Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WebToolsE2E]Can't delete resource group use command "az group delete --name <your-resource-group-name>" #28931

Open
v-yuwzh opened this issue May 10, 2024 · 2 comments
Open

[WebToolsE2E]Can't delete resource group use command "az group delete --name <your-resource-group-name>" #28931

v-yuwzh opened this issue May 10, 2024 · 2 comments
Assignees
@jiasli @zhoxing-ms
Labels
Account az login/account ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group Auto-Assign Auto assign by bot Auto-Resolve Auto resolve by bot Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Similar-Issue
Milestone
Backlog

Comments

@v-yuwzh
Copy link

v-yuwzh commented May 10, 2024
edited

INSTALL STEPS

  1. Clean machine: Win11 x64 23h2 ENU
  2. Install az from https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli#install-or-update

REPRO STEPS

  1. Open command prompt window as admin
  2. Run "az login"
  3. Run "az group delete --name rg-susie101" to delete existing resource groups

Related command

az group delete --name rg-susie101

ACTUAL: It show "don't have authorization to delete resource group.

image

(AuthorizationFailed) The client '[email protected]' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client '[email protected]' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials.

Issue script & Debug output

cli.knack.cli: Command arguments: ['group', 'delete', '--name', 'rg-susie101', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x00000275CB47B880>, <function OutputProducer.on_global_arguments at 0x00000275CB606020>, <function CLIQuery.on_global_arguments at 0x00000275CB633BA0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'group': ['azure.cli.command_modules.resource']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: resource                  0.207        51       228
cli.azure.cli.core: Total (1)                 0.207        51       228
cli.azure.cli.core: Loaded 51 groups, 228 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : group delete
cli.azure.cli.core: Command table: group delete
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x00000275CE4D2020>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\v-yuwzh\.azure\commands\2024-05-10.08-19-15.group_delete.3648.log'.
az_command_data_logger: command args: group delete --name {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x00000275CE516480>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x00000275CE5504A0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x00000275CE5505E0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x00000275CB6060C0>, <function CLIQuery.handle_query_parameter at 0x00000275CB633C40>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x00000275CE550540>]
Are you sure you want to perform this operation? (y/n): y
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ResourceManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\v-yuwzh\\.azure\\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\v-yuwzh\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47
msal.authority: openid_config("https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: a2c1233d-619f-4564-9e88-b144821d9924
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101?api-version=2022-09-01'
cli.azure.cli.core.sdk.policies: Request method: 'DELETE'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': 'fd564342-0ea5-11ef-a425-002248b853cb'
cli.azure.cli.core.sdk.policies:     'CommandName': 'group delete'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--name --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.60.0 (MSI) azsdk-python-core/1.28.0 Python/3.11.8 (Windows-10-10.0.22631-SP0)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "DELETE /subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101?api-version=2022-09-01 HTTP/1.1" 403 427
cli.azure.cli.core.sdk.policies: Response status: 403
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '427'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'x-ms-failure-cause': 'gateway'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': 'af00dcf4-9a14-4e80-bbac-2515b908f471'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': 'af00dcf4-9a14-4e80-bbac-2515b908f471'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'WESTUS2:20240510T081924Z:af00dcf4-9a14-4e80-bbac-2515b908f471'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies:     'X-MSEdge-Ref': 'Ref A: 8CA43F9C40734392B7FBD83A9FFBE997 Ref B: CO6AA3150219053 Ref C: 2024-05-10T08:19:24Z'
cli.azure.cli.core.sdk.policies:     'Date': 'Fri, 10 May 2024 08:19:23 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"AuthorizationFailed","message":"The client '[email protected]' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 664, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 701, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 334, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/mgmt/resource/resources/v2022_09_01/operations/_operations.py", line 11598, in begin_delete
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/mgmt/resource/resources/v2022_09_01/operations/_operations.py", line 11553, in _delete_initial
azure.core.exceptions.HttpResponseError: (AuthorizationFailed) The client '[email protected]' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client '[email protected]' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials.

cli.azure.cli.core.azclierror: (AuthorizationFailed) The client '[email protected]' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client '[email protected]' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials.
az_command_data_logger: (AuthorizationFailed) The client '[email protected]' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client '[email protected]' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x00000275CE4D22A0>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 9.543 seconds (init: 0.547, invoke: 8.997)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4467 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\v-yuwzh\.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

EXPECTED Can delete the resource groups"rg-susie101"

** Environment Summary**

C:\Windows\System32>az --version
azure-cli                         2.60.0

core                              2.60.0
telemetry                          1.1.0

Dependencies:
msal                              1.28.0
azure-mgmt-resource             23.1.0b2

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\v-yuwzh\.azure\cliextensions'

Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb  6 2024, 22:03:32) [MSC v.1937 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal


Your CLI is up-to-date.

C:\Windows\System32>

Additional context

  1. when do the scenarios in Deploy a .NET Aspire app to Azure Container Apps document meet this issue.
    image

  2. Can delete the resource groups by select "Delete resource group" in page
    image
@v-yuwzh v-yuwzh added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label May 10, 2024
@azure-client-tools-bot-prd azure-client-tools-bot-prd
Copy link

Hi @v-yuwzh
Find similar issue #28354.
Issue title “az role definition delete” could not delete custom role when user only have permission on the Resource Group
Create time 2024-02-12
Comment number 0

Please confirm if this resolves your issue.

@microsoft-github-policy-service microsoft-github-policy-service bot added Auto-Assign Auto assign by bot ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group labels May 10, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Azure CLI Team The command of the issue is owned by Azure CLI team label May 10, 2024
@yonzhan
Copy link
Collaborator

yonzhan commented May 10, 2024

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Account az login/account labels May 10, 2024
@v-yuwzh v-yuwzh changed the title Can't delete resource group use command "az group delete --name <your-resource-group-name>" [WebToolsE2E]Can't delete resource group use command "az group delete --name <your-resource-group-name>" May 10, 2024
@yonzhan yonzhan added this to the Backlog milestone May 10, 2024
@yonzhan yonzhan removed the bug This issue requires a change to an existing behavior in the product in order to be resolved. label May 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jiasli jiasli

@zhoxing-ms zhoxing-ms

Labels
Account az login/account ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group Auto-Assign Auto assign by bot Auto-Resolve Auto resolve by bot Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Similar-Issue
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
4 participants
@jiasli @zhoxing-ms @v-yuwzh @yonzhan