The client ‘{0}’ with object id ‘{1}’ does not have authorization to perform action ‘Microsoft.ServiceFabric/register/action’ over scope ‘/subscriptions/{2}’

For an enterprise customer, I hat do develop a solution, that is build in the Cloud (Microsoft’s Cloud Azure). In that project I had the following setup:

For Build & Release, VSTS (Visual Studio Team Services) is used. For deploying bits to Azure I built up a release, that should setup a basic architecture in Azure.
For accessing Azure from VSTS, an IT responsible of that company, created a Service Principal (SP), that can access Azure resources and added that guy as VSTS Endpoint Service.

Now, one of those architecture components is Service Fabric. After creating the Release definition and the scripts in Azure CLI 2.0 I tried to get things working. But unfortunately, the release stopped with following error message:

az sf cluster create --resource-group ******* …
"error": {
   "code": "MissingSubscriptionRegistration",
   "message": "The subscription is not registered to use namespace 'Microsoft.ServiceFabric'. See https://aka.ms/rps-not-found for how to register subscriptions.",
   "details": [
     {
       "code": "MissingSubscriptionRegistration",
       "target": "Microsoft.ServiceFabric",
       "message": "The subscription is not registered to use namespace 'Microsoft.ServiceFabric'. See https://aka.ms/rps-not-found for how to register subscriptions."
     }
   ]
 }

… ok, maybe I have to register the namespace manually (usually not, but how really knows 😉 ), so I used the following command, before creating service fabric cluster:

az provider register --namespace Microsoft.ServiceFabric –wait

and this led to following error:

The client ‘{0}’ with object id ‘{1}’ does not have authorization to perform action ‘Microsoft.ServiceFabric/register/action’ over scope ‘/subscriptions/{2}’

Hm…, was not, what I hoped to get, but expected K ! Are there any account problems? Using a foreign subscription with limited access could be the cause! So I did some investigation on how the SP was created, set up and assigned to VSTS.

And, yeah, this was the right track. It became apparent that the SP was created only in AAD with sufficient rights, but it was not assigned as subscription-user, with contribute rights. After proper configuration, everything worked like a charm.

Hope this is also a solution for you?!

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.