Tags: azure, azure-cli, azure-rbac, azure-ai

The client with object id does not have authorization to perform action 'Microsoft.CognitiveServices/accounts/listKeys/action' over scope


I created a new Azure AI Services resource in a Resource Group. I have Contributor access in the Resource Group that contains this Azure AI Service resource.

My problem is I can't list keys with this az cli command. I'm already logged in with az login.

az cognitiveservices account keys list --name alper-azure-ai-service --resource-group alper-playground

I'm getting this error message: (AuthorizationFailed) The client 'alper.silistre@{myCompanyEmail}' with object id '{myObjectId}' does not have authorization to perform action 'Microsoft.CognitiveServices/accounts/listKeys/action' over scope '/subscriptions/{subscriptionObjectId}/resourceGroups/alper-playground/providers/Microsoft.CognitiveServices/accounts/alper-azure-ai-service' or the scope is invalid. If access was recently granted, please refresh your credentials.

I can access Keys and Endpoint section from Azure Portal:


We can also see in the IAM that I am Contributor from RG (inherited):


Now, it's clear that Contributor already has 'Microsoft.CognitiveServices/accounts/listKeys/action':


So, I'm not sure what I'm missing here, since I should be able to list keys with az cli command. I definitely have Contributor access inherited from the Resource Group.

For reference, I'm following this Microsoft Learn exercise: https://microsoftlearning.github.io/mslearn-ai-services/Instructions/Exercises/02-ai-services-security.html


Solution

  • I found the problem here by trying different az cli commands under az cognitiveservices. For example, when I run this: az cognitiveservices account show --name alper-azure-ai-service --resource-group alper-playground it gives me this error:

    (ResourceGroupNotFound) Resource group 'alper-playground' could not be found.
    Code: ResourceGroupNotFound
    Message: Resource group 'alper-playground' could not be found.
    

    This gave me the idea to specifically put --subscription into my original command. So when I ran the original cli command like this: az cognitiveservices account keys list --subscription {mySubscriptionName} --name alper-azure-ai-service --resource-group alper-playground it worked.

    The interesting thing here is that while az cognitiveservices account show gives a ResourceGroupNotFound error, az cognitiveservices account keys list gives an AuthorizationFailed error, which in my opinion is confusing.
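The scope printed in an AuthorizationFailed message names the subscription the CLI actually sent the request to, so comparing it with the subscription that holds the resource shows whether the CLI context, rather than the role assignment, is the cause. The following is an added example, not part of the original post; the function names are hypothetical and the sample error text and GUIDs are constructed.

```shell
#!/bin/sh
# Added example: decide whether an ARM AuthorizationFailed error points at a
# wrong active subscription. Function names are hypothetical.

# Constructed sample error; all GUIDs and the user name are placeholders.
SAMPLE_ERROR="(AuthorizationFailed) The client 'user@example.com' with object id '11111111-1111-1111-1111-111111111111' does not have authorization to perform action 'Microsoft.CognitiveServices/accounts/listKeys/action' over scope '/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/alper-playground/providers/Microsoft.CognitiveServices/accounts/alper-azure-ai-service' or the scope is invalid."
# Constructed id of the subscription where the resource really lives.
SAMPLE_RESOURCE_SUB="00000000-0000-0000-0000-000000000002"

# Lower-case a value so GUID comparison is case-insensitive.
lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Print the subscription id found in the scope of an ARM error message
# (empty output when the message carries no /subscriptions/ scope).
scope_subscription() {
    printf '%s\n' "$1" | sed -n "s#.*/subscriptions/\([^/']*\)/.*#\1#p" | head -n 1
}

# $1 = error text from az, $2 = subscription id that holds the resource.
# Prints: wrong-subscription | same-subscription | no-scope
check_context() {
    requested=$(scope_subscription "$1")
    if [ -z "$requested" ]; then
        echo "no-scope"
    elif [ "$(lower "$requested")" = "$(lower "$2")" ]; then
        # Request reached the right subscription: look at role assignments.
        echo "same-subscription"
    else
        # Request went to another subscription: pass --subscription or
        # switch the default with: az account set --subscription <name-or-id>
        echo "wrong-subscription"
    fi
}

# With real values, the active subscription id comes from:
#   az account show --query id -o tsv
check_context "$SAMPLE_ERROR" "$SAMPLE_RESOURCE_SUB"
```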