search

Azure-Samples / azure-search-openai-demo

A sample app for the Retrieval-Augmented Generation pattern running in Azure, using Azure AI Search for retrieval and Azure OpenAI large language models to power ChatGPT-style and Q&A experiences.
https://azure.microsoft.com/products/search
MIT License
6.15k stars 4.18k forks source link

Microsoft.Resources/deployments/operationStatuses/read error #848

Open floari opened 1 year ago

floari commented 1 year ago

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [X] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Create Azure RG Set Owner Permission to RG Set CustomRole with "Microsoft.Resources/deployments/write" to Subscription deploy

Any log messages given by the failure

ERROR: deployment failed: failing invoking action 'provision', error deploying infrastructure: deploying to subscription:

Deployment Error Details: AuthorizationFailed: The client 'xxxxx' with object id 'xxxx' does not have authorization to perform action 'Microsoft.Resources/deployments/operationStatuses/read' over scope '/subscriptions/xxxxx/providers/Microsoft.Resources/deployments/xxxxx/operationStatuses/08585035367462556292' or the scope is invalid. If access was recently granted, please refresh your credentials.

Expected/desired behavior

Successfull deployment

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)

Windows 10

azd version?

run azd version and copy paste here.

1.4.2

Versions

Mention any other details that might be useful

Thanks! We'll be in touch soon.

pamelafox commented 1 year ago

@vhvb1989 Does a developer also need Microsoft.Resources/deployments/operationStatuses/read for a standard azd deployment? If so, our README needs updating. And/or perhaps there's a script we can provide that'd make exactly the roles required for azd deployment.

vhvb1989 commented 1 year ago

Yes, azd needs to list all deployments from the subscription, as it will try to find a previous deployment with the tag with the name of the environment.

@floari , are you running azd up or azd provision (or it doesn't matter) ?

Can you provide the logs adding --debug flag when running the command? Thank you

vhvb1989 commented 1 year ago

@pamelafox , azd usually relies on the user as a Subcription-contributor/owner/admin.

We don't have a list of individual roles required for each azd-command. I'll create an issue for this and check with the team if we want to create and maintain such list.

vhvb1989 commented 1 year ago

azd issue to follow up: https://github.com/Azure/azure-dev/issues/2899

floari commented 1 year ago

@vhvb1989

2023/10/24 07:18:05 main.go:48: Retry: response 403 2023/10/24 07:18:05 main.go:48: Retry: exit due to non-retriable status code 2023/10/24 07:18:05 main.go:48: LongRunningOperation: END PollUntilDone() for *async.Poller[github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources.DeploymentsClientCreateOrUpdateAtSubscriptionScopeResponse]: GET https://management.azure.com/subscriptions/XXXXXXX/providers/Microsoft.Resources/deployments/XXXXX-1698131884/operationStatuses/08585034749990621743

RESPONSE 403: 403 Forbidden ERROR CODE: AuthorizationFailed

{ "error": { "code": "AuthorizationFailed", "message": "The client 'XXXXX' with object id 'XXXXX' does not have authorization to perform action 'Microsoft.Resources/deployments/operationStatuses/read' over scope '/subscriptions/XXXXX/providers/Microsoft.Resources/deployments/XXXXX-1698131884/operationStatuses/08585034749990621743' or the scope is invalid. If access was recently granted, please refresh your credentials." } }

, total time: 34.346387ms

ERROR: deployment failed: failing invoking action 'provision', error deploying infrastructure: deploying to subscription:

Deployment Error Details: AuthorizationFailed: The client 'XXXXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Resources/deployments/operationStatuses/read' over scope '/subscriptions/XXXXX/providers/Microsoft.Resources/deployments/XXXX-1698131884/operationStatuses/08585034749990621743' or the scope is invalid. If access was recently granted, please refresh your credentials.

TraceID: 336d7520a46447a0fef34d6816adc905

github-actions[bot] commented 10 months ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this issue will be closed.