Error: LinkedAuthorizationFailed on configurating AppGW

[MohamedBenighil]

Describe the bug We received the following error on deploying our AppGW :

...
Event(v1.ObjectReference{Kind:"Pod", Namespace:"kube-system", Name:"ingress-appgw-deployment
-bf6785d8d-87lgm", UID:"uiuiduid-4dff-4496-ba43-0ed031542ed7", APIVersion:"v1", ResourceVersion:"102567", FieldPath:""}): type: 'Warning
' reason: 'FailedApplyingAppGwConfig' network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Origina
l Error: Code="LinkedAuthorizationFailed" Message="The client 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' with object id 'xxxxxxxx-551c-46a7-
b1c2-e4eb093784ce' has permission to perform action 'Microsoft.Network/applicationGateways/write' on scope '/subscriptions/xxxxxxxx-6a2d
-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev'; however, it does n
ot have permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscript
ions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-agw
-keyvault-kubota-dev' or the linked scope(s) are invalid."
...

To Reproduce Follow these steps

Ingress Controller details

• Output of kubectl describe pod -n kube-system ingress-appgw-deployment-76768b7d9d-bvmz9.

  Events:
  Type     Reason                     Age   From                       Message
  ----     ------                     ----  ----                       -------
  Normal   Scheduled                  6s    default-scheduler          Successfully assigned kube-system/ingress-appgw-deployment-76768b
  7d9d-bvmz9 to aks-agentpool-16208625-vmss000000
  Normal   Pulled                     7s    kubelet                    Container image "mcr.microsoft.com/azure-application-gateway/kube
  rnetes-ingress:1.5.2" already present on machine
  Normal   Created                    7s    kubelet                    Created container ingress-appgw-container
  Normal   Started                    6s    kubelet                    Started container ingress-appgw-container
  Warning  FailedApplyingAppGwConfig  6s    azure/application-gateway  network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending
  request: StatusCode=0 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client '26d26833-434a-4094-a124-82ddd684dc0c' wi
  th object id '26d26833-434a-4094-a124-82ddd684dc0c' has permission to perform action 'Microsoft.Network/applicationGateways/write' on sc
  ope '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/ag
  w-kubota-dev'; however, it does not have permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' o
  n the linked scope(s) '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers/Microsoft.ManagedIdent
  ity/userAssignedIdentities/id-agw-keyvault-kubota-dev' or the linked scope(s) are invalid."

PS: this issue is similar to this. And i run : az role assignment create --role "Managed Identity Operator" --assignee xxxxxxxx-551c-46a7-b1c2-e4eb093784ce --scope /subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev

And the permission was added successfully:

But the error mentioned in logs still present.

[akshaysngupta]

@MohamedBenighil This is a bug on AGIC. We will try to address this soon.