
In my Azure Bicep deployment I am deploying to a resource group (RG2) and trying to refer to Azure resources (e.g. a Service Bus) in another resource group (RG1) using the "scope" property.

For example:

  // The symbolic name, resource type and API version are not in the post; they are shown here as assumptions.
  resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
    name: resourceNames.storageAccountName
    scope: resourceGroup(resourceNames.coreRG)
  }

Whenever I use scope, it gives me an error:

"The client '[email protected]' with object id 'xxx' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/xxx/resourcegroups/yyyy/providers/Microsoft.Web/sites/zzzz' or the scope is invalid. If access was recently granted, please refresh your credentials."

However, if I remove the scope and deploy everything to the same resource group (RG1), it works successfully.

I am trying it on my personal subscription to rule out any permissions issues.
I have the following permission:
Service Administrator: has full access to all resources in the subscription.

I even added "Contributor" on RG1 as an add-on, but it did not help.

Any help will be appreciated.

2 Answers


  1. Chosen as BEST ANSWER

    I did have "Contributor" permissions on both Resource Groups.

    As simple and silly as it seems, the issue was due to a wrong resource group name (I missed out a suffix).

    The error was not very helpful, and I suppose it's more inclined to this part of the error message: "or the scope is invalid".

    Thanks all for your help !


  2. "The client '[email protected]' with object id 'xxx' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope 'xx'"

    This error occurs when you lack permissions to access or retrieve the resources from the resource groups.

    Firstly, make sure that you have read permissions on resource group RG1, since the error names the action Microsoft.Web/sites/read.

    And you need Contributor permissions on resource group RG2 to deploy the resources into it.

    Contributor is the minimum role you need to assign on both resource groups in this scenario.

    Add a Reader role on RG1 using the Azure Portal or the CLI command below:

    az role assignment create --assignee xxxx.onmicrosoft.com --role Reader --scope ""

    Or, as @Thomas suggested, an Owner or Contributor role at the subscription level will give you full access without any restrictions.
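The cross-resource-group reference the question is about, written out as a complete Bicep file, together with the permission split the second answer describes. This is an added example, not code from the question or either answer: the parameter names, resource names, SKU and API versions are assumptions chosen for illustration. The file is deployed to the target resource group (RG2) and only reads from the shared group (RG1).

```bicep
// Added example, not from the original post. Deploy to the target resource group (RG2):
//   az deployment group create --resource-group RG2 --template-file main.bicep \
//     --parameters coreRG=RG1 serviceBusNamespaceName=<ns> storageAccountName=<sa> webAppName=<app>
// Parameter names, resource names, SKU and API versions are assumptions for illustration.
targetScope = 'resourceGroup'

@description('Resource group that holds the shared resources (RG1). A typo here fails with "... or the scope is invalid", the same message as a missing permission.')
param coreRG string

@description('Existing Service Bus namespace in coreRG.')
param serviceBusNamespaceName string

@description('Existing storage account in coreRG.')
param storageAccountName string

@description('Web app to create in the target resource group (RG2).')
param webAppName string

param location string = resourceGroup().location

// `existing` creates nothing: the deployment only needs read access on coreRG
// (Microsoft.ServiceBus/namespaces/read, Microsoft.Storage/storageAccounts/read),
// which the Reader role grants.
resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
  name: serviceBusNamespaceName
  scope: resourceGroup(coreRG)
}

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
  scope: resourceGroup(coreRG)
}

// Created in the target RG, so Contributor is needed there.
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: '${webAppName}-plan'
  location: location
  sku: {
    name: 'B1'
  }
}

// A system-assigned identity lets the app authenticate to Service Bus and Storage
// without copying keys into app settings; listKeys() on the namespace would need
// the listKeys action, which Reader on coreRG does not include.
resource webApp 'Microsoft.Web/sites@2022-09-01' = {
  name: webAppName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      appSettings: [
        {
          name: 'ServiceBus__FullyQualifiedNamespace'
          value: '${serviceBus.name}.servicebus.windows.net'
        }
        {
          name: 'Storage__BlobEndpoint'
          value: storageAccount.properties.primaryEndpoints.blob
        }
      ]
    }
  }
}

output serviceBusEndpoint string = serviceBus.properties.serviceBusEndpoint
output webAppPrincipalId string = webApp.identity.principalId
```

Two practical notes. Because a misspelled `coreRG` and a missing read permission produce the same error text, run `az group show --name RG1` (and `az deployment group what-if` with the same parameters) before the real deployment to separate the two cases. And the identity created here still has no data-plane rights: granting it a Service Bus or Storage data role is a role assignment scoped to the resource in RG1, which requires Microsoft.Authorization/roleAssignments/write (Owner or User Access Administrator on that scope), something neither Reader nor Contributor on RG1 provides.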
