I have 2 container images I would like to deploy (https://hub.docker.com/r/neotys/neoload-controller and https://hub.docker.com/r/neotys/neoload-loadgenerator). I would like to deploy them into an existing subnet so that they can access resources on our internal network. However, when I attempt to, I get a resource error:
{"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Resources/deployments/$CONTAINER_GROUP","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"InaccessibleNetworkResource","message":"The client '$CLIENT_ID' with object id '$CLIENT_ID' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/providers/read' over scope '/subscriptions/$SUBSCRIPTION_ID/resourcegroups/$RESOURCE_GROUP/providers/Microsoft.Network' or the scope is invalid. If access was recently granted, please refresh your credentials."}]}}
I created the subnet within the desired resource group, so I should have permissions. I can see it in Azure portal.
The error message indicates that the Azure Resource Manager (ARM) client does not have permission to read the resource group. This can happen for a few reasons:
Verify the points below suggested by MS for the DeploymentFailed error message, and also verify your details with az account show and upgrade to the latest if necessary using az upgrade.
Check the permissions for the user or role that the client is using to access the resource group. Finally, if required, create a fresh service principal and grant it the necessary permissions on the resource group:
az ad sp create-for-rbac --name neotys-service-principal
and get the application ID and client secret for the service principal
output:
Assign this service principal the Reader role on the resource group using
az role assignment create --assignee neotys-service-principal --role Reader --scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP
and deploy the container groups using
az container group create --name neotys-controller --image neotys/neoload-controller --resource-group $RESOURCE_GROUP --subnet $SUBNET --service-principal-id $APPLICATION_ID --client-secret $CLIENT_SECRET
az container group create --name neotys-loadgenerator --image neotys/neoload-loadgenerator --resource-group $RESOURCE_GROUP --subnet $SUBNET --service-principal-id $APPLICATION_ID --client-secret $CLIENT_SECRET
Once the container groups have been deployed, you should be able to access them from your internal network.
Reference documents: MS Doc Deployment failed error checks
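As an added example (not part of the original answer, and not Microsoft's code), the sketch below parses the error from the question and checks whether a given role assignment would cover the denied request, using two Azure RBAC rules: an assignment applies to its scope and every child scope, and effective permissions are Actions minus NotActions. The function names are hypothetical, the sample error is constructed from the question with its $PLACEHOLDERS kept, and deny assignments and multiple assignments are not modelled.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed sample: the error from the question, with its $PLACEHOLDERS kept.
ERROR_JSON = r'''{"status":"Failed","error":{"code":"DeploymentFailed","details":[
 {"code":"InaccessibleNetworkResource","message":"The client '$CLIENT_ID' with object id '$CLIENT_ID' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/providers/read' over scope '/subscriptions/$SUBSCRIPTION_ID/resourcegroups/$RESOURCE_GROUP/providers/Microsoft.Network' or the scope is invalid."}]}}'''

DENIED = re.compile(
    r"client '(?P<client>[^']+)'.*?perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'"
)

def denied_requests(error_json):
    """Return (client, action, scope) for each authorization failure in details."""
    details = json.loads(error_json).get("error", {}).get("details", [])
    found = []
    for d in details:
        m = DENIED.search(d.get("message", ""))
        if m:
            found.append((m["client"], m["action"], m["scope"]))
    return found

def scope_covers(assigned, requested):
    """An assignment applies at its scope and every child scope (IDs are case-insensitive)."""
    a = assigned.rstrip("/").lower()
    r = requested.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def assignment_allows(actions, not_actions, assigned_scope, action, scope):
    """Evaluate one role assignment: scope inheritance, then Actions minus NotActions."""
    if not scope_covers(assigned_scope, scope):
        return False
    act = action.lower()
    allowed = any(fnmatchcase(act, p.lower()) for p in actions)
    excluded = any(fnmatchcase(act, p.lower()) for p in not_actions)
    return allowed and not excluded

# Built-in Reader grants "*/read"; the answer assigns it at resource-group scope.
READER = (["*/read"], [])
RG_SCOPE = "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"

if __name__ == "__main__":
    for client, action, scope in denied_requests(ERROR_JSON):
        ok = assignment_allows(*READER, RG_SCOPE, action, scope)
        print(f"{client}: {action} at {scope} -> covered by Reader on RG: {ok}")
```

A True result only helps if the assignment is made to the client named in the error, so compare that ID with the principal the role was actually assigned to.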