Resource Manager Template with Azure Registry Credential using login credential

Ramnath Muralidhar 1 Reputation point
2020-09-17T10:20:40.703+00:00

I have written a JSON script, MyContainer.json, using a Resource Manager Template to deploy a container.
The Registry credentials specified in the script are given below.

"imageRegistryCredentials": [
  {
    "server": "myregistry.azurecr.io",
    "username": "myaccount@mytenant.onmicrosoft.com",
    "password": "XYZ"
  }
]

We wrote this JSON script as specified in the link https://video2.skills-academy.com/en-us/azure/container-instances/container-instances-volume-azure-files

We have also disabled the access key for the Azure registry admin user, as shown in the image RegDisAccKey.png.


We deploy this JSON file to create the container with the given below command.
az deployment group create --resource-group MyResource --template-file MyContainer.json --debug

I am getting the following error, AuthorizationFailed.

cli.azure.cli.core.util : Azure Error: AuthorizationFailed
Message: The client 'myaccount@mytenant.onmicrosoft.com' with object id 'b13d6d27-0359-4ba3-88b1-5c1c5a4ff6bb' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/ABCD-EFGH-IJKL/resourcegroups/MyResource/providers/Microsoft.Resources/deployments/MyContainer' or the scope is invalid. If access was recently granted, please refresh your credentials.

I have also attached the complete debug error of the failure in azdeperr.txt


How do I create a container using RMT without specifying the Access Key of the Admin User and just using my Azure login credentials? Is there any special authorization I need in order to successfully run and deploy the container?


2 answers

  1. prmanhas-MSFT 17,901 Reputation points Microsoft Employee
    2020-09-18T18:21:06.26+00:00

    @Ramnath Muralidhar Firstly, apologies for the delay in responding on this and any inconvenience this issue may have caused.

    I tried to do the repro in my lab with respect to the article you mentioned.

    Initially I tried with the most basic role i.e., Reader role over the Subscription but I was running into the same error as yours.

    I then tried with Contributor role over the subscription and I was able to go through the tutorial without any issue.

    Contributor grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC. You can read more about it here.

    Moreover any role that supports the 'Microsoft.Resources/deployments/validate/action' action should work. Here is a list of builtin roles and supported actions.

    You need to add the user as Contributor, or as a role having the required permission, over the Subscription, Resource Group or Resource, as below:

    Go to Azure Portal >>Subscriptions>>IAM >> Add Role Assignment:


    You can read more about Role Assignments here.

    Hope it helps!!!

    Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics

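To make the reasoning in this answer concrete (Reader fails, Contributor works, and Contributor still cannot assign roles), here is an added Python example that is not part of the original answer or of any Azure tooling. It evaluates a role definition's Actions and NotActions wildcard patterns against the action named in the error, which is how you would pick the narrowest built-in or custom role rather than defaulting to Contributor. The Reader and Contributor definitions embedded here are constructed, abridged copies of the built-in roles, and the "Deployment Validator" custom role is hypothetical; pull the authoritative definitions with `az role definition list --name <role>` before relying on them.

```python
"""Check whether an Azure RBAC role definition permits a control-plane action.

Added example, not from the original post. Azure evaluates a role's Actions
as wildcard patterns ('*' matches any characters, including '/'), then
removes anything matched by NotActions. Matching is case-insensitive.
The role definitions below are constructed, abridged copies of the built-in
Reader and Contributor roles plus a hypothetical custom role.
"""
from fnmatch import fnmatchcase

# The action the AuthorizationFailed error in the question complains about.
DEPLOY_VALIDATE = "Microsoft.Resources/deployments/validate/action"
# The kind of action Contributor is explicitly denied (role assignment).
ROLE_ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"

# Constructed sample role definitions. The shape follows the 'permissions'
# block of `az role definition list` output; the lists are abridged.
ROLES = {
    "Reader": {
        "actions": ["*/read"],
        "notActions": [],
    },
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    # Hypothetical least-privilege custom role for template deployments only.
    "Deployment Validator (custom, hypothetical)": {
        "actions": [
            "Microsoft.Resources/deployments/validate/action",
            "Microsoft.Resources/deployments/write",
            "Microsoft.Resources/deployments/read",
        ],
        "notActions": [],
    },
}


def _matches(pattern: str, action: str) -> bool:
    """Case-insensitive wildcard match; fnmatch's '*' spans '/' like Azure's."""
    return fnmatchcase(action.lower(), pattern.lower())


def role_allows(role: dict, action: str) -> bool:
    """True if `action` matches some Actions pattern and no NotActions pattern."""
    permitted = any(_matches(p, action) for p in role["actions"])
    denied = any(_matches(p, action) for p in role["notActions"])
    return permitted and not denied


def roles_allowing(roles: dict, action: str) -> list:
    """Names of the roles in `roles` that permit `action`, in definition order."""
    return [name for name, role in roles.items() if role_allows(role, action)]


if __name__ == "__main__":
    for action in (DEPLOY_VALIDATE, ROLE_ASSIGN_WRITE):
        print(f"{action}: {roles_allowing(ROLES, action)}")
```

The CLI equivalent of the portal steps above, once you have chosen the role, is `az role assignment create --assignee <user-upn> --role Contributor --scope /subscriptions/<sub-id>/resourceGroups/<rg>`; scoping the assignment to the resource group rather than the subscription keeps the blast radius of that account small.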

  2. Ramnath Muralidhar 1 Reputation point
    2020-09-23T12:30:19.023+00:00

    We tried as you suggested, and we also tried giving the user Global Admin rights. We are now getting a different error. We have attached the complete debug log (azdeplerr1.txt) and the telemetry log (telemetry.txt).

    As mentioned earlier, when we try with the access key for the Azure registry admin user, it works perfectly all right. But when we try with our Azure User Account and its credential, we get the above.

    We are specifying the credential in the imageRegistryCredentials object in the JSON file. Is there any other object to specify the Azure User AD account so that this will work for the normal AD user account?
