Following this article 1:1 results in this error:
Deployment failed. Correlation ID: c9c2c000-3d5e-493a-bb74-904e6688d63f. RoleAssignmentReconciler retry timed out: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'xxx' with object id 'yyy' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/zzz/resourceGroups/MC_rg_staging_kube_staging-cluster_westeurope/providers/Microsoft.Authorization/roleAssignments/***' or the scope is invalid. If access was recently granted, please refresh your credentials."
@rudolfdobias Thanks for the question! We are investigating and will update you shortly.
@rudolfdobias I ran through the example but was not able to repro the issue you are seeing.
I would suggest trying to run through the doc again and seeing if you are still having issues. Another problem could be with your AAD. Depending on your permission levels you might not have the correct permissions needed to complete the tutorial. What is your role in your AD?
I have come across the same issue while deploying the AKS cluster using an ARM template.
Is it important which account tries to run the ARM template? What are the permissions in AD required to deploy an AKS cluster?
> @rudolfdobias I ran through the example but was not able to repro the issue you are seeing.
> I would suggest trying to run through the doc again and seeing if you are still having issues. Another problem could be with your AAD. Depending on your permission levels you might not have the correct permissions needed to complete the tutorial. What is your role in your AD?
My role is Global Administrator.
I tried everything ten times, even with your default values. It always waits for ~5 minutes and then fails.
After a couple of hours I tried to assign the Owner role over my whole subscription to AzureContainerService (represented as objectId "yyy" in the posted error) and then it worked. The service clearly did not have rights to contribute to the MC_*resource_group which is created by the aks deployment.
I don't know why it did not work but I'm pretty sure I didn't manipulate the roles of AzureContainerService before.
There should be some rights-checking preflight in this deployment - or - some redundant role assignment step for this case. It is really frustrating when even the copied tutorial does not work.
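A preflight check of the kind requested above can be sketched offline. This is an added example, not code from the thread or from the Azure docs: it evaluates whether a principal's role assignments grant `Microsoft.Authorization/roleAssignments/write` over the `MC_` resource group. The role definitions are trimmed copies of the built-in roles, the assignment records are constructed in the shape `az role assignment list` returns, and deny assignments are ignored.

```python
import re

ACTION = "Microsoft.Authorization/roleAssignments/write"

# Assumption: trimmed copies of built-in role permissions, enough for this check.
ROLE_DEFS = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "User Access Administrator": {"actions": ["*/read", "Microsoft.Authorization/*"],
                                  "notActions": []},
}

def _matches(pattern, action):
    # RBAC wildcards span path segments; action names compare case-insensitively.
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def _in_scope(assigned, target):
    # An assignment applies to its own scope and to every child scope.
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    return a == "" or t == a or t.startswith(a + "/")

def role_allows(role, action):
    # NotActions are subtracted from Actions within the same role definition.
    d = ROLE_DEFS[role]
    return (any(_matches(p, action) for p in d["actions"])
            and not any(_matches(p, action) for p in d["notActions"]))

def can_perform(assignments, principal_id, action, target_scope):
    # Effective permission is the union over all assignments that apply.
    return any(a["principalId"] == principal_id
               and _in_scope(a["scope"], target_scope)
               and role_allows(a["roleDefinitionName"], action)
               for a in assignments)

# Constructed sample data using the placeholder ids from the posted error.
SUB = "/subscriptions/zzz"
MC_RG = SUB + "/resourceGroups/MC_rg_staging_kube_staging-cluster_westeurope"
contributor_only = [{"principalId": "yyy", "roleDefinitionName": "Contributor",
                     "scope": SUB}]
owner_on_sub = contributor_only + [{"principalId": "yyy",
                                    "roleDefinitionName": "Owner", "scope": SUB}]

if __name__ == "__main__":
    for name, data in [("Contributor only", contributor_only),
                       ("Owner on subscription", owner_on_sub)]:
        print(name, "->", can_perform(data, "yyy", ACTION, MC_RG))
```

Contributor fails the check because its `NotActions` exclude all `Microsoft.Authorization/*/Write` operations, which matches the 403 in the error; a narrower grant than subscription-wide Owner, such as a role scoped to the `MC_` resource group, also passes.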
@rudolfdobias the only thing I can really think of is if the command in the doc did not work as expected
az role assignment create --assignee
I have run through this doc a couple of times now and don't get an error. That being said, I have done other AKS related items so it's possible my permissions were already configured correctly.
I am also following the issue linked by @cwebbtw
If you like, I can enable you for a support request to have this looked into further. You can reach me at [email protected] and simply provide me with your Azure SubscriptionID and link to this issue.
Besides that, I cannot repro your issue and don't see any direct issues with this specific doc. I will continue to follow the other issue open on the AKS repo directly for any updates.
@MicahMcKittrick-MSFT I have exactly the same issue. I use Terraform for AKS deployment and during terraform apply I get the following error:
Code="CreateRoleAssignmentError" Message="RoleAssignmentReconciler retry timed out: autorest/azure: Service returned an error. Status=403 Code=\"AuthorizationFailed\" Message=\"The client 'xxx' with object id 'yyy does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/zzz/resourceGroups/MC_mas-azure-20190724_k8s_westeurope/providers/Microsoft.Authorization/roleAssignments/qqq' or the scope is invalid. If access was recently granted, please refresh your credentials.\""