hotosm / tf-azure-osm-seed


403 for 'Microsoft.StoragePool/register/action' #6

Closed geohacker closed 2 years ago

geohacker commented 2 years ago

The switch over to HOT's Azure account resulted in an error:

 Original Error: Cannnot register providers: Microsoft.StoragePool. Errors were: Cannot register provider Microsoft.StoragePool with Azure Resource Manager: resources.ProvidersClient#Register: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'xxxx' with object id 'xxxx' does not have authorization to perform action 'Microsoft.StoragePool/register/action' over scope '/subscriptions/***' or the scope is invalid. If access was recently granted, please refresh your credentials.".

Not sure how much to trust this error message itself, but I think we should try creating a custom role with the Microsoft.StoragePool/register/action action. Here are the steps to do that:

Save the role definition as a JSON file, osm-seed-role.json

{
    "Name": "OSM Seed Deployer",
    "IsCustom": true,
    "Description": "Can create and maintain an OSM Seed Stack.",
    "Actions": [
      "Microsoft.StoragePool/register/action"
    ],
    "NotActions": [
    ],
    "AssignableScopes": [
      "/subscriptions/{subscriptionId}"
    ]
}

Create the role

az role definition create --role-definition osm-seed-role.json

Assign the role

az role assignment create --assignee "{service_principal_object_id}" \
--role "OSM Seed Deployer" \
--scope "/subscriptions/{id}/resourceGroups/{osm-seed_rg_name}"
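The three steps above (write the role definition, create it, assign it) as one script. This is an added example, not code from the hotosm/tf-azure-osm-seed repo: the subscription ID and service-principal object ID are placeholders, and the two Microsoft.Authorization/roleAssignments actions are an assumption about what "write access for role assignments" means in the resolution below, not something the thread spells out. The assignment is made at subscription scope rather than resource-group scope, because provider registration (Microsoft.StoragePool/register/action) is a subscription-level operation and the 403 above is reported over '/subscriptions/...'; a resource-group-scoped assignment does not cover it.

```bash
#!/usr/bin/env bash
# Added example (not from the hotosm/tf-azure-osm-seed repo): build a least-privilege
# custom role for the deployer, assign it at subscription scope, and verify the
# provider registration the 403 complained about. Subscription ID, service-principal
# object ID and the extra roleAssignments actions are assumptions, not from the thread.
set -eu

# Emit the role definition JSON for a given subscription.
osm_seed_role_json() {
  subscription_id="$1"
  cat <<EOF
{
  "Name": "OSM Seed Deployer",
  "IsCustom": true,
  "Description": "Can create and maintain an OSM Seed Stack.",
  "Actions": [
    "Microsoft.StoragePool/register/action",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/${subscription_id}"
  ]
}
EOF
}

# Return success if the generated definition grants a given action (fixed-string grep,
# no jq dependency). Useful as a pre-flight check before touching the subscription.
role_has_action() {
  subscription_id="$1"
  action="$2"
  osm_seed_role_json "$subscription_id" | grep -Fq "\"${action}\""
}

# Create (or update, if it already exists) the role, assign it to the service principal
# at SUBSCRIPTION scope, then print the provider's registration state. Requires a
# logged-in az CLI; not invoked by the self-test below.
apply_osm_seed_role() {
  subscription_id="$1"
  sp_object_id="$2"
  tmp="$(mktemp)"
  osm_seed_role_json "$subscription_id" > "$tmp"
  if az role definition list --name "OSM Seed Deployer" --query '[0].roleName' -o tsv | grep -q .; then
    az role definition update --role-definition "$tmp"
  else
    az role definition create --role-definition "$tmp"
  fi
  az role assignment create --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --role "OSM Seed Deployer" \
    --scope "/subscriptions/${subscription_id}"
  rm -f "$tmp"
  # "Registered" here means the provider is usable; "NotRegistered" means the SP still
  # needs to (and now should be able to) register it on the next terraform apply.
  az provider show --namespace Microsoft.StoragePool --query registrationState -o tsv
}

# Usage (not run here):
#   apply_osm_seed_role "<subscription-id>" "<service-principal-object-id>"
```

Two caveats a practitioner should keep in mind: Azure RBAC changes can take a few minutes to propagate, and the error text's "If access was recently granted, please refresh your credentials" is literal, so a re-run immediately after the assignment can still 403. If registering providers is the only reason the deployer needs subscription-wide permissions, the azurerm Terraform provider's `skip_provider_registration` setting (registering Microsoft.StoragePool once by hand as an admin) avoids granting the register action to the CI principal at all.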

dakotabenjamin commented 2 years ago

Still the same error: https://github.com/hotosm/tf-azure-osm-seed/runs/5483573685?check_suite_focus=true

geohacker commented 2 years ago

This is resolved. Had to add additional roles and modify the custom role to provide write access for role assignments. All are updated in the README.md