I've been trying to connect Azure monitor to my Grafana dashboard, which is deployed in a Kubernetes cluster. For this I created an app registration in Azure and assigned the 'Reader' role to it. Afterwards I filled in my Azure credentials at the Azure Monitor page in Grafana. I was able to retrieve the right subscription and receive a positive response.
But after this, when I want to open a dashboard, I receive the following error message:
Error updating options: The client '++++' with object id '++++' does
not have authorization to perform action
'microsoft.insights/metricNamespaces/read' over scope
'/subscriptions/++++/resourceGroups/++++;/providers/microsoft.insights'
or the scope is invalid. If access was recently granted, please
refresh your credentials
I'm really stuck now, because I thought that the Reader role would fix this. Anyone experienced this before?
I have tried to assign multiple roles and also created new ones and assigned them to the Grafana app registration. I expect the dashboard to be able to read the data from Azure. There is an connection between Azure and Grafana now, but it is not able to pull the data.
My bad, I figured it out. I needed to assign the Reader role on the subscription level and not only on resource group level. Hopefully this will help someone else in the future.
Related
I am just new to Azure Cloud and Devops, so forgive me if I may forget some critical info here.
So during creation of tasks for the release and selecting subscriptions, I get an error when trying to authorize the subscription (which I suspect is because of insufficient permissions associated to my account), so I go to advanced options to select the managed identity authentication.
After which no error shows now. So I set all remaining items and assign Deploy Azure App Service task. However during the running of the agent I get an error during Deploy Azure App Service step.
Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'sample-vue'. Error: Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request
I have already set my azure app service to have a system assigned managed identity, but still this error occurs. I can't find any answer, online, with regards to the error above so hoping that someone could help explain to me the problem and how to possibly fix it. My hunch now is that I may have some insufficient permissions, but I don't know what it may be.
Please try the following items:
Remove and re-add the service connection in DevOps.
Check the rights of the account on Azure subscription. Please verify if the account has at least contributor access on Azure subscriptions. Check https://learn.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator
We currently have one DevOps repository, with a functional CI/CD pipeline. We have another website hosted on a different instance (and different region) on Azure. We are trying to use our existing repo to deploy to the other Azure instance, but it is giving is the following message:
Failed to query service connection API: 'https://management.azure.com/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d?api-version=2016-06-01'. Status Code: 'Forbidden', Response from server: '{"error":{"code":"AuthorizationFailed","message":"The client '2317de35-b2c2-4e32-a922-e0d076a429f5' with object id '2317de35-b2c2-4e32-a922-e0d076a429f5' does not have authorization to perform action 'Microsoft.Resources/subscriptions/read' over scope '/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d'."}}'
I have tried all of the recommended trouble-shooting, making sure that the user is in a Global Administrator role and what-not, but still not luck. The secondary Azure subscription that we are hoping to push our builds to is a trial account. I'm not sure if it being a trial account matters.
I came across the same error. It turns out that, as the error message states, the service principal didn't have Read permission over the subscription. So the solution was to go to Azure Portal, select the subscription, select IAM and assign the role Reader to my service principal. Full explanation on here:
https://clydedz.medium.com/connecting-azure-devops-with-azure-46a908e3048f
I have the same problem. There are one repository and two instances of the application on the Azure portal. For the first instance, the subscription Pay-As-You-Go is used, and there were no problems for it when creating the service connection and CI/CD settings. For the second instance, a free subscription is used and when trying to create a new service connection (Azure Resource Manager) I get the same error.
I tried to do it with the permissions of Owner and Contributor
UPD: I was helped by the re-creation of the application in the azure portal
https://learn.microsoft.com/en-ca/azure/active-directory/develop/howto-create-service-principal-portal
Another option would be to save without verification if the Service Principle will not require permissions at the Subscription level. Like for example providing access to a Keyvault.
Check if the service connection for the second instance is correctly added in project settings:
I am running Kubeflow pipeline(docker approach) and cluster uses the endpoint to navigate to the dashboard. The Clusters is created followed by the instructions mentioned in this link Deploy Kubeflow. Everything is successfully created and the cluster generated the endpoints and its working perfectly.
Endpoint link would be something like this https://appname.endpoints.projectname.cloud.goog.
Every workload of the pipeline is working fine except the last one. In the last workload, I am trying to submit a job to the cloud-ml engine. But it logs shows that the application has no access to the project. Here is the full image of the log.
ERROR:
(gcloud.ml-engine.versions.create) PERMISSION_DENIED: Request had
insufficient authentication scopes.
ERROR:
(gcloud.ml-engine.jobs.submit.prediction) User
[clustername#project_name.iam.gserviceaccount.com]
does not have permission to access project [project_name]
(or it may not exist): Request had insufficient authentication scopes.
From the logs, it's clear that this service account doesn't have access to the project itself. However, I tried to give access for Cloud ML Service to this service account but still, it's throwing the same error.
Any other ways to give Cloud ML service credentials to this application.
Check two things:
1) GCP IAM: if clustername-user#projectname.iam.gserviceaccount.com has ML Engine Admin permission.
2) Your pipeline DSL: if the cloud-ml engine step calls apply(gcp.use_gcp_secret('user-gcp-sa')), e.g. https://github.com/kubeflow/pipelines/blob/ea07b33b8e7173a05138d9dbbd7e1ce20c959db3/samples/tfx/taxi-cab-classification-pipeline.py#L67
I have been trying to create a Kubernetes Cluster with my Bluemix account owner but always getting the following error upon creation:
IBM Cloud Infrastructure exception: Your account is currently prohibited from order 'Computing Instances'.
Any idea what the issue is? There seems to be no direct way to getting support from Public Bluemix to address this issue. We opened a ticket but it has not been addressed.
You should contact IBM Bluemix Support for this kind of question. Before you login to the Bluemix Console, there is a Support link.
From the look of the exception. It seen like you are trying to create a "second" kubernetes cluster. If this is what you are trying to do, you will need a SoftLayer account; or your ID in your SoftLayer account is not setup properly.
You need admin rights to create clusters in Bluemix. Just makes sure that you get the admin status and it should work for you. The normal permissions granted to you are that of an user. Hope this helps
I have a Bluemix account with organization defined, but when I login to IoTF via the webpage https://internetofthings.ibmcloud.com/ my organization is not shown. I see a message that says "You are not a member of any organization".
I am unable to add any devices as a result. What could be causing this issue?
The likely explanation is that you were a temporary member of your IoTF organization and that has subsequently expired.
When you create an IoTF service using Bluemix, an IoTF organization is created and your IBM ID is added as a temporary member. This temporary membership expires after 24 hours and the effect is similar to what you are describing.
If you were to access IoTF using the service tile in Bluemix (Launch Dashboard) then you would be logged straight in to your organization. At this point you will be able to add members (including yourself) to the IoTF organization and then be able to log in directly at https://internetofthings.ibmcloud.com/
The reason for this is that if a Bluemix user created an IoTF service, there is not necessarily the affirmation that that user will forever be authorized to access it. By making that user a temporary member, it is able to log in directly for 24 hours only until the ID is added as a permanent member, or that user always accesses the IoTF dashboard using the Bluemix service tile. The intention is that without positive action the user creating the service will still need access in Bluemix, in order to access IoTF.