Azure/ARO-RP

Required permissions to create an ARO cluster

blanquicet opened this issue · 1 comments

Hello,

I would like to test our gadgets on an ARO environment but I am getting a permissions error when creating the cluster.

I followed this tutorial and all the preliminary commands finished correctly, but the actual creation of the cluster fails as follows:

$ az aro create --resource-group $RESOURCEGROUP --name $CLUSTER --vnet $VNET --master-subnet $MASTSUB --worker-subnet $WORKSUB --pull-secret @pull-secret
The client 'josebl@microsoft.com' with object id '<my-user-object-id>' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/<my-subscription-id>/resourceGroups/arorg/providers/Microsoft.Network/virtualNetworks/arovnet/providers/Microsoft.Authorization/roleAssignments/ae6bcac9-786a-4b7d-b979-8b409a80be41' or the scope is invalid. If access was recently granted, please refresh your credentials.

I checked my user on the portal and I noticed I have the Contributor role on the subscription scope. However, that role does not have permissions for the Microsoft.Authorization/*/Write actions, which would explain the error message.

Based on the documentation, I think I am missing either the User Access Administrator role or, alternatively, the Owner role, both directly on the subscription or resource group scope. Is that correct?

Thanks in advance for your support!

I resolved my issue when I got the User Access Administrator role.

Thanks!
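The role check discussed in this thread, as an added example that is not part of the original issue or the ARO-RP project: it evaluates Azure RBAC role definitions (Actions minus NotActions, unioned across assigned roles) against the action named in the error message. The role definitions are constructed sample data abridged from the built-in roles, and the sketch assumes all roles are assigned at a scope covering the virtual network and ignores deny assignments.

```python
import re

# Built-in role definitions, abridged (constructed sample data): Contributor's
# NotActions list is longer in Azure; only the Authorization entries are kept.
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "notActions": [],
    },
    "Owner": {"actions": ["*"], "notActions": []},
}

# Action named in the error message from `az aro create`.
REQUIRED = "Microsoft.Authorization/roleAssignments/write"


def _matches(pattern, action):
    """Azure action patterns: '*' matches any run of characters, case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_allows(role, action):
    """A single role grants its Actions minus its NotActions."""
    granted = any(_matches(p, action) for p in role["actions"])
    excluded = any(_matches(p, action) for p in role["notActions"])
    return granted and not excluded


def can_perform(role_names, action=REQUIRED):
    """Effective access is the union over assigned roles; NotActions is not a deny."""
    return any(role_allows(ROLES[name], action) for name in role_names)


if __name__ == "__main__":
    for held in (["Contributor"], ["Contributor", "User Access Administrator"], ["Owner"]):
        print(held, "->", can_perform(held))
```

Because NotActions only subtracts from the same role's Actions, adding User Access Administrator alongside Contributor is enough; Contributor does not need to be removed.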