application-gateway-kubernetes-ingress
Error: LinkedAuthorizationFailed on configuring AppGW
Describe the bug
We received the following error on deploying our AppGW:
```
...
Event(v1.ObjectReference{Kind:"Pod", Namespace:"kube-system", Name:"ingress-appgw-deployment-bf6785d8d-87lgm", UID:"uiuiduid-4dff-4496-ba43-0ed031542ed7", APIVersion:"v1", ResourceVersion:"102567", FieldPath:""}): type: 'Warning' reason: 'FailedApplyingAppGwConfig' network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' with object id 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' has permission to perform action 'Microsoft.Network/applicationGateways/write' on scope '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev'; however, it does not have permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-agw-keyvault-kubota-dev' or the linked scope(s) are invalid."
...
```
To Reproduce
Follow these steps
Ingress Controller details
- Output of `kubectl describe pod -n kube-system ingress-appgw-deployment-76768b7d9d-bvmz9`:
```
Events:
  Type     Reason                     Age  From                       Message
  ----     ------                     ---- ----                       -------
  Normal   Scheduled                  6s   default-scheduler          Successfully assigned kube-system/ingress-appgw-deployment-76768b7d9d-bvmz9 to aks-agentpool-16208625-vmss000000
  Normal   Pulled                     7s   kubelet                    Container image "mcr.microsoft.com/azure-application-gateway/kubernetes-ingress:1.5.2" already present on machine
  Normal   Created                    7s   kubelet                    Created container ingress-appgw-container
  Normal   Started                    6s   kubelet                    Started container ingress-appgw-container
  Warning  FailedApplyingAppGwConfig  6s   azure/application-gateway  network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client '26d26833-434a-4094-a124-82ddd684dc0c' with object id '26d26833-434a-4094-a124-82ddd684dc0c' has permission to perform action 'Microsoft.Network/applicationGateways/write' on scope '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev'; however, it does not have permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-agw-keyvault-kubota-dev' or the linked scope(s) are invalid."
```
PS: this issue is similar to this. And I ran:
```
az role assignment create --role "Managed Identity Operator" --assignee xxxxxxxx-551c-46a7-b1c2-e4eb093784ce --scope /subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev
```
And the permission was added successfully:
But the error mentioned in the logs is still present.
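The LinkedAuthorizationFailed message above names two actions and checks each against its own scope: the gateway write on the gateway, and the identity assign action on the linked user-assigned identity. Azure RBAC assignments apply to the scope they are created at and to the child scopes beneath it, so an assignment made on one resource reaches that resource only. The following Python is an added example, not code from this issue or from the AGIC project: it parses a LinkedAuthorizationFailed message, pulls out the missing action and the linked scope(s), and reports which of those scopes an existing role assignment does not reach. The sample message and the assignment scope are copied from the report above with its masked ids; the function names are mine.

```python
import re

# Constructed sample: the LinkedAuthorizationFailed message from the report above,
# with the same masked subscription / principal ids the reporter used.
SAMPLE_ERROR = (
    'Code="LinkedAuthorizationFailed" Message="The client \'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce\' '
    "with object id 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' has permission to perform action "
    "'Microsoft.Network/applicationGateways/write' on scope "
    "'/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev"
    "/providers/Microsoft.Network/applicationGateways/agw-kubota-dev'; however, it does not have "
    "permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' "
    "on the linked scope(s) '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev"
    "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-agw-keyvault-kubota-dev' "
    'or the linked scope(s) are invalid."'
)

# Scope the reporter used for the "Managed Identity Operator" assignment (the gateway resource itself).
ASSIGNED_SCOPE = (
    "/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev"
    "/providers/Microsoft.Network/applicationGateways/agw-kubota-dev"
)

# The clause ARM appends for the linked-scope check; several scopes are comma-separated inside the quotes.
_LINKED_RE = re.compile(
    r"does not have permission to perform action '(?P<action>[^']+)' "
    r"on the linked scope\(s\) '(?P<scopes>[^']+)'"
)


def parse_linked_auth_failure(message):
    """Return (missing_action, [linked_scope, ...]) from a LinkedAuthorizationFailed message."""
    m = _LINKED_RE.search(message)
    if m is None:
        raise ValueError("message has no LinkedAuthorizationFailed linked-scope clause")
    scopes = [s.strip() for s in m.group("scopes").split(",") if s.strip()]
    return m.group("action"), scopes


def _segments(scope):
    # ARM resource ids are case-insensitive ('resourceGroups' vs 'resourcegroups' in the
    # message above), so compare normalised path segments.
    return [seg for seg in scope.lower().split("/") if seg]


def scope_covers(assignment_scope, target_scope):
    """True if an RBAC assignment made at assignment_scope applies to target_scope.

    Assignments inherit downward only: subscription -> resource group -> resource.
    A resource-level scope covers that single resource and nothing beside it.
    """
    a, t = _segments(assignment_scope), _segments(target_scope)
    return len(a) <= len(t) and t[: len(a)] == a


def uncovered_linked_scopes(message, assignment_scopes):
    """Linked scopes named in the error that none of the given assignment scopes reaches.

    An empty list means every linked scope sits inside some assignment; otherwise the
    result is exactly where an assignment carrying the missing action is still absent.
    """
    _, linked = parse_linked_auth_failure(message)
    return [s for s in linked if not any(scope_covers(a, s) for a in assignment_scopes)]


if __name__ == "__main__":
    action, linked = parse_linked_auth_failure(SAMPLE_ERROR)
    print("missing action:", action)
    for scope in linked:
        print("linked scope:", scope)
    for scope in uncovered_linked_scopes(SAMPLE_ERROR, [ASSIGNED_SCOPE]):
        print("not reached by the existing assignment:", scope)
```

Run against the sample, the gateway-scoped assignment does not reach the identity's resource id, while the same assignment at the resource group scope (`/subscriptions/.../resourceGroups/rg-kubota-dev`) or at the identity itself would. The check says nothing about why the controller performs the assign action; it only shows whether a given assignment applies to the scope the error names, which is the first thing to confirm before reading the failure as a controller bug.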
@MohamedBenighil This is a bug on AGIC. We will try to address this soon.