https://prefect.io logo
Join SlackCommunities
Powered by
<@ULVA73B9P> I creared a aci work pool but when ru...
# ask-marvin
i
@Marvin I creared a aci work pool but when running the flow i have got this error. How to fix it?
Copy code
azure.core.exceptions.HttpResponseError: (AuthorizationFailed) The client '5b691102-d05d-4a6e-a0c0-c0d326e2164a' with object id '5b691102-d05d-4a6e-a0c0-c0d326e2164a' does not have authorization to perform action 'Microsoft.ContainerInstance/containerGroups/delete' over scope '/subscriptions/ee2685ef-33b1-4fbd-8588-432444e3a821/resourceGroups/identity-prefect/providers/Microsoft.ContainerInstance/containerGroups/healthcheck-a7cffced-2a44-40cd-a800-78bc399d2e52' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
m
The error message you received is indicating an authorization issue when attempting to delete a container group in Azure Container Instances (ACI). This suggests that the Azure Active Directory (AAD) application or service principal you're using doesn't have sufficient permissions to perform the delete operation. To resolve this, you need to ensure that the AAD application has the correct role assignments with the necessary permissions. Here are the steps to fix this: 1. Navigate to the Azure Portal: - Go to Azure Portal. 2. Find your Resource Group: - Locate the resource group mentioned in the error message (
/subscriptions/ee2685ef-33b1-4fbd-8588-432444e3a821/resourceGroups/identity-prefect
). 3. Access Control (IAM): - In the left-hand side menu, choose "Access control (IAM)". - Click on "+ Add" then "Add role assignment". 4. Assign the Correct Role: - Choose a role that has delete permissions for container groups (e.g., "Contributor" or a custom role with the specific required permissions like 
Microsoft.ContainerInstance/containerGroups/delete
). - Click "Next" and then "+ Select members". - Type the name of the app registration (AAD app) or service principal and add it. - Click "Review + Assign". 5. Refresh Credentials: - If you have recently updated these permissions, ensure that you refresh your credentials or give it a few minutes for the changes to take effect. For more detailed steps on setting up Azure for Prefect, you can refer to the Prefect documentation: - Prefect ACI Integration If the problem persists after ensuring the correct permissions, please let me know!
It seems like the issue is related to authorization permissions for your Azure Container Instances (ACI). Here are steps to resolve the authorization error: 1. Assign the Appropriate Role to the Identity: Ensure that the identity used for running the ACI has the required permissions. This typically includes the "Container Instances Contributor" role, which allows creation, deletion, and monitoring of container instances. You can create this role with the following command:
Copy code
sh
    az role definition create --role-definition '{
      "Name": "Container Instances Contributor",
      "IsCustom": true,
      "Description": "Can create, delete, and monitor container instances.",
      "Actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
        "Microsoft.Resources/deployments/*",
        "Microsoft.ContainerInstance/containerGroups/*"
      ],
      "NotActions": [],
      "AssignableScopes": [
        "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>"
      ]
    }'
2. Assign the Role to the Identity: Once the role is created, assign it to the user-managed identity:
Copy code
sh
    az role assignment create \
      --assignee <identity-id> \
      --role "Container Instances Contributor" \
      --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>
3. Ensure Credentials Are Up-To-Date: If access was granted recently, you might need to refresh the Azure credentials. Sign out and sign in again or use the 
az account clear
command to clear cached credentials. 4. Update Your ACI Work Pool Configuration: Navigate to the Edit page of your ACI work pool and ensure the identity is correctly referenced. The identity should be added in the following format:
Copy code
json
    ["/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>"]
For more detailed instructions, you can refer to the Prefect ACI documentation: - Prefect 2.x: Prefect Azure ACI Worker - Prefect 3.x: Prefect Azure ACI Worker If you continue to experience issues, please ensure all the steps are followed correctly and that the identity has been assigned the appropriate roles. Let me know if there's anything else I can assist you with!
6 Views
Open in Slack
PreviousNext
Powered by