Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[BUG] Not able to update tag with tag contributors role

See original GitHub issue

Describe the bug We are trying to update / add tag to resource group using a service principal. While using PowerShell it is working as expected. But when we are trying to update tag via JAVA sdk we are getting following error

com.microsoft.azure.CloudException: Status code 403, {"error":{"code":"AuthorizationFailed","message":"The client '4c6edf90-19ac-6543-9aa5-0bb9994565bb' with object id '4c6edf90-19ac-6543-9aa5-0bb9994565bb' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/20dbcfe8-abcd-4c2d-C002-0927a4b7fffd/resourcegroups/cloud-shell-storage-southcentralus' or the scope is invalid. If access was recently granted, please refresh your credentials."}}: The client '4c6edf90-19ac-6543-9aa5-0bb9994565bb' with object id '4c6edf90-19ac-6543-9aa5-0bb9994565bb' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/20dbcfe8-abcd-4c2d-C002-0927a4b7fffd/resourcegroups/cloud-shell' or the scope is invalid. If access was recently granted, please refresh your credentials.

To Reproduce

Create a service principal
Attach tag contributor
Run java code to update resource group

Code Snippet

Setup (please complete the following information):

OS: RHEL
IDE : Eclipse

The same setup will allow us to update the tag if we are using PowerShell but it won’t work with Azure CLI / Java SDK. could you please help us to fix it?

We cannot grant a service principal with permission ‘Microsoft.Resources/subscriptions/resourcegroups/write’ as it will gain the capability to update any RGs without any restrtction.

Issue Analytics

State:
Created 3 years ago
Comments:29 (15 by maintainers)

Top GitHub Comments

2reactions

xseeseeseecommented, Jul 23, 2020

@johnakash @santhoshigorle We have released new version 1.36.0. Please try if it works to resolve your issue. Thanks.

1reaction

weidongxu-microsoftcommented, Jun 19, 2020

Hi @santhoshigorle

I am not aware there is a distinguish between environment tag and application tag.

If you would like to add new tag to existing tags, you would need to first get the existing tags, then add new one, finally do the update.

            ResourceGroup resourceGroup = azure.resourceGroups().getByName(RG_NAME);
            Map<String, String> tags = new HashMap<>(resourceGroup.tags());
            tags.put(newTagKey, newTagValue);

            azure.genericResources().manager().inner().resourceGroups()
                    .update(RG_NAME, new ResourceGroupPatchable().withTags(tags));