter. Out of those 2 KV connections, only one is throwing the error and the other does not throw any error.

Any idea why this error occurs, and why only for a few LS?

If it is because of the DevOps project's permission on Data Factory, how are a few linked services not throwing the error?

1 Answer

1
votes

The error looks like the service principal used in the Azure subscription service connection in Azure DevOps does not have the proper permission.

It could be caused by the automatically created service principal's client secret having expired.

If the service principal's client secret has not expired, you can check whether the service principal has the proper permission and add the proper role assignment accordingly.

See the steps below to add the Data Factory Contributor role to the service principal used in your Azure DevOps for your Azure Data Factory (i.e. PROD_DataFactory).

1. Go to the project settings of your ADO project --> Service connections --> click your Azure subscription service connection --> click Manage Service Principal

Note: If you already know the service principal, you can skip this step.


2. Go to your Azure Data Factory (i.e. PROD_DataFactory). Navigate to the Access control section --> click Add to add a role assignment --> add the Data Factory Contributor role to the service principal
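A triage helper for the error output in the question, added here as an example (it is not code from the original question or answer): it extracts the denied principal, action and scope from each line, groups them per data factory, and builds the Azure CLI equivalent of the portal steps above with the assignment scoped to the factory rather than the whole subscription. The sample log is constructed from the question's error format with placeholder IDs, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the question's error format; IDs are placeholders.
LINE = ("Authorization failed for template resource 'PROD_DataFactory/{ls}' of type "
        "'Microsoft.DataFactory/factories/linkedServices'. The client '<client-id>' with "
        "object id '<object-id>' does not have permission to perform action "
        "'Microsoft.DataFactory/factories/linkedServices/write' at scope "
        "'/subscriptions/<subscription-id>/resourceGroups/PROD-ResourceGroup/providers/"
        "Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/{ls}'.:")
SAMPLE_LOG = "\n".join(LINE.format(ls=n) for n in ("LS_PROD_SQLDB", "ADF_KV"))

ERROR_RE = re.compile(
    r"Authorization failed for template resource '(?P<resource>[^']+)' "
    r"of type '(?P<type>[^']+)'\. The client '(?P<client>[^']+)' "
    r"with object id '(?P<object_id>[^']+)' does not have permission to "
    r"perform action '(?P<action>[^']+)' at scope '(?P<scope>[^']+)'")
FACTORY_RE = re.compile(r"(/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
                        r"Microsoft\.DataFactory/factories/[^/]+)")

def parse_failures(log):
    """Return one dict per authorization failure found in the deployment log."""
    return [m.groupdict() for m in ERROR_RE.finditer(log)]

def factory_scope(scope):
    """Trim a child-resource scope back to its parent data factory, or None."""
    m = FACTORY_RE.match(scope)
    return m.group(1) if m else None

def summarize(failures):
    """Group denied actions and resources by (principal object id, factory scope)."""
    groups = defaultdict(lambda: {"actions": set(), "resources": []})
    for f in failures:
        key = (f["object_id"], factory_scope(f["scope"]))
        groups[key]["actions"].add(f["action"])
        groups[key]["resources"].append(f["resource"])
    return dict(groups)

def role_assignment_command(object_id, scope, role="Data Factory Contributor"):
    """Build the CLI form of step 2, limited to the one factory that needs it."""
    return (f'az role assignment create --assignee-object-id "{object_id}" '
            f'--assignee-principal-type ServicePrincipal '
            f'--role "{role}" --scope "{scope}"')

if __name__ == "__main__":
    for (oid, scope), info in summarize(parse_failures(SAMPLE_LOG)).items():
        print(f"{oid}: {len(info['resources'])} resources denied {sorted(info['actions'])}")
        print(role_assignment_command(oid, scope))
```

If the summary shows more than one object id or factory scope, the pipeline is deploying with a different identity or to a different factory than expected, which is worth resolving before granting any role.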