Unable to provision container group in a particular subnet in Azure
I have 2 container images I would like to deploy (https://hub.docker.com/r/neotys/neoload-controller and https://hub.docker.com/r/neotys/neoload-loadgenerator). I would like to deploy them into an existing subnet so that they can access resources on our internal network. However, when I attempt to, I get a resource error:
{"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Resources/deployments/$CONTAINER_GROUP","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"InaccessibleNetworkResource","message":"The client '$CLIENT_ID' with object id '$CLIENT_ID' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/providers/read' over scope '/subscriptions/$SUBSCRIPTION_ID/resourcegroups/$RESOURCE_GROUP/providers/Microsoft.Network' or the scope is invalid. If access was recently granted, please refresh your credentials."}]}}
I created the subnet within the desired resource group, so I should have permissions. I can see it in Azure portal.
The error message indicates that the Azure Resource Manager (ARM) client does not have permission to read the resource group. This can happen for a few reasons:
- The client does not have the necessary permissions on the resource group.
- The client's credentials have expired.
- There is a problem with the Azure Active Directory (Azure AD) service.
Verify below points suggested by MS for DeploymentFailed error message and also verify your details
with az account show and upgrade to latest if necessary using az upgrade
check the permissions for the user or role that the client is using to access the resource group. and finally, if required, create a fresh service principal and grant it the necessary permissions on the resource group
az ad sp create-for-rbac --name neotys-service-principal
and get the application ID and client secret for the service principal
output:
Assign this service principal the Reader role on the resource group using
az role assignment create --assignee neotys-service-principal --role Reader --scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP
and deploy the container groups using
az container group create --name neotys-controller --image neotys/neoload-controller --resource-group $RESOURCE_GROUP --subnet $SUBNET --service-principal-id $APPLICATION_ID --client-secret $CLIENT_SECRET az container group create --name neotys-loadgenerator --image neotys/neoload-loadgenerator --resource-group $RESOURCE_GROUP --subnet $SUBNET --service-principal-id $APPLICATION_ID --client-secret $CLIENT_SECRET
Once the container groups have been deployed, you should be able to access them from your internal network.
Reference documents: MS Doc Deployment failed error checks
- Azure Function Blob Storage Monitor
- I want to fetch Azure SQL table data from ADF to use as input in copy activity
- How to access code of my Azure website?
- Run JMeter script in AzureDevOps - Bearer Access Token generation
- Azure Function - HTTP trigger request length exceeded
- How and where to define an environment variable on Azure
- Can not read blobs through BlobContainerClient for blobs with empty folder prefixes
- Stream Analytics doesn't output the data to SQL but does to a blob storage
- Cannot log in to Visual Studio Account in VS 2022
- SchemaColumnConvertNotSupportedException: column: [Col_Name], physicalType: INT64, logicalType: string
- create Azure Keyvault secret without exposing values
- Can you create 'User Flows' in Azure with a pay-as-you-go account
- Deploy ARM template at management group scope with Azure DevOps Pipeline
- How to make an azure function that deploys my bicep script from Azure Storage Account
- Basic SQL commands in Terraform
- Can we Deploy Web Application in Azure OpenAI of Production Level
- Get-MgGroupMember by display name instead of userID
- Azure DevOps REST API parent relation link to existing work item error
- How to get list of users from CSV file whose LastSignInDate column has a date that is before 90 days from current date or is empty?
- Terraform and Azure: Problems with association between NetworkSecurityGroups and Subnets
- connecting Azure DevOps organisation with Azure creates resource groups in Azure
- How to find a driveItem ID given only a document URL?
- Is it possible to scale Azure app services programmatically
- How Does Setting AZCOPY_JOB_PLAN_LOCATION and AZCOPY_LOG_LOCATION Improve Disk Usage?
- AADB2C90068: The provided application with ID is not valid against this service. Please use an application created via the B2C portal and try again
- Limit users allowed with Entra and Accounts in any organizational account and personal Microsoft accounts
- Can't create support request in Asure, despite correct subscription
- Deploy Container App from Bitbucket to Azure
- How to upload large files to Onedrive using python
- How to query Azure DevOps Work Items using client_id and client_secret