New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pool fails - authorization to perform action 'Microsoft.Batch/batchAccounts/pools/write' #154
Comments
How are you authenticating locally when you interact with Batch API? Given the error from Azure Container App (permission error) it seems like you are probably authenticating with two different methods. Can you verify the permissions on the SP you are using with azure container app service (sorry i'm not very familiar with container app service). |
So what I'm doing is explicitly creating a Pool and attaching a UserAssigned identity to it. I'm using DefaultAzureCredential to get a token and supply that to the batchmanagementclien. This works fine locally.
then later...
The odd thing is if I assign the UserManaged identity CONTRIBUTOR role in the batch service it will at least start creating the pool but then fails on provisioning the nodes with: Code: NodePreparationError Message:
Thank you! |
So As an update and for anyone else struggling with this issue, I was able to resolve this by creating a custom role in my resource group which inherits from the existing azure batch role. This seems like something MS could easily do so others wouldn't have to muddle through it. Side-note, I had to also add 'Assign User Assigned Identity' to the custom role. Once I had the role setup I granted my existing UserIdentity the role and everything worked. I'll probably work through removing some of the inherited Batch permissions but for now it's working. |
Problem Description
Running locally and the code to provisioin a pool and mount a fileshare works great. Once I deploy it to Azure container app serivce I get the following:
The client 'a15f98......' with object id 'a15f98.....' does not have authorization to perform action 'Microsoft.Batch/batchAccounts/pools/write' over scope '/subscriptions/235b2f.../resourceGroups/Br..../providers/Microsoft.Batch/batchAccounts/banx.../pools/626916.....' or the scope is invalid. If access was recently granted, please refresh your credentials.
C# .Net Management SDK. Works fine locally.
Any suggestions?
Steps to Reproduce
Expected Results
Pool would be provisioned, fileshare mounted. Works locally.
Actual Results
Additional Logs
Additonal Comments
The text was updated successfully, but these errors were encountered: