The client ‘{0}’ with object id ‘{1}’ does not have authorization to perform action ‘Microsoft.ServiceFabric/register/action’ over scope ‘/subscriptions/{2}’

Nov 12, 2017 ALM
[Reading Time: 2 minutes]

For an enterprise customer, I hat do develop a solution, that is build in the Cloud (Microsoft’s Cloud Azure). In that project I had the following setup:

For Build & Release, VSTS (Visual Studio Team Services) is used. For deploying bits to Azure I built up a release, that should setup a basic architecture in Azure.
For accessing Azure from VSTS, an IT responsible of that company, created a Service Principal (SP), that can access Azure resources and added that guy as VSTS Endpoint Service.

Now, one of those architecture components is Service Fabric. After creating the Release definition and the scripts in Azure CLI 2.0 I tried to get things working. But unfortunately, the release stopped with following error message:

az sf cluster create --resource-group ******* …
"error": {
   "code": "MissingSubscriptionRegistration",
   "message": "The subscription is not registered to use namespace 'Microsoft.ServiceFabric'. See https://aka.ms/rps-not-found for how to register subscriptions.",
   "details": [
     {
       "code": "MissingSubscriptionRegistration",
       "target": "Microsoft.ServiceFabric",
       "message": "The subscription is not registered to use namespace 'Microsoft.ServiceFabric'. See https://aka.ms/rps-not-found for how to register subscriptions."
     }
   ]
 }

… ok, maybe I have to register the namespace manually (usually not, but how really knows 😉 ), so I used the following command, before creating service fabric cluster:

az provider register --namespace Microsoft.ServiceFabric –wait

and this led to following error:

The client ‘{0}’ with object id ‘{1}’ does not have authorization to perform action ‘Microsoft.ServiceFabric/register/action’ over scope ‘/subscriptions/{2}’

Hm…, was not, what I hoped to get, but expected K ! Are there any account problems? Using a foreign subscription with limited access could be the cause! So I did some investigation on how the SP was created, set up and assigned to VSTS.

And, yeah, this was the right track. It became apparent that the SP was created only in AAD with sufficient rights, but it was not assigned as subscription-user, with contribute rights. After proper configuration, everything worked like a charm.

Hope this is also a solution for you?!

By Thomas

As Chief Technology Officer at Xpirit Germany. I am responsible for driving productivity for our customers by a full stack of dev and technology in modern times. But I not only care for technologies from Microsofts stack like Azure, AI, and IoT, but also for delivering quality and expertise with DevOps

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.