azure-search-openai-demo

Microsoft.Resources/deployments/operationStatuses/read error

Open floari opened this issue 2 years ago • 6 comments

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [X] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

- Create Azure RG
- Set Owner Permission to RG
- Set CustomRole with "Microsoft.Resources/deployments/write" to Subscription
- deploy

Any log messages given by the failure

ERROR: deployment failed: failing invoking action 'provision', error deploying infrastructure: deploying to subscription:

Deployment Error Details: AuthorizationFailed: The client 'xxxxx' with object id 'xxxx' does not have authorization to perform action 'Microsoft.Resources/deployments/operationStatuses/read' over scope '/subscriptions/xxxxx/providers/Microsoft.Resources/deployments/xxxxx/operationStatuses/08585035367462556292' or the scope is invalid. If access was recently granted, please refresh your credentials.

Expected/desired behavior

Successful deployment

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)

Windows 10

azd version?

run azd version and copy paste here.

1.4.2

Versions

Mention any other details that might be useful


Thanks! We'll be in touch soon.

floari avatar Oct 23 '23 15:10 floari

@vhvb1989 Does a developer also need Microsoft.Resources/deployments/operationStatuses/read for a standard azd deployment? If so, our README needs updating. And/or perhaps there's a script we can provide that'd make exactly the roles required for azd deployment.

pamelafox avatar Oct 23 '23 22:10 pamelafox

Yes, azd needs to list all deployments from the subscription, as it will try to find a previous deployment with the tag with the name of the environment.

@floari, are you running azd up or azd provision (or it doesn't matter)?

Can you provide the logs adding --debug flag when running the command? Thank you

vhvb1989 avatar Oct 23 '23 22:10 vhvb1989

@pamelafox, azd usually relies on the user as a Subscription-contributor/owner/admin.

We don't have a list of individual roles required for each azd-command. I'll create an issue for this and check with the team if we want to create and maintain such list.

vhvb1989 avatar Oct 23 '23 22:10 vhvb1989

azd issue to follow up: https://github.com/Azure/azure-dev/issues/2899

vhvb1989 avatar Oct 23 '23 23:10 vhvb1989

@vhvb1989

```
2023/10/24 07:18:05 main.go:48: Retry: response 403
2023/10/24 07:18:05 main.go:48: Retry: exit due to non-retriable status code
2023/10/24 07:18:05 main.go:48: LongRunningOperation: END PollUntilDone() for *async.Poller[github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources.DeploymentsClientCreateOrUpdateAtSubscriptionScopeResponse]: GET https://management.azure.com/subscriptions/XXXXXXX/providers/Microsoft.Resources/deployments/XXXXX-1698131884/operationStatuses/08585034749990621743

RESPONSE 403: 403 Forbidden
ERROR CODE: AuthorizationFailed

{ "error": { "code": "AuthorizationFailed", "message": "The client 'XXXXX' with object id 'XXXXX' does not have authorization to perform action 'Microsoft.Resources/deployments/operationStatuses/read' over scope '/subscriptions/XXXXX/providers/Microsoft.Resources/deployments/XXXXX-1698131884/operationStatuses/08585034749990621743' or the scope is invalid. If access was recently granted, please refresh your credentials." } }

, total time: 34.346387ms

ERROR: deployment failed: failing invoking action 'provision', error deploying infrastructure: deploying to subscription:

Deployment Error Details: AuthorizationFailed: The client 'XXXXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Resources/deployments/operationStatuses/read' over scope '/subscriptions/XXXXX/providers/Microsoft.Resources/deployments/XXXX-1698131884/operationStatuses/08585034749990621743' or the scope is invalid. If access was recently granted, please refresh your credentials.

TraceID: 336d7520a46447a0fef34d6816adc905
```

floari avatar Oct 24 '23 07:10 floari

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this issue will be closed.

github-actions[bot] avatar Jan 06 '24 01:01 github-actions[bot]

Thanks for reporting this and sorry for the confusion. The AuthorizationFailed on Microsoft.Resources/deployments/.../operationStatuses/read occurs because azd performs subscription-scoped deployments and polling, which require subscription-level permissions. We’ve updated the README to explicitly call out the needed rights (Microsoft.Authorization/roleAssignments/write and Microsoft.Resources/deployments/write). For constrained environments, consider the resource-group–scoped deployment path described in the docs. A more granular permission matrix is being tracked upstream (Azure/azure-dev#2899).

Closing this as addressed in docs. If you still hit this after granting the required permissions or see a gap in the documentation, please comment and we can reopen.

pamelafox avatar Aug 25 '25 23:08 pamelafox
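Added example, not code from this thread or from azd: a small checker that pulls the denied action and scope out of an `AuthorizationFailed` message and evaluates them against a set of role assignments, showing why Owner on the resource group plus a subscription-level custom role holding only `Microsoft.Resources/deployments/write` still fails the poll. The subscription ID, resource group, client IDs and deployment name are constructed placeholders; deny assignments and group membership are not modeled.

```python
import re

# Constructed sample: the error text from this thread with placeholder IDs.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ERROR = (
    "AuthorizationFailed: The client 'aaaa' with object id 'bbbb' does not have "
    "authorization to perform action "
    "'Microsoft.Resources/deployments/operationStatuses/read' over scope "
    f"'{SUB}/providers/Microsoft.Resources/deployments/demo-1698131884"
    "/operationStatuses/08585034749990621743' or the scope is invalid."
)

def parse_denial(message):
    """Return (action, scope) from an ARM AuthorizationFailed message, or None."""
    m = re.search(r"perform action '([^']+)' over scope '([^']+)'", message)
    return (m.group(1), m.group(2)) if m else None

def action_matches(pattern, action):
    """Azure RBAC action patterns: '*' is a wildcard, comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def scope_covers(assigned, target):
    """An assignment applies to its own scope and everything beneath it."""
    a, t = assigned.rstrip("/").lower(), target.lower()
    return t == a or t.startswith(a + "/")

def is_allowed(assignments, action, scope):
    """True if an assignment at a covering scope grants Actions minus NotActions."""
    for a in assignments:
        granted = any(action_matches(p, action) for p in a["actions"])
        excluded = any(action_matches(p, action) for p in a.get("not_actions", []))
        if scope_covers(a["scope"], scope) and granted and not excluded:
            return True
    return False

# The reporter's setup: Owner on the resource group, custom role at the subscription.
REPORTED = [
    {"scope": SUB + "/resourceGroups/demo-rg", "actions": ["*"]},
    {"scope": SUB, "actions": ["Microsoft.Resources/deployments/write"]},
]
# Same setup with the polling permission added to the custom role.
FIXED = REPORTED[:1] + [{"scope": SUB, "actions": [
    "Microsoft.Resources/deployments/write",
    "Microsoft.Resources/deployments/operationStatuses/read"]}]

if __name__ == "__main__":
    print({n: is_allowed(r, *parse_denial(ERROR)) for n, r in (("reported", REPORTED), ("fixed", FIXED))})
```

The `FIXED` set only clears this one denial; the thread notes azd also lists deployments in the subscription, so a passing result here does not mean the custom role is complete.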