Insufficient IAM Role Or Permissions

Insufficient IAM Role Or PermissionError

Code: IAM-01-01

Description

NetworkBrain does require a minimum IAM role and permissions to access the specific resources to retrieve basic data. If any required permission is missing, you will see a discovery failure or data retrieve failure.

Troubleshoot

1. Check the Front Server python debug logs whose timestamp covers the issue happened before. Search for "does not have authorization" or "authorization".
   

2. If you find error messages contaning "does not have authorization", address the missing permission and add it in IAM custom role from Azure Portal. For example, you can find the missing permission “Microsoft.Network/virtualNetworks/subnets/read” from the log above. .
3. If you cannot find the root cause and fix the issue, collect the data and feedback for further troubleshooting.
4. Collect Data

• Python Error & Debug Logs: Copy the python error logs from the worker server and front server. Make sure the timestamp of the log is within the issue happened. (Enable the python log print before collecting log data.)
• API Raw Data: Only collect it upon the Dev Team’s request and the customer’s approval. For more information, contact NetBrain support.
  

Sample Case

Case:
*Error messages in Worker python logs file:*
{"error":{"code":"AuthorizationFailed","message":"The client \'9741325e-126c-4fbd-9b81-93ed862b780d\' with object id \'9741325e-126c-4fbd-9b81-93ed862b780d\'does not have authorization to perform action \'Microsoft.Network/virtualNetworks/subnets/read{color}' over scope \'/subscriptions/073e6f45-d1ae-40fe-93af-88231d2377bd/resourceGroups/HC/providers/Microsoft.Network/virtualNetworks/HC-vnet/subnets/HC-App_subnet\' or the scope is invalid. If access was recently granted, please refresh your credentials."}}'

Root cause: Permission "Microsoft.Network/virtualNetworks/subnets/read" is missing.

Solution: Add the required permission in the IAM role within the customer’s Azure Portal.