403 Error when creating AKS cluster.
CLI version 2.0.62 with AKS-Preview extension (0.3.0)
Describe the bug
I am able to create an AKS cluster from the portal, but cannot create it with the CLI due to a 403 error. The error states that I'm lacking 'resourceGroups/write' permission on the linked scope 'providers/Microsoft.ContainerService/managedClusters/azureuser' in the same resource group.
The "azureuser" is unexpected; this is the Linux node SSH user, not a cluster name.
To Reproduce
- See additional context to setup user permissions
- Deploy cluster with CLI
az aks create --resource-group rgname --name clustername --node-count 3 --kubernetes-version 1.12.7 --node-vm-size Standard_DS2_v2 --generate-ssh-keys
- I receive the following error:
The client '...' with object id '...' has permission to perform action 'Microsoft.ContainerService/managedClusters/write' on scope '/subscriptions/…/resourceGroups/.../providers/Microsoft.ContainerService/managedClusters/clustername'; however, it does not have permission to perform action 'Microsoft.Resources/subscriptions/resourceGroups/write' on the linked scope(s) '/subscriptions/…/resourceGroups/.../providers/Microsoft.ContainerService/managedClusters/azureuser'.
- When I add the extra parameter --admin-username azureuser2, the error is the following:
The client '...' with object id '...' has permission to perform action 'Microsoft.ContainerService/managedClusters/write' on scope '/subscriptions/…/resourceGroups/.../providers/Microsoft.ContainerService/managedClusters/clustername'; however, it does not have permission to perform action 'Microsoft.Resources/subscriptions/resourceGroups/write' on the linked scope(s) '/subscriptions/…/resourceGroups/.../providers/Microsoft.ContainerService/managedClusters/azureuser2'.
Expected behavior
I believe the CLI checks extra permissions that are not needed for deployment (portal deployment works). Probably there is a formatting bug that substitutes --admin-username instead of --name somewhere in the code.
Environment summary
Windows 10, 1803
Additional context
My AAD user has a custom role on the RG where AKS is deployed:
- Contributor permission to all resources in the RG
- No resourceGroups/write permission, to avoid changing RG properties, e.g. tags.
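To make the custom role described in the additional context concrete, and to read the quoted 403 for what it actually says, here is an added Python example. It is not code from the reporter or from the Azure CLI. The role definition, subscription id, resource-group name and user identity in it are constructed placeholders; `is_allowed` implements the Actions-minus-NotActions evaluation Azure RBAC applies to a single role assignment, and `diagnose` extracts the failing action and linked scope from error text following the wording quoted above.

```python
import fnmatch
import re

# Constructed custom role in the shape `az role definition create` accepts:
# Contributor-style rights on everything in the resource group, with
# resource-group writes carved out so RG properties such as tags stay read-only.
# The subscription id and resource-group name are placeholders, not from the page.
CUSTOM_ROLE = {
    "Name": "RG Contributor without resourceGroups/write",
    "IsCustom": True,
    "Description": "Contributor on resources in the RG, but cannot modify the RG itself",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
    ],
    "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rgname"
    ],
}


def _matches(pattern: str, action: str) -> bool:
    # Azure action strings compare case-insensitively; '*' is the only wildcard
    # and it spans '/' separators, which fnmatch's '*' also does.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(role: dict, action: str) -> bool:
    """Effective permission for one role: the action must match an Actions entry
    and must not match any NotActions entry. NotActions subtract from this role's
    Actions; they are not a deny rule and do not block other role assignments."""
    granted = any(_matches(p, action) for p in role["Actions"])
    excluded = any(_matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded


# Regex over the wording of the ARM 403 quoted in the report.
_LINKED_SCOPE_RE = re.compile(
    r"does not have permission to perform action '(?P<action>[^']+)' "
    r"on the linked scope\(s\) '(?P<scope>[^']+)'"
)


def diagnose(error_text: str, role: dict, cluster_name: str) -> dict:
    """Pull the failing action and linked scope out of the 403 text, report whether
    the role would grant that action, and check whether the linked scope names the
    cluster being created (in the report it names the SSH admin user instead)."""
    m = _LINKED_SCOPE_RE.search(error_text)
    if m is None:
        raise ValueError("not an ARM linked-scope authorization error")
    action, scope = m.group("action"), m.group("scope")
    resource = scope.rsplit("/", 1)[-1]
    return {
        "action": action,
        "allowed_by_role": is_allowed(role, action),
        "linked_resource": resource,
        "scope_names_cluster": resource == cluster_name,
    }


# Constructed error text following the message in the report, with placeholder ids.
SAMPLE_403 = (
    "The client 'user@example.com' with object id "
    "'00000000-0000-0000-0000-000000000001' has permission to perform action "
    "'Microsoft.ContainerService/managedClusters/write' on scope "
    "'/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rgname"
    "/providers/Microsoft.ContainerService/managedClusters/clustername'; however, "
    "it does not have permission to perform action "
    "'Microsoft.Resources/subscriptions/resourceGroups/write' on the linked scope(s) "
    "'/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rgname"
    "/providers/Microsoft.ContainerService/managedClusters/azureuser'."
)

if __name__ == "__main__":
    print(diagnose(SAMPLE_403, CUSTOM_ROLE, "clustername"))
```

Saving `CUSTOM_ROLE` to a file and running `az role definition create --role-definition role.json` creates the role. Running the script shows the point of the report: the role does grant `managedClusters/write`, the denied action is the resource-group write the role deliberately carves out, and the linked scope the check was evaluated against ends in `azureuser`, not in the cluster name.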
Please note that the issue was about incorrect CLI parameter handling (--azure-username), not permissions 😃
@mgrabarz Thanks for your reply. We will now proceed with closure of this GitHub issue. If you need any further assistance on this issue in future, please feel free to reopen this thread. We would be happy to help.