articles/virtual-machines/linux/image-builder-troubleshoot.md
37 additions & 0 deletions
@@ -173,6 +173,43 @@ The file name or location is incorrect, or the location isn't reachable.
173
173
174
174
Ensure that the file is reachable. Verify that the name and location are correct.
175
175
176
+
### Authorization error creating disk
177
+
178
+
The Azure Image Builder build fails with an authorization error that looks like the following:
179
+
180
+
#### Error
181
+
182
+
```text
183
+
Attempting to deploy created Image template in Azure fails with an 'The client '6df325020-fe22-4e39-bd69-10873965ac04' with object id '6df325020-fe22-4e39-bd69-10873965ac04' does not have authorization to perform action 'Microsoft.Compute/disks/write' over scope '/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>/providers/Microsoft.Compute/disks/proxyVmDiskWin_<timestamp>' or the scope is invalid. If access was recently granted, please refresh your credentials.'
184
+
```
185
+
#### Cause
186
+
187
+
This error is caused when trying to specify a pre-existing resource group and VNet to the Azure Image Builder service with a Windows source image.
188
+
189
+
#### Solution
190
+
191
+
You will need to assign the contributor role to the resource group for the service principal corresponding to Azure Image Builder's first party app by using the CLI command or portal instructions below.
192
+
193
+
First, validate that the service principal is associated with Azure Image Builder's first party app by using the following CLI command:
194
+
```azurecli-interactive
195
+
az ad sp show --id {servicePrincipalName, or objectId}
196
+
```
197
+
198
+
Then, to implement this solution using CLI, use the following command:
199
+
```azurecli-interactive
200
+
az role assignment create -g {ResourceGroupName} --assignee {AibrpSpOid} --role Contributor
201
+
```
202
+
203
+
To implement this solution in portal, follow the instructions in this documentation: [Assign Azure roles using the Azure portal - Azure RBAC](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal?tabs=current).
204
+
205
+
For [Step 1: Identify the needed scope](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal?tabs=current#step-1-identify-the-needed-scope): The needed scope is your resource group.
206
+
207
+
For [Step 3: Select the appropriate role](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal?tabs=current#step-3-select-the-appropriate-role): The role is Contributor.
208
+
209
+
For [Step 4: Select who needs access](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal?tabs=current#step-4-select-who-needs-access): Select member “Azure Virtual Machine Image Builder”
210
+
211
+
Then proceed to [Step 6: Assign role](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal?tabs=current#step-6-assign-role) to assign the role.
212
+
176
213
## Troubleshoot build failures
177
214
178
215
For image build failures, get the error from the `lastrunstatus`, and then review the details in the *customization.log* file.
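Review bot: The Solution's `az role assignment create -g {ResourceGroupName} --assignee {AibrpSpOid} --role Contributor` step grants Contributor over the whole resource group, while the only action the quoted error shows being denied is 'Microsoft.Compute/disks/write'. Either say why the full Contributor role is required here or document a narrower role, since this will be applied to a pre-existing resource group that may hold other resources. In the same command, `{AibrpSpOid}` is never defined: state that it is an object id and where the reader gets it (presumably the object id reported in the error message). The preceding `az ad sp show` step asks the reader to validate that the principal belongs to Azure Image Builder's first party app but does not say what in the output confirms that, for example a display name matching the "Azure Virtual Machine Image Builder" member named in the portal Step 4. Finally, the sample error uses the same value for the client and the object id, and its first group has nine hex digits, so it is not a well-formed GUID; use placeholders such as <clientId> and <objectId>, matching <subscriptionID> in the same message.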