
I have 2 container images I would like to deploy (https://hub.docker.com/r/neotys/neoload-controller and https://hub.docker.com/r/neotys/neoload-loadgenerator). I would like to deploy them into an existing subnet so that they can access resources on our internal network. However, when I attempt to, I get a resource error:

{"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Resources/deployments/$CONTAINER_GROUP","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"InaccessibleNetworkResource","message":"The client ‘$CLIENT_ID’ with object id ‘$CLIENT_ID’ does not have authorization to perform action ‘Microsoft.Resources/subscriptions/resourcegroups/providers/read’ over scope ‘/subscriptions/$SUBSCRIPTION_ID/resourcegroups/$RESOURCE_GROUP/providers/Microsoft.Network’ or the scope is invalid. If access was recently granted, please refresh your credentials."}]}}

I created the subnet within the desired resource group, so I should have permissions. I can see it in Azure portal.

2 Answers


  1. The error message indicates that the Azure Resource Manager (ARM) client does not have permission to read the resource group. This can happen for a few reasons:

    • The client does not have the necessary permissions on the resource group.
    • The client’s credentials have expired.
    • There is a problem with the Azure Active Directory (Azure AD) service.

    Verify the points below suggested by MS for the DeploymentFailed error message, and also verify your details with az account show and upgrade to the latest version if necessary using az upgrade.

    Check the permissions for the user or role that the client is using to access the resource group. Finally, if required, create a fresh service principal and grant it the necessary permissions on the resource group:

    az ad sp create-for-rbac --name neotys-service-principal 
    

    and get the application ID and client secret for the service principal from the output.

    Assign this service principal the Reader role on the resource group using

    # --assignee takes the application ID (or object ID), not the display name
    az role assignment create --assignee "$APPLICATION_ID" --role Reader --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"
    

    and deploy the container groups using

    # az container create has no service principal flags, so sign in as the service principal first
    # ($TENANT_ID is the tenant value from the create-for-rbac output)
    az login --service-principal --username "$APPLICATION_ID" --password "$CLIENT_SECRET" --tenant "$TENANT_ID"
    # $SUBNET must be the subnet's resource ID unless --vnet is also given
    az container create --name neotys-controller --image neotys/neoload-controller --resource-group "$RESOURCE_GROUP" --subnet "$SUBNET"
    az container create --name neotys-loadgenerator --image neotys/neoload-loadgenerator --resource-group "$RESOURCE_GROUP" --subnet "$SUBNET"
    

    Once the container groups have been deployed, you should be able to access them from your internal network.

    Reference documents:
    MS Doc
    Deployment failed error checks

  2. I don’t have privileges to comment, sorry for that. I am stuck with the same error. This is what I observed: the permission in the error is not available in the Azure portal, whereas another permission is available.

    perm not available

    Microsoft.Resources/subscriptions/resourceGroups/providers/read not available
    

    perm available

    Microsoft.Resources/subscriptions/resourceGroups/read is available
    

    @Walter can you please explain the corporate process?

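An added example, not code from either answer: it pulls the denied action and scope out of the deployment error in the question and evaluates them against role definitions the way Azure RBAC matches Actions and NotActions (wildcards, case-insensitive). The role table is a simplified shape of `az role definition list` output; `Reader` carries the built-in `*/read` action, and `rg-read-only` is a constructed custom role holding only the permission answer 2 found in the portal.

```python
import fnmatch
import json
import re

# Constructed input: the error from the question, cut down to its "details" entry.
DEPLOYMENT_ERROR = json.dumps({"status": "Failed", "error": {"code": "DeploymentFailed", "details": [{
    "code": "InaccessibleNetworkResource",
    "message": "The client ‘$CLIENT_ID’ with object id ‘$CLIENT_ID’ does not have authorization "
               "to perform action ‘Microsoft.Resources/subscriptions/resourcegroups/providers/read’ "
               "over scope ‘/subscriptions/$SUBSCRIPTION_ID/resourcegroups/$RESOURCE_GROUP"
               "/providers/Microsoft.Network’ or the scope is invalid."}]}})

# Simplified role definitions (assumption: only actions/notActions are kept).
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "rg-read-only": {"actions": ["Microsoft.Resources/subscriptions/resourceGroups/read"],
                     "notActions": []},  # constructed custom role
}

DENIED = re.compile(r"perform action ['‘](?P<action>[^'’]+)['’] over scope ['‘](?P<scope>[^'’]+)['’]")

def denied_requests(error_json):
    """Return (action, scope) for every authorization failure in the error body."""
    details = json.loads(error_json)["error"].get("details", [])
    return [(m["action"], m["scope"]) for d in details for m in DENIED.finditer(d.get("message", ""))]

def _matches(pattern, action):
    # Action strings compare case-insensitively; * matches any run of characters, "/" included.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def role_allows(role, action):
    """True when an Actions entry matches and no NotActions entry does."""
    allowed = any(_matches(p, action) for p in role["actions"])
    return allowed and not any(_matches(p, action) for p in role["notActions"])

def scope_covers(assignment_scope, request_scope):
    """A role assignment applies to its own scope and to every scope beneath it."""
    a, r = assignment_scope.rstrip("/").lower(), request_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def check(error_json, roles, assignment_scope):
    """For each denied request, list the roles that would grant it at assignment_scope."""
    return [{"action": action, "in_scope": scope_covers(assignment_scope, scope),
             "granted_by": [name for name, role in roles.items() if role_allows(role, action)]}
            for action, scope in denied_requests(error_json)]

if __name__ == "__main__":
    for row in check(DEPLOYMENT_ERROR, ROLES, "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"):
        print(row)
```

The denied action never has to appear as its own entry in a role: a wildcard entry such as `*/read` covers it, while the narrower `.../resourceGroups/read` does not.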