|Summary:||Azure provision fails on AuthorizationFailed|
|Product:||Red Hat CloudForms Management Engine||Reporter:||Colin Arnott <carnott>|
|Component:||Documentation||Assignee:||Red Hat CloudForms Documentation <cloudforms-docs>|
|Status:||CLOSED WONTFIX||QA Contact:||Red Hat CloudForms Documentation <cloudforms-docs>|
|Version:||5.6.0||CC:||adahms, benglish, dberger, gblomqui, hhudgeon, jhardy, obarenbo, simaishi|
|Fixed In Version:||Doc Type:||If docs needed, set a value|
|Doc Text:||Story Points:||---|
|Last Closed:||2018-10-23 23:29:26 UTC||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description Colin Arnott 2016-08-04 11:25:59 UTC
Description of problem: I have added new Azure Cloud Provider to Cloudforms and VM provisioning finishes with AuthorizationFailed. The account that I use for this provider has Azure rights set this way: The account has rights only to 2 existing resource groups. dev-infra - Admin rights networks - subnet-join rights I have tested the template and account credentials via powershell and Visual Studio and was able to provision a VM. I had a problem with Authorization in Visual Studio as well because the powershell script in Visual Studio includes this line: # Create or update the resource group using the specified template file and template parameters file New-AzureRmResourceGroup -Name $ResourceGroupName -Location $ResourceGroupLocation -Verbose -Force -ErrorAction Stop My security team will not let me assign different rights for cfme account in production Azure subscription. Version-Release number of selected component (if applicable): cfme-126.96.36.199 How reproducible: requires this Azure account Steps to Reproduce: 1. configure Azure 2. add Azure as a provider 3. attempt a provision Actual results: VM fails: AuthorizationFailed (see pending logs) Expected results: provisioned VM Additional info: I believe this to be a permissions issue, however as security has my hands tied, is there anything that can be done, as this can be made to work in powershell? (loglines pending)
Comment 3 Daniel Berger 2016-08-08 15:49:41 UTC
You mention "dev-infra". Is "Dev-Infr-Puppet-RG" the full name, and the correct resource group?
Comment 4 Daniel Berger 2016-08-08 16:54:11 UTC
Can you please provide any additional details, such as: - The Powershell command that worked. - The name and resource group of the image being cloned. - The name and resource group of selected networking resources that you attached.
Comment 10 Jeff Teehan 2016-08-18 21:57:55 UTC
You have to add the AD account as contributor as you pointed out. That's the highest setting without getting into billing and credit card stuff and 'User' just doesn't seem to work. I still strongly encourage users to add the AD account to the subscription, per my video, so that new Resource Groups don't fail. But, I totally (CA thing) get it if that's not possible. Dan, this should fail when the Resource Group doesn't add the AD App as a contributor.
Comment 11 Daniel Berger 2016-08-30 14:28:51 UTC
Issue was solved by updating permissions within the Azure portal.
Comment 12 Satoe Imaishi 2016-08-30 21:37:16 UTC
There was no code change needed for this issue. I'm changing to Documentation, so someone can review our guide and make sure the steps/requirements are properly documented. Please close/not bug if there is nothing to be done there.
Comment 15 Andrew Dahms 2018-10-23 23:29:26 UTC
Thank you for raising this bug. We have evaluated this request, and while we recognize that it is a valid request for the documentation, we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Andrew Dahms.