I created a new Azure AI Services resource in a Resource Group. I have Contributor access in the Resource Group that contains this Azure AI Service resource.
My problem is I can't list keys with this az cli command. I'm already logged in with az login.
az cognitiveservices account keys list --name alper-azure-ai-service --resource-group alper-playground
I'm getting this error message: (AuthorizationFailed) The client 'alper.silistre@{myCompanyEmail}' with object id '{myObjectId}' does not have authorization to perform action 'Microsoft.CognitiveServices/accounts/listKeys/action' over scope '/subscriptions/{subscriptionObjectId}/resourceGroups/alper-playground/providers/Microsoft.CognitiveServices/accounts/alper-azure-ai-service' or the scope is invalid. If access was recently granted, please refresh your credentials.
I can access Keys and Endpoint section from Azure Portal:
We can also see in the IAM that I am Contributor from RG (inherited):
Now, it's clear that Contributor already has 'Microsoft.CognitiveServices/accounts/listKeys/action':
So, I'm not sure what I'm missing here, since I should be able to list keys with az cli command. I definitely have Contributor access inherited from the Resource Group.
For reference, I'm following this Microsoft Learn exercise: https://microsoftlearning.github.io/mslearn-ai-services/Instructions/Exercises/02-ai-services-security.html
I found the problem here by trying different az cli commands under az cognitiveservices. For example, when I run this az cognitiveservices account show --name alper-azure-ai-service --resource-group alper-playground'
it gives me this error:
(ResourceGroupNotFound) Resource group 'alper-playground' could not be found.
Code: ResourceGroupNotFound
Message: Resource group 'alper-playground' could not be found.
This gave me the idea to specifically put --subscription into my original command. So when I run the original cli command with this:
az cognitiveservices account keys list --subscription {mySubscriptionName} --name alper-azure-ai-service --resource-group alper-playground
it worked.
The interesting thing here is that while az cognitiveservices account show
is giving ResourceGroupNotFound error, az cognitiveservices account keys list
gives AuthorizationFailed error, which in my opinion is confusing.