Client refresh / credential caching issues in dev and prod #66

Closed
jim-minter opened this issue Jan 11, 2020 · 4 comments

@jim-minter
Member

Saw an az aro create fail with the following storage deployment error messages:

{
    "error": {
        "code": "AuthorizationFailed",
        "message": "The client 'b9bc1545-a684-4e50-9a4d-2e2ee90bed6a' with object id 'b9bc1545-a684-4e50-9a4d-2e2ee90bed6a' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/write' over scope '/subscriptions/225e02bc-43d0-43d1-a01a-17e584a4ef69/resourcegroups/aro-6hwuovvq/providers/Microsoft.Storage/storageAccounts/clusterixgbq' or the scope is invalid. If access was recently granted, please refresh your credentials."
    }
}

Need to understand how to fix this.

jim-minter added the priority-high and size-medium labels on Jan 11, 2020
@jim-minter
Member Author

@julienstroheker we sometimes see this error, both in dev and in prod. It is like https://docs.microsoft.com/en-us/azure/role-based-access-control/troubleshooting#rbac-changes-are-not-being-detected . I assume there is some caching somewhere in ARM. I understand we should make the RBAC change, then refresh our access token; the problem is I think we are doing that correctly and we still get the error occasionally. Please can you look into this and try to understand what else we need to do? Does the v3 RP do additional tricks here?
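The pattern described in the comment above (change RBAC, refresh the token, call again), sketched as an added example that is not part of the thread or of this project's code. `callWithRefresh`, `isStaleRBAC` and `sampleStale` are hypothetical names, and `refresh` and `do` stand in for the caller's own token acquisition and ARM request; no Azure SDK calls are used.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// sampleStale is a constructed body in the shape of the error quoted in this issue.
const sampleStale = `{"error":{"code":"AuthorizationFailed","message":"If access was recently granted, please refresh your credentials."}}`

// isStaleRBAC reports whether a 403 carries the AuthorizationFailed code and the refresh hint.
func isStaleRBAC(status int, body []byte) bool {
	var e struct{ Error struct{ Code, Message string } }
	if status != 403 || json.Unmarshal(body, &e) != nil {
		return false
	}
	return e.Error.Code == "AuthorizationFailed" && strings.Contains(e.Error.Message, "refresh your credentials")
}

// callWithRefresh (hypothetical) gets a fresh token before each attempt and doubles the wait between them.
func callWithRefresh(limit int, wait time.Duration, refresh func() (string, error),
	do func(token string) (int, []byte, error)) (int, int, error) {
	for tries := 1; ; tries++ {
		token, err := refresh()
		if err != nil {
			return 0, tries, err
		}
		status, body, err := do(token)
		if err != nil || !isStaleRBAC(status, body) {
			return status, tries, err // success or an unrelated failure: the caller decides
		}
		if tries >= limit { // bounded: a role assignment that is really missing returns the same error
			return status, tries, fmt.Errorf("still AuthorizationFailed: check the role assignment")
		}
		time.Sleep(wait << uint(tries-1))
	}
}

func main() {
	calls := 0 // constructed exchange: one stale 403, then 201
	do := func(string) (int, []byte, error) {
		if calls++; calls == 1 {
			return 403, []byte(sampleStale), nil
		}
		return 201, nil, nil
	}
	fmt.Println(callWithRefresh(3, time.Millisecond, func() (string, error) { return "constructed-token", nil }, do))
}
```

The retry limit matters because the error text is the same whether the role assignment has not propagated yet or was never granted, so an unbounded loop would hide a real denial.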

@asalkeld
Contributor

I also get this too

ERRO[2020-02-21T12:01:30+10:00] pkg/frontend/frontend.go:268 frontend.reply() authorization.PermissionsClient#ListForResource: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '99d7cb4b-e087-4c94-8ced-3e15b07a870a' with object id '99d7cb4b-e087-4c94-8ced-3e15b07a870a' does not have authorization to perform action 'Microsoft.Authorization/permissions/read' over scope '/subscriptions/225e02bc-43d0-43d1-a01a-17e584a4ef69/resourcegroups/v4-australiasoutheast/providers/Microsoft.Network/virtualNetworks/dev-vnet/providers/Microsoft.Authorization' or the scope is invalid. If access was recently granted, please refresh your credentials."  component=frontend correlation-id= request-id=9bac8f35-12df-4aaa-8f9f-74f70c075979

@jim-minter
Member Author

@jim-minter
Member Author

dynamic validation has moved to backend, closing this.
