Permissions required when tagging resources


I am trying to update tags (adding tags but also removing/updating) on the resources of type Microsoft.Compute.

I have a service principal that has been granted Tag Contributor, however I receive this when updating the tag using the code below:

The client '<guid>' with object id '<guid>' does not have authorisation to perform action 'Microsoft.Compute/disks/write' over scope <resource id> or the scope is invalid.

Please can you take a look at the code below and either let me know if it can be modified so I can get away with the Tag Contributor permission, or whether I will need to grant my service principal a higher level of privileges?


// azureCredentials (the subscription credentials), resourceGroupName, resourceIdentity,
// resource (the resource returned by an earlier list call) and cts (a CancellationTokenSource)
// are all set earlier and were omitted by the poster.
using (var client = new Microsoft.Azure.Management.Resources.ResourceManagementClient(azureCredentials))
{
  var tags = new Dictionary<string, string>
  {
   { "environment", "test" },
   { "department", "tech" }
  };

  // A full resource PUT: the tags ride along with the whole resource definition,
  // so ARM authorises it as a write on the resource type (Microsoft.Compute/disks/write).
  var genericResourceParameters = new GenericResource
  {
    Location = resource.Location,
    Tags = tags
  };

  try
  {
    var result = await client.Resources.CreateOrUpdateAsync(resourceGroupName, resourceIdentity, genericResourceParameters, cts.Token);
    if (result.StatusCode == System.Net.HttpStatusCode.OK)
    {
      System.Console.WriteLine(string.Format("Tags updated for {0}", resource.Name));
      InsertLogEntry(resource.Id, true, null);
    }
  }
  catch (Hyak.Common.CloudException cloudException)
  {
    // This is where the "does not have authorisation to perform action 'Microsoft.Compute/disks/write'" error surfaces.
    System.Console.WriteLine(string.Format("Caught Hyak.Common.CloudException when updating {0}, {1}", resource.Name, cloudException.Message));
  }
}

Issue analytics

  • State: closed
  • Created 3 years ago
  • Comments: 7 (4 by maintainers)

Top GitHub comments

allenjzhang commented, Mar 18, 2021 (1 reaction)

I am using Microsoft.Azure.Management.ResourceManager SDK. Here is a sample project I tested with.

allenjzhang commented, Mar 17, 2021 (1 reaction)

To leverage the tag contributor permission, the call must explicitly go through the tags operation instead of the general update operation on the resource. Otherwise the underlying call is a PUT on /provider/Microsoft.Provider/xxx instead of /provider/Microsoft.Provider/xxx/provider/Microsoft.Resource/tags/default, which triggers different RBAC.

Here is the sample code. You can look into TagsOperation documentation. Methods without AtScope are creating default tags collections at subscription level vs ones with it applying the tags on each resource (specified with scope). Hope this clears it up.

// Operation "Delete" removes the named tags from the resource;
// "Merge" adds or overwrites them and "Replace" swaps the whole tag set.
var patchTags = new TagsPatchResource(
    "Delete",
    new Tags(new Dictionary<string, string>
    {
        { "environment", "test2" },
        { "department", "tech2" }
    }));

// PATCH on <resource id>/providers/Microsoft.Resources/tags/default, which is
// authorised by Microsoft.Resources/tags/write rather than by a write on the resource type.
var result = await client.Tags.UpdateAtScopeAsync(
    "/subscriptions/XXX/resourceGroups/XX/providers/Microsoft.Network/networkSecurityGroups/XXX",
    patchTags);
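The comment above explains the least-privilege point of this thread: a generic resource PUT is authorised against the resource type's write action, while a PATCH on the `tags/default` sub-resource is authorised against `Microsoft.Resources/tags/write`, which Tag Contributor holds. The following Python is an added example (not code from the issue, the Azure SDK or Microsoft) that models that difference offline: it derives the write action ARM would check for each of the two request paths, evaluates it against a simplified copy of the Tag Contributor action list, and applies the Merge/Replace/Delete semantics of a tags patch locally. The role action list, the wildcard matching and the Delete-by-key behaviour are assumptions (simplifications); verify them against the live role definition before relying on them.

```python
"""Model of why a resource PUT and a tags/default PATCH hit different RBAC actions.

Added example, not from the GitHub issue or the Azure SDK. The role definition
below is a simplified subset written from memory; confirm it with
`az role definition list --name "Tag Contributor"` before relying on it.
"""
import re

# Assumption: representative subset of the built-in Tag Contributor role's Actions.
TAG_CONTRIBUTOR_ACTIONS = [
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
    "Microsoft.Resources/subscriptions/resources/read",
    "Microsoft.Resources/tags/*",
    "Microsoft.Support/*",
]

# Sub-resource path that the Tags operations (UpdateAtScope etc.) append to a scope.
TAGS_SUFFIX = "/providers/Microsoft.Resources/tags/default"

# Constructed sample resource id (placeholder subscription).
DISK_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
           "/resourceGroups/rg-test/providers/Microsoft.Compute/disks/disk-01")


def action_matches(pattern, action):
    """Simplified ARM action matching: case-insensitive, '*' matches any run of characters."""
    parts = [re.escape(p) for p in pattern.lower().split("*")]
    return re.match("^" + ".*".join(parts) + "$", action.lower()) is not None


def is_permitted(allowed_actions, action):
    """True if any allowed action pattern covers the requested action (NotActions ignored)."""
    return any(action_matches(p, action) for p in allowed_actions)


def write_action_for_resource(resource_id):
    """Derive the provider write action for the innermost resource in an id.

    /.../providers/Microsoft.Compute/disks/disk-01  -> Microsoft.Compute/disks/write
    /.../providers/Microsoft.Resources/tags/default -> Microsoft.Resources/tags/write
    Nested types keep every type segment: virtualNetworks/vnet1/subnets/s1 -> virtualNetworks/subnets.
    """
    m = re.match(r".*/providers/([^/]+)/(.+)$", resource_id)  # greedy: last /providers/
    if not m:
        raise ValueError("not a provider resource id: " + resource_id)
    namespace, segments = m.group(1), m.group(2).split("/")
    type_segments = segments[0::2]  # type/name/type/name... -> keep the types
    return namespace + "/" + "/".join(type_segments) + "/write"


def request_for(resource_id, via_tags_endpoint):
    """(method, path, action) for the two ways of changing tags shown in the thread."""
    if via_tags_endpoint:
        path = resource_id + TAGS_SUFFIX
        return "PATCH", path, write_action_for_resource(path)
    return "PUT", resource_id, write_action_for_resource(resource_id)


def apply_tags_patch(existing, operation, tags):
    """Local model of TagsPatchResource: Merge adds/overwrites, Replace swaps the set,
    Delete removes the named keys (assumption: matched by key only)."""
    op = operation.lower()
    if op == "merge":
        return {**existing, **tags}
    if op == "replace":
        return dict(tags)
    if op == "delete":
        return {k: v for k, v in existing.items() if k not in tags}
    raise ValueError("unknown tags patch operation: " + operation)


def main():
    for via_tags in (False, True):
        method, path, action = request_for(DISK_ID, via_tags)
        verdict = "allowed" if is_permitted(TAG_CONTRIBUTOR_ACTIONS, action) else "DENIED"
        print(f"{method} {path}\n  requires {action}: {verdict} for Tag Contributor")
    current = {"environment": "test", "department": "tech", "owner": "platform"}
    print(apply_tags_patch(current, "Delete", {"environment": "test2", "department": "tech2"}))


if __name__ == "__main__":
    main()
```

Running it prints the PUT path with `Microsoft.Compute/disks/write` marked DENIED and the PATCH path with `Microsoft.Resources/tags/write` marked allowed, which is exactly the split the error message in the question reports; the same derivation works for nested resource types such as subnets.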