Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 1364043

Summary: Azure provision fails on AuthorizationFailed
Product: Red Hat CloudForms Management Engine Reporter: Colin Arnott <carnott>
Component: DocumentationAssignee: Red Hat CloudForms Documentation <cloudforms-docs>
Status: CLOSED WONTFIX QA Contact: Red Hat CloudForms Documentation <cloudforms-docs>
Severity: medium Docs Contact:
Priority: high    
Version: 5.6.0CC: adahms, benglish, dberger, gblomqui, hhudgeon, jhardy, obarenbo, simaishi
Target Milestone: GA   
Target Release: 5.7.0   
Hardware: x86_64   
OS: Linux   
Whiteboard: azure:provision
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-23 23:29:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Colin Arnott 2016-08-04 11:25:59 UTC
Description of problem:
I have added new Azure Cloud Provider to Cloudforms and VM provisioning finishes with AuthorizationFailed. The account that I use for this provider has Azure rights set this way:

The account has rights only to 2 existing resource groups. 
dev-infra  - Admin rights
networks   -  subnet-join rights

I have tested the template and account credentials via powershell and Visual Studio and was able to provision a VM.
I had a problem with Authorization in Visual Studio as well because the powershell script in Visual Studio includes this line:

# Create or update the resource group using the specified template file and template parameters file
New-AzureRmResourceGroup -Name $ResourceGroupName -Location $ResourceGroupLocation -Verbose -Force -ErrorAction Stop 

My security team will not let me assign different rights for cfme account in production Azure subscription.

Version-Release number of selected component (if applicable):

How reproducible:
requires this Azure account

Steps to Reproduce:
1. configure Azure
2. add Azure as a provider
3. attempt a provision

Actual results:
VM fails: AuthorizationFailed (see pending logs)

Expected results:
provisioned VM

Additional info:
I believe this to be a permissions issue, however as security has my hands tied, is there anything that can be done, as this can be made to work in powershell?

(loglines pending)

Comment 3 Daniel Berger 2016-08-08 15:49:41 UTC
You mention "dev-infra". Is "Dev-Infr-Puppet-RG" the full name, and the correct resource group?

Comment 4 Daniel Berger 2016-08-08 16:54:11 UTC
Can you please provide any additional details, such as:

- The Powershell command that worked.
- The name and resource group of the image being cloned.
- The name and resource group of selected networking resources that you attached.

Comment 10 Jeff Teehan 2016-08-18 21:57:55 UTC
You have to add the AD account as contributor as you pointed out.  That's the highest setting without getting into billing and credit card stuff and 'User' just doesn't seem to work.  I still strongly encourage users to add the AD account to the subscription, per my video, so that new Resource Groups don't fail.  But, I totally (CA thing) get it if that's not possible.

Dan, this should fail when the Resource Group doesn't add the AD App as a contributor.

Comment 11 Daniel Berger 2016-08-30 14:28:51 UTC
Issue was solved by updating permissions within the Azure portal.

Comment 12 Satoe Imaishi 2016-08-30 21:37:16 UTC
There was no code change needed for this issue.  I'm changing to Documentation, so someone can review our guide and make sure the steps/requirements are properly documented.  Please close/not bug if there is nothing to be done there.

Comment 15 Andrew Dahms 2018-10-23 23:29:26 UTC
Thank you for raising this bug.

We have evaluated this request, and while we recognize that it is a valid request for the documentation, we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. 

If you have any concerns about this, please feel free to contact Andrew Dahms.