azurecontainers

Unable to provision container group in a particular subnet in Azure


I have 2 container images I would like to deploy (https://hub.docker.com/r/neotys/neoload-controller and https://hub.docker.com/r/neotys/neoload-loadgenerator). I would like to deploy them into an existing subnet so that they can access resources on our internal network. However, when I attempt to, I get a resource error:

{"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Resources/deployments/$CONTAINER_GROUP","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"InaccessibleNetworkResource","message":"The client '$CLIENT_ID' with object id '$CLIENT_ID' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/providers/read' over scope '/subscriptions/$SUBSCRIPTION_ID/resourcegroups/$RESOURCE_GROUP/providers/Microsoft.Network' or the scope is invalid. If access was recently granted, please refresh your credentials."}]}}

I created the subnet within the desired resource group, so I should have permissions. I can see it in Azure portal.


Solution

  • The error message indicates that the Azure Resource Manager (ARM) client does not have permission to read the resource group. This can happen for a few reasons:

    • The client does not have the necessary permissions on the resource group.
    • The client's credentials have expired.
    • There is a problem with the Azure Active Directory (Azure AD) service.

    Verify below points suggested by MS for DeploymentFailed error message and also verify your details with az account show and upgrade to latest if necessary using az upgrade enter image description here

    check the permissions for the user or role that the client is using to access the resource group. and finally, if required, create a fresh service principal and grant it the necessary permissions on the resource group

    az ad sp create-for-rbac --name neotys-service-principal 
    

    and get the application ID and client secret for the service principal output: enter image description here

    Assign this service principal the Reader role on the resource group using

    az role assignment create --assignee neotys-service-principal --role Reader --scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP
    

    and deploy the container groups using

    az container group create --name neotys-controller --image neotys/neoload-controller --resource-group $RESOURCE_GROUP --subnet $SUBNET --service-principal-id $APPLICATION_ID --client-secret $CLIENT_SECRET az container group create --name neotys-loadgenerator --image neotys/neoload-loadgenerator --resource-group $RESOURCE_GROUP --subnet $SUBNET --service-principal-id $APPLICATION_ID --client-secret $CLIENT_SECRET
    

    Once the container groups have been deployed, you should be able to access them from your internal network.

    Reference documents: MS Doc Deployment failed error checks