The client ‘{0}’ with object id ‘{1}’ does not have authorization to perform action ‘Microsoft.ServiceFabric/register/action’ over scope ‘/subscriptions/{2}’

Nov 12, 2017 ALM
[Reading Time: 2 minutes]

For an enterprise customer, I hat do develop a solution, that is build in the Cloud (Microsoft’s Cloud Azure). In that project I had the following setup:

For Build & Release, VSTS (Visual Studio Team Services) is used. For deploying bits to Azure I built up a release, that should setup a basic architecture in Azure.
For accessing Azure from VSTS, an IT responsible of that company, created a Service Principal (SP), that can access Azure resources and added that guy as VSTS Endpoint Service.

Now, one of those architecture components is Service Fabric. After creating the Release definition and the scripts in Azure CLI 2.0 I tried to get things working. But unfortunately, the release stopped with following error message:

az sf cluster create --resource-group ******* …
"error": {
   "code": "MissingSubscriptionRegistration",
   "message": "The subscription is not registered to use namespace 'Microsoft.ServiceFabric'. See https://aka.ms/rps-not-found for how to register subscriptions.",
   "details": [
     {
       "code": "MissingSubscriptionRegistration",
       "target": "Microsoft.ServiceFabric",
       "message": "The subscription is not registered to use namespace 'Microsoft.ServiceFabric'. See https://aka.ms/rps-not-found for how to register subscriptions."
     }
   ]
 }

… ok, maybe I have to register the namespace manually (usually not, but how really knows 😉 ), so I used the following command, before creating service fabric cluster:

az provider register --namespace Microsoft.ServiceFabric –wait

and this led to following error:

The client ‘{0}’ with object id ‘{1}’ does not have authorization to perform action ‘Microsoft.ServiceFabric/register/action’ over scope ‘/subscriptions/{2}’

Hm…, was not, what I hoped to get, but expected K ! Are there any account problems? Using a foreign subscription with limited access could be the cause! So I did some investigation on how the SP was created, set up and assigned to VSTS.

And, yeah, this was the right track. It became apparent that the SP was created only in AAD with sufficient rights, but it was not assigned as subscription-user, with contribute rights. After proper configuration, everything worked like a charm.

Hope this is also a solution for you?!

By Thomas

I work as a director at CGI in Stuttgart. Responsible for the topic of innovation in the cloud and DevOps, I drive various topics like IoT, AI and Cloud with teams. The agile transformation of German IT companies or ministries plays a major role here, as does the modernization of applications using smart services. For almost two decades I have been supporting as IT architect, developer and coach. I am also very active in the community. As host of Azure Meetup Konstnaz & Region, as well as co-host of Azure Meetup Stuttgart and as co-admin of GitHub Meetup Stuttgart, I would like to share knowledge and experience with like-minded people.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.