Azure / Azure-Spring-Apps

Azure Spring Cloud
MIT License

AuthorizationFailed need permission for 'Microsoft.AppPlatform/Spring/gateways/listEnvSecrets/action' #37

Open ezYakaEagle442 opened 1 year ago

ezYakaEagle442 commented 1 year ago

Describe the bug

The client 'xxxx@vmware.com' with object id 'XXXXXX does not have authorization to perform action 'Microsoft.AppPlatform/Spring/gateways/listEnvSecrets/action' over scope '/subscriptions/xxxx/resourceGroups/rg-iac-asa-petclinic-mic-srv/providers/Microsoft.AppPlatform/Spring/asae-petcliasa/gateways/default' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed)

To Reproduce

Steps to reproduce the behavior:

  1. Create a guest User on the Tenant
  2. At the ASA-E level, click on IAM
  3. Add role 'Azure Spring Cloud Data Reader' to this user
  4. Ask this guest user to connect to the portal
  5. Ask this guest user to switch Directory to go your Tenant
  6. Ask this guest user to click on the Azure Spring Cloud Gateway

Expected behavior

A Built-in role should be created and documented

Screenshots

[screenshot: ASA-E Spring Cloud Gateway Custom Role]

Additional context

I had to create a custom Role and add permission 'Other: List environment variables secret for Microsoft Azure Spring Apps Spring Cloud Gateway'

Can we contact you for additional details? Y

If yes, please send us your contact information to AzureSpringCloud-Talk@service.microsoft.com and include the issue number in the email title.
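A least-privilege version of the custom role described above, written as an added example (not code from the issue, its reporter, or the Azure Spring Apps project): it grants the 'Microsoft.AppPlatform/Spring/gateways/listEnvSecrets/action' operation from the error message plus read-only access, instead of cloning Contributor. It assumes that the two */read actions are what the service and gateway blades need to open, and uses a placeholder subscription id.

```shell
#!/usr/bin/env sh
# Added example, not from the issue or the Azure Spring Apps project.
# Assumptions (not stated on the page): the two */read actions below are what the
# service and gateway blades need; SUBSCRIPTION_ID is a placeholder.
# Usage: ./gateway-secrets-role.sh [--apply <principal> <resource-group> <service-name>]
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
ROLE_NAME="Spring Cloud Gateway Secrets Reader"

# Emit the role definition JSON that 'az role definition create' consumes.
role_definition_json() {
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "IsCustom": true,
  "Description": "Read Azure Spring Apps and list Spring Cloud Gateway env secrets (custom, read-only)",
  "Actions": [
    "Microsoft.AppPlatform/Spring/read",
    "Microsoft.AppPlatform/Spring/gateways/read",
    "Microsoft.AppPlatform/Spring/gateways/listEnvSecrets/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/${SUBSCRIPTION_ID}"]
}
EOF
}

# Check before touching Azure: the definition must contain the action named in the
# AuthorizationFailed message and must not grant write, delete or wildcard actions.
role_definition_is_least_privilege() {
  json=$(role_definition_json)
  printf '%s' "$json" | grep -q 'Microsoft.AppPlatform/Spring/gateways/listEnvSecrets/action' || return 1
  printf '%s' "$json" | grep -Eq '"[^"]*/(write|delete)"' && return 1
  printf '%s' "$json" | grep -q '"\*"' && return 1
  return 0
}

# Create the role and assign it at the Azure Spring Apps service scope only when
# explicitly asked; otherwise just print the definition for review.
if [ "${1:-}" = "--apply" ]; then
  role_definition_is_least_privilege || { echo "role definition check failed" >&2; exit 1; }
  role_definition_json > role.json
  az role definition create --role-definition @role.json
  az role assignment create --assignee "$2" --role "$ROLE_NAME" \
    --scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/$3/providers/Microsoft.AppPlatform/Spring/$4"
else
  role_definition_json
fi
```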

ezYakaEagle442 commented 1 year ago

This should be documented at https://learn.microsoft.com/en-us/azure/spring-apps/how-to-permissions?tabs=Azure-portal

ninpan-ms commented 1 year ago

I have created a bug internally to track the issue and will add it to our document soon.

ninpan-ms commented 1 year ago

Tracked by another issue: https://github.com/Azure/Azure-Spring-Apps/issues/22

ninpan-ms commented 1 year ago

@ezYakaEagle442 I was trying to reproduce, but I found that the role "Azure Spring Cloud Data Reader" is not sufficient even for opening the service blade. Then I created a custom role which contains all permissions of the role "Contributor" but without "gateways/listEnvSecrets" and then assigned it to a user.

[image]

The user cannot access the service, but when the Spring Cloud Gateway blade opens, it pops up an error like below, which is expected:

[image]

Is that the same as what you met?