DEV Community

Wallism

GitHub action to deploy to Azure container app fails with LinkedAuthorizationFailed

I created my GitHub action from the Azure portal, in the container app (capp) "Continuous deployment" (CD) section.
The first capp I did this with worked fine, but the second one generates the error.
One important detail: I put the second capp into the same container environment as the first (a very normal thing to do).

This error should not occur any more as Contributor access is given on the resource group now, not on the container app and environment.

This is the error:

The client 'guid' with object id 'guid' has permission to perform action 'Microsoft.App/containerApps/write' on scope '/subscriptions/guid/resourceGroups/MyRG/providers/Microsoft.App/containerApps/capp-02'; however, it does not have permission to perform action(s) 'Microsoft.App/managedEnvironments/join/action' on the linked scope(s) '/subscriptions/guid/resourceGroups/MyRG/providers/Microsoft.App/managedEnvironments/capp-environment' (respectively) or the linked scope(s) are invalid.

It's actually a really clear error. The "client" (or in this case, Service Principal) does not have permission to perform the 'Microsoft.App/managedEnvironments/join/action' action on the capp environment.

Why?

When we set up CD and the GitHub action was created, part of that process was the creation of a service principal (aka client).

The client is what allows the action to securely update our resource(s) in Azure. You can find the client in Microsoft Entra ID -> App registrations. You can also see the permissions granted to the client on the capp and capp environment, under "Access Control (IAM)".

When we create the first CD, the client is granted permission (Contributor) on both the capp and the capp environment. But when we create the second CD on the second capp, a second client is created but this second client is only granted access to the capp, not the capp environment! I don't know why, I guess it's a bug.

The solution

To fix the error, just go to the capp environment -> Access Control (IAM), then "Add role assignment" and grant the client Contributor access.
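
The same fix from the command line, as an added example that is not part of the original post: the script reads the error text, pulls out the service principal's object id and the environment scope, and prints the Azure CLI commands to check and then grant the role. The GUIDs in the sample message are constructed placeholders and the function names are made up for this example; the script only prints commands and never calls Azure.

```shell
#!/bin/sh
# Added example (not from the original post). Parses a LinkedAuthorizationFailed
# message and prints the az commands for the fix; it does not call Azure itself.

# Constructed sample: the post's error text with placeholder GUIDs filled in.
SAMPLE_ERROR="The client '00000000-0000-0000-0000-000000000001' with object id '00000000-0000-0000-0000-000000000002' has permission to perform action 'Microsoft.App/containerApps/write' on scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyRG/providers/Microsoft.App/containerApps/capp-02'; however, it does not have permission to perform action(s) 'Microsoft.App/managedEnvironments/join/action' on the linked scope(s) '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyRG/providers/Microsoft.App/managedEnvironments/capp-environment' (respectively) or the linked scope(s) are invalid."

# Print the single-quoted value that follows a marker phrase.
# $1 = error message, $2 = marker text immediately before the quoted value.
field() { printf '%s\n' "$1" | sed -n "s/.*$2 '\([^']*\)'.*/\1/p"; }

object_id()     { field "$1" "with object id"; }
denied_action() { field "$1" "does not have permission to perform action(s)"; }
linked_scope()  { field "$1" "on the linked scope(s)"; }

# Command that lists what the client already holds on the environment.
check_command() {
  oid=$(object_id "$1"); scope=$(linked_scope "$1")
  [ -n "$oid" ] && [ -n "$scope" ] || { echo "not a LinkedAuthorizationFailed message" >&2; return 1; }
  printf "az role assignment list --assignee %s --scope '%s' --output table\n" "$oid" "$scope"
}

# Command that grants Contributor on the environment, as the post does in the portal.
grant_command() {
  oid=$(object_id "$1"); scope=$(linked_scope "$1")
  [ -n "$oid" ] && [ -n "$scope" ] || { echo "not a LinkedAuthorizationFailed message" >&2; return 1; }
  printf "az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role Contributor --scope '%s'\n" "$oid" "$scope"
}

# Show the one action the error says is missing, then the two commands.
echo "# denied action: $(denied_action "$SAMPLE_ERROR")"
check_command "$SAMPLE_ERROR"
grant_command "$SAMPLE_ERROR"
```

Run the printed list command first: if the client already shows a role on the environment scope, the failure has a different cause and the grant is not needed.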
