Azure / azure-sdk-for-go

This repository is for active development of the Azure SDK for Go. For consumers of the SDK we recommend visiting our public developer docs at:
https://docs.microsoft.com/azure/developer/go/
MIT License

AuthorizationFailed #23235

Closed aohanhongzhi closed 1 month ago

aohanhongzhi commented 1 month ago

Service Package Request

https://github.com/Azure-Samples/azure-sdk-for-go-samples.git

https://github.com/Azure-Samples/azure-sdk-for-go-samples/tree/main/sdk/resourcemanager/network/securitygroups

I have created an App registration, but I don't know how to connect it to my VM resource.


GOROOT=/opt/eric/go #gosetup
GOPATH=/home/eric/Project/Go #gosetup
GOPROXY=https://goproxy.cn,direct #gosetup
GONOPROXY= #gosetup
/opt/eric/go/bin/go build -o /home/eric/.cache/JetBrains/GoLand2024.2/tmp/GoLand/___go_build_github_com_Azure_Samples_azure_sdk_for_go_samples_sdk_resourcemanager_network_securitygroups github.com/Azure-Samples/azure-sdk-for-go-samples/sdk/resourcemanager/network/securitygroups #gosetup
/home/eric/.cache/JetBrains/GoLand2024.2/tmp/GoLand/___go_build_github_com_Azure_Samples_azure_sdk_for_go_samples_sdk_resourcemanager_network_securitygroups
2024/07/23 11:18:19 PUT https://management.chinacloudapi.cn/subscriptions/75a2691b-c0a3-410f-9ea1-2aff67fcb91c/resourcegroups/vm-rblc-grow-put_group
--------------------------------------------------------------------------------
RESPONSE 403: 403 Forbidden
ERROR CODE: AuthorizationFailed
--------------------------------------------------------------------------------
{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client '3e743de1-81c1-4cc4-a0f3-4055a21b1d1f' with object id '3e743de1-81c1-4cc4-a0f3-4055a21b1d1f' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/75a2691b-c0a3-410f-9ea1-2aff67fcb91c/resourcegroups/vm-rblc-grow-put_group' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}
--------------------------------------------------------------------------------

Process finished with the exit code 1
jhendrixMSFT commented 1 month ago

@chlowell do we have an e2e example for this?

chlowell commented 1 month ago

Judging by the error message, it appears what's missing here is assigning a role to the service principal allowing it to add resources to the resource group, such as the built-in "Contributor" role. We have this document describing RBAC (Role Based Access Control) for SDK users. It's based on the Microsoft Learn's RBAC overview and role assignment guide.

@aohanhongzhi can you please try adding a role assignment for your service principal? "Contributor" scoped to the resource group should suffice.

github-actions[bot] commented 1 month ago

Hi @aohanhongzhi. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

aohanhongzhi commented 1 month ago

> Judging by the error message, it appears what's missing here is assigning a role to the service principal allowing it to add resources to the resource group, such as the built-in "Contributor" role. We have this document describing RBAC (Role Based Access Control) for SDK users. It's based on the Microsoft Learn's RBAC overview and role assignment guide.
>
> @aohanhongzhi can you please try adding a role assignment for your service principal? "Contributor" scoped to the resource group should suffice.

Thanks for your reply. I want to update networkSecurityGroups, but I didn't find any role which has the 'Microsoft.Network/networkSecurityGroups/write' permission. So could you tell me which role has the permission?

[screenshot: Snipaste_2024-07-23_16-56-44]

All roles (only 35) here:

[screenshot: Snipaste_2024-07-24_09-28-22]

[screenshot: Snipaste_2024-07-24_09-28-53]

Is there any permission that hasn't been granted to me?

chlowell commented 1 month ago

The "Contributor" role I mentioned above is a "privileged administrator role" listed separately:


The less privileged Network Contributor role should do as well; it has Microsoft.Network/* permissions.

If you can't find appropriate built-in roles, you can define a custom role.
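As an added illustration of the RBAC reasoning in the answer above (this is example code, not part of the issue thread or of azure-sdk-for-go), the following Go program models how Azure evaluates a role definition's Actions and NotActions against an operation, checks the two operations that appear in this thread (the NSG write the reporter wants, and the resource group write that the 403 in the first post actually denied) against Contributor and Network Contributor, builds the resource-group scope string for a role assignment, and emits a least-privilege custom role definition for the case where no built-in role fits. The built-in role definitions are abbreviated assumptions for the example, not the authoritative lists; the only fact taken from the thread is that Network Contributor carries Microsoft.Network/*. The subscription and resource group names are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// RoleDefinition is a minimal model of an Azure RBAC role definition:
// Actions grant control-plane operations, NotActions subtract from them.
type RoleDefinition struct {
	Name       string   `json:"roleName"`
	Actions    []string `json:"actions"`
	NotActions []string `json:"notActions"`
}

// Abbreviated built-in roles (assumption for this example; confirm with
// `az role definition list --name "<role>"` before relying on them).
var (
	Contributor = RoleDefinition{
		Name:    "Contributor",
		Actions: []string{"*"},
		NotActions: []string{
			"Microsoft.Authorization/*/Delete",
			"Microsoft.Authorization/*/Write",
			"Microsoft.Authorization/elevateAccess/Action",
		},
	}
	NetworkContributor = RoleDefinition{
		Name: "Network Contributor",
		Actions: []string{
			"Microsoft.Authorization/*/read",
			"Microsoft.Network/*", // stated in the thread
			"Microsoft.Resources/deployments/*",
			"Microsoft.Resources/subscriptions/resourceGroups/read",
		},
	}
)

// matchAction reports whether an RBAC action pattern covers an operation.
// Azure wildcards ("*") match any run of characters, slashes included,
// and operation strings are compared case-insensitively.
func matchAction(pattern, operation string) bool {
	parts := strings.Split(pattern, "*")
	for i, p := range parts {
		parts[i] = regexp.QuoteMeta(p)
	}
	re := regexp.MustCompile("(?i)^" + strings.Join(parts, ".*") + "$")
	return re.MatchString(operation)
}

// Permits applies the evaluation rule: an operation is allowed when some
// Actions entry matches it and no NotActions entry matches it.
func (r RoleDefinition) Permits(operation string) bool {
	allowed := false
	for _, a := range r.Actions {
		if matchAction(a, operation) {
			allowed = true
			break
		}
	}
	if !allowed {
		return false
	}
	for _, n := range r.NotActions {
		if matchAction(n, operation) {
			return false
		}
	}
	return true
}

// ResourceGroupScope builds the scope string used when assigning a role
// to a service principal at resource-group level.
func ResourceGroupScope(subscriptionID, resourceGroup string) string {
	return fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", subscriptionID, resourceGroup)
}

// LeastPrivilegeRole builds a custom role definition granting only the listed
// operations, assignable at the given scope (custom-role JSON shape).
func LeastPrivilegeRole(name string, operations []string, scope string) ([]byte, error) {
	role := struct {
		RoleDefinition
		AssignableScopes []string `json:"assignableScopes"`
	}{
		RoleDefinition{Name: name, Actions: operations, NotActions: []string{}},
		[]string{scope},
	}
	return json.MarshalIndent(role, "", "  ")
}

func main() {
	ops := []string{
		"Microsoft.Network/networkSecurityGroups/write",           // what the reporter wants
		"Microsoft.Resources/subscriptions/resourcegroups/write", // what the 403 denied
	}
	for _, role := range []RoleDefinition{Contributor, NetworkContributor} {
		for _, op := range ops {
			fmt.Printf("%-20s %-55s %v\n", role.Name, op, role.Permits(op))
		}
	}
	scope := ResourceGroupScope("<subscription-id>", "<resource-group>") // placeholders
	js, _ := LeastPrivilegeRole("NSG Writer (custom)", ops[:1], scope)
	fmt.Println(string(js))
}
```

The check is worth running before picking a role: with the abbreviated definitions above, Network Contributor permits the NSG write but not the resource group write, so if the sample still creates the resource group (as the first post's PUT shows) the assignment needs Contributor at that scope, or the resource group must exist beforehand. The custom role is the least-privilege option when only the NSG write is required.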

github-actions[bot] commented 1 month ago

Hi @aohanhongzhi. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

github-actions[bot] commented 1 month ago

Hi @aohanhongzhi, since you haven’t asked that we /unresolve the issue, we’ll close this out. If you believe further discussion is needed, please add a comment /unresolve to reopen the issue.