In my Azure Bicep deployment, I am deploying to a resource group (RG2) and trying to refer to Azure resources (e.g. Service Bus) from another resource group (RG1) using the "scope" property.
e.g.:
    name: resourceNames.storageAccountName
    scope: resourceGroup(resourceNames.coreRG)
}
Whenever I am using scope, it gives me an error:
"The client '[email protected]' with object id 'xxx' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/xxx/resourcegroups/yyyy/providers/Microsoft.Web/sites/zzzz' or the scope is invalid. If access was recently granted, please refresh your credentials."
However, if I remove the scope and deploy everything to the same resource group (RG1), it works successfully.
I am trying it on my personal subscription to rule out any permissions issues.
I have the following permission:
Service Administrator : Has full access to all resources in the subscription
I even added "Contributor" to RG1 as an add-on but it did not help.
Any help will be appreciated.
2 Answers
I did have "Contributor" permissions on both Resource Groups.
As simple and silly as it seems, the issue was due to a wrong Resource Group name (missed out a suffix).
The error was not very helpful, and I suppose it's more inclined to this part of the error message: "or the scope is invalid".
Thanks all for your help!
This error occurs when you lack permissions to access or retrieve the resources from resource groups.
Firstly, make sure that you have "read" permissions on resource group (RG1) according to the error "Microsoft.Web/sites/read". And you need to have "Contributor" permissions on resource group (RG2) to deploy the resources into it. "Contributor" is the minimum role you need to provide for both resource groups in this scenario.
Add a "reader" role to RG1 using the Azure Portal or the CLI command below: az role assignment create --role
Or, as @Thomas suggested, an "Owner" or "Contributor" role at the subscription level will give you full access without any restrictions.
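A preflight check for the failure both answers discuss, as an added example that is not part of the original posts: it separates a mistyped resource group name (the "or the scope is invalid" half of the error) from a missing role assignment before the Bicep deployment runs. The function names are hypothetical, and the values in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original posts.
# Usage (placeholders): preflight "<user-or-object-id>" "<RG1>" "<RG2>"

# check_scope RG ASSIGNEE
# Return codes:
#   0 = group exists and ASSIGNEE holds at least one role on it
#   1 = the az call itself failed (not logged in, network error, ...)
#   2 = group does not exist in the current subscription (invalid scope)
#   3 = group exists but no role assignment was found (authorization)
check_scope() {
  local rg="$1"
  local assignee="$2"
  local exists roles

  # "az group exists" prints true or false for the active subscription.
  exists="$(az group exists --name "$rg")" || return 1
  if [ "$exists" != "true" ]; then
    echo "$rg: resource group not found; check the name passed to resourceGroup()"
    return 2
  fi

  # List role names, including ones inherited from the subscription scope.
  roles="$(az role assignment list --assignee "$assignee" \
            --resource-group "$rg" --include-inherited \
            --query "[].roleDefinitionName" -o tsv)" || return 1
  if [ -z "$roles" ]; then
    echo "$rg: exists, but $assignee has no role assignment on it"
    return 3
  fi

  echo "$rg: exists; roles for $assignee: $(echo "$roles" | tr '\n' ' ')"
  return 0
}

# preflight ASSIGNEE RG...
# Checks every resource group the template references; returns 1 if any fails.
preflight() {
  local assignee="$1"
  local failed=0
  local rg
  shift
  for rg in "$@"; do
    check_scope "$rg" "$assignee" || failed=1
  done
  return "$failed"
}
```

Run it with the exact strings the template passes to resourceGroup(), so a missing suffix shows up as "not found" rather than as an authorization error. Classic administrator roles such as Service Administrator are not Azure RBAC role assignments and may not appear in this listing.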