8

While deploying Azure Data Factory's ARM template through service principal, I am getting below error:

[error]Failed to check the resource group status. Error: {"statusCode":403}.

Is it a service connection Access related issue? How to check/resolve this?

Aniket Karajgikar
  • 245
  • 2
  • 13
  • https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops – Jagrati Modi Aug 03 '21 at 06:35

1 Answers1

7

The error means the service principal used in your Azure DevOps service connection does not have enough permission to perform the action.

To solve the issue, you need to add an Azure RBAC role for the service principal, navigate to the Project Settings in Azure DevOps -> Service connections -> find the service connection you used(whose type is Azure Resource Manager) and select it -> select Manage service connection roles.

enter image description here

Then it will open a page for the Azure subscription in Azure portal, navigate to the Access control (IAM) -> add your service principal as a Contributor role as below.

Note: To assign the role for your service principal, your user account logged in Azure portal needs the RBAC role e.g. Owner, User Access Administrator.

enter image description here

Joy Wang
  • 39,905
  • 3
  • 30
  • 54
  • Although I agree that @Joy Wang's solution will work, be aware of 2 things: 1 - This solution is an overkill, as you don't need to assign the Service Principal to the whole subscription, you can do this at the resource group level instead (just do exactly what Joy is telling but at the Resource Group level instead of at the Subscription Level). 2 - The other important thing to say is that this error can also happen if in the pipeline you didn't name the resource group correctly or if you didn't add the right subscription ID. – Luis Gouveia Mar 01 '23 at 17:38