update ACI deployment prereqs to add requirement for role on the subscription #1595
Merged
willtsai merged 2 commits into radius-project:v0.53 from Nov 18, 2025
…cription Signed-off-by: Will Tsai <28876888+willtsai@users.noreply.github.com>
sk593
approved these changes
Nov 18, 2025
kachawla
reviewed
Nov 18, 2025
| The [Bicep extension]({{< ref "installation#step-2-install-the-vs-code-extension" >}}) for VS Code is recommended for Bicep language support | ||
| - Radius [installed]({{< ref "/guides/operations/kubernetes/kubernetes-install" >}}) on a [supported Kubernetes cluster]({{< ref "/guides/operations/kubernetes/overview#supported-kubernetes-clusters" >}}) | ||
| - An Azure provider configured and registered with your Radius control plane, either through [Service Principal](https://docs.radapp.io/guides/operations/providers/azure-provider/howto-azure-provider-sp/) or [Workload Identity](https://docs.radapp.io/guides/operations/providers/azure-provider/howto-azure-provider-wi/) that have been assigned to the `Contributor` and `Azure Container Instances Contributor` roles on the subscription or resource group where the ACI containers will be deployed | ||
| - An Azure provider configured and registered with your Radius control plane, either through [Service Principal](https://docs.radapp.io/guides/operations/providers/azure-provider/howto-azure-provider-sp/) or [Workload Identity](https://docs.radapp.io/guides/operations/providers/azure-provider/howto-azure-provider-wi/) that have been assigned to the `Reader` role on the subscription and the `Contributor` role on the resource group where the ACI containers will be deployed |
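Review bot: the added prerequisite line asks for `Reader` on the whole subscription without saying why, so an operator applying least privilege cannot judge whether that grant can be narrowed. Add a short clause naming the subscription-scoped call that needs it; the author's reply in this thread cites `Microsoft.ContainerInstance/locations/nGroupsOperations/read`. In the same line, "either through Service Principal or Workload Identity that have been assigned to the `Reader` role" states the assignment backwards and mixes singular and plural; something like "whose identity has been assigned the `Reader` role on the subscription and the `Contributor` role on the resource group" reads correctly. The two provider links are also absolute docs.radapp.io URLs, while the neighbouring lines use `{{< ref >}}` shortcodes.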
Member
Just curious - why are the subscription level read permissions needed?
Contributor
Author
There is an API call in the set of NGroups operations that requires the subscription read permissions. Without those, Radius deployment will report a failure despite the actual deployment being successful:
{
"code": "Internal",
"message": "GET https://management.azure.com/subscriptions/66d1209e-1382-45d3-99bb-650e6bf63fc0/providers/Microsoft.ContainerInstance/locations/WestUS3/nGroupsOperations/08b7511d-65a2-43f0-ab77-2b2cabcd7da2\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 Forbidden\nERROR CODE: AuthorizationFailed\n--------------------------------------------------------------------------------\n{\n \"error\": {\n \"code\": \"AuthorizationFailed\",\n \"message\": \"The client '90b61134-c268-4f0c-bdd1-0a3b42ee915c' with object id 'e5792ec8-3a2b-414c-9797-7f6132ebdcde' does not have authorization to perform action 'Microsoft.ContainerInstance/locations/nGroupsOperations/read' over scope '/subscriptions/66d1209e-1382-45d3-99bb-650e6bf63fc0/providers/Microsoft.ContainerInstance/locations/WestUS3/nGroupsOperations/08b7511d-65a2-43f0-ab77-2b2cabcd7da2' or the scope is invalid. If access was recently granted, please refresh your credentials.\"\n }\n}\n--------------------------------------------------------------------------------\n"
}
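Why a resource-group `Contributor` assignment does not satisfy the call in the error above, as an added example (not code from Radius or from this pull request): it parses an `AuthorizationFailed` message and checks Azure RBAC scope inheritance. The sample message, the placeholder GUIDs, the `aci-rg` resource group name and all function names are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the AuthorizationFailed text quoted in the thread.
# Every GUID below is a placeholder, not a value from a real tenant.
SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE_ERROR = (
    "The client '11111111-1111-1111-1111-111111111111' with object id "
    "'22222222-2222-2222-2222-222222222222' does not have authorization to perform "
    "action 'Microsoft.ContainerInstance/locations/nGroupsOperations/read' over scope "
    f"'/subscriptions/{SUB}/providers/Microsoft.ContainerInstance/locations/WestUS3/"
    "nGroupsOperations/33333333-3333-3333-3333-333333333333' or the scope is invalid."
)

_DENIED = re.compile(
    r"object id '(?P<object_id>[^']+)'.*?perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'",
    re.S,
)
_ANCESTOR = re.compile(r"(/subscriptions/[^/]+)(/resourceGroups/[^/]+)?", re.I)


def parse_denial(message):
    """Return the principal object id, denied action and scope from the error text."""
    m = _DENIED.search(message)
    if m is None:
        raise ValueError("not an AuthorizationFailed message")
    return m.groupdict()


def covers(assignment_scope, target_scope):
    """True if a role assigned at assignment_scope is inherited at target_scope.

    Scopes are hierarchical paths; the comparison is case-insensitive and
    segment-aligned, so /subscriptions/a never matches /subscriptions/ab.
    """
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def enclosing_scope(target_scope):
    """Return the resource-group prefix of a scope, or the subscription if it has none."""
    m = _ANCESTOR.match(target_scope)
    if m is None:
        raise ValueError("scope does not start with /subscriptions/<id>")
    return m.group(0)
```

The denied scope has no `resourceGroups` segment, so only an assignment at the subscription (or above) is inherited there; that is the check `covers` makes explicit.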
kachawla
approved these changes
Nov 18, 2025
willtsai
added a commit
that referenced
this pull request
Nov 18, 2025
* Update docs for v0.53.0 * update ACI deployment prereqs to add requirement for role on the subscription (#1595) * update ACI deployment prereqs to add requirement for role on the subscription Signed-off-by: Will Tsai <28876888+willtsai@users.noreply.github.com> * minor fix Signed-off-by: Will Tsai <28876888+willtsai@users.noreply.github.com> --------- Signed-off-by: Will Tsai <28876888+willtsai@users.noreply.github.com> --------- Signed-off-by: Will Tsai <28876888+willtsai@users.noreply.github.com> Signed-off-by: Radius CI Bot <radiuscoreteam@service.microsoft.com> Co-authored-by: Will <28876888+willtsai@users.noreply.github.com>
ytimocin
added a commit
that referenced
this pull request
Dec 5, 2025
* Update docs for v0.53.0 * update ACI deployment prereqs to add requirement for role on the subscription (#1595) * update ACI deployment prereqs to add requirement for role on the subscription Signed-off-by: Will Tsai <28876888+willtsai@users.noreply.github.com> * minor fix Signed-off-by: Will Tsai <28876888+willtsai@users.noreply.github.com> --------- Signed-off-by: Will Tsai <28876888+willtsai@users.noreply.github.com> * Down-Merge for SHA fix in actions (#1634) * ci(workflows): pin actions to full sha (#1598) * ci(workflows): pin actions to full sha Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> * ci(dependabot): add configuration for GitHub Actions updates Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> * ci(workflows): ensure deployment skips when secrets are missing Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> * fix(workflows): correct syntax for Azure DevOps token retrieval step Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> --------- Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> * fix: broken links (#1607) Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> * ci(workflows): enhance permissions for jobs (#1627) Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> --------- Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> Co-authored-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> * ci(deps): bump the all group with 5 updates (#1635) Bumps the all group with 5 updates: | Package | From | To | | --- | --- | --- | | [actions/stale](https://github.com/actions/stale) | `10.1.0` | `10.1.1` | | [actions/checkout](https://github.com/actions/checkout) | `6.0.0` | `6.0.1` | | [Azure/static-web-apps-deploy](https://github.com/azure/static-web-apps-deploy) | 
`4d27395796ac319302594769cfe812bd207490b1` | `1a947af9992250f3bc2e68ad0754c0b0c11566c9` | | [rojopolis/spellcheck-github-actions](https://github.com/rojopolis/spellcheck-github-actions) | `0.54.0` | `0.55.0` | | [actions/setup-node](https://github.com/actions/setup-node) | `6.0.0` | `6.1.0` | Updates `actions/stale` from 10.1.0 to 10.1.1 - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](actions/stale@5f858e3...9971854) Updates `actions/checkout` from 6.0.0 to 6.0.1 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@1af3b93...8e8c483) Updates `Azure/static-web-apps-deploy` from 4d27395796ac319302594769cfe812bd207490b1 to 1a947af9992250f3bc2e68ad0754c0b0c11566c9 - [Release notes](https://github.com/azure/static-web-apps-deploy/releases) - [Commits](Azure/static-web-apps-deploy@4d27395...1a947af) Updates `rojopolis/spellcheck-github-actions` from 0.54.0 to 0.55.0 - [Release notes](https://github.com/rojopolis/spellcheck-github-actions/releases) - [Changelog](https://github.com/rojopolis/spellcheck-github-actions/blob/master/CHANGELOG.md) - [Commits](rojopolis/spellcheck-github-actions@6f2326b...16d0338) Updates `actions/setup-node` from 6.0.0 to 6.1.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@2028fbc...395ad32) --- updated-dependencies: - dependency-name: actions/stale dependency-version: 10.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: actions/checkout dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: Azure/static-web-apps-deploy dependency-version: 1a947af9992250f3bc2e68ad0754c0b0c11566c9 dependency-type: direct:production dependency-group: 
all - dependency-name: rojopolis/spellcheck-github-actions dependency-version: 0.55.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: actions/setup-node dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Revert "ci(deps): bump the all group with 5 updates (#1635)" (#1641) This reverts commit 96761da. Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> * ci(dependabot): specify target branch (#1640) (#1642) Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> Co-authored-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> --------- Signed-off-by: Will Tsai <28876888+willtsai@users.noreply.github.com> Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Radius CI Bot <radiuscoreteam@service.microsoft.com> Co-authored-by: Will <28876888+willtsai@users.noreply.github.com> Co-authored-by: Yetkin Timocin <ytimocin@microsoft.com> Co-authored-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
RadoslavGatev
pushed a commit
to RadoslavGatev/docs-1
that referenced
this pull request
Dec 16, 2025
…cription (radius-project#1595) * update ACI deployment prereqs to add requirement for role on the subscription Signed-off-by: Will Tsai <28876888+willtsai@users.noreply.github.com> * minor fix Signed-off-by: Will Tsai <28876888+willtsai@users.noreply.github.com> --------- Signed-off-by: Will Tsai <28876888+willtsai@users.noreply.github.com> Signed-off-by: Radoslav Gatev <RadoslavGatev@users.noreply.github.com>
Thank you for helping make the Radius documentation better!
Please follow this checklist before submitting:
In addition, please fill out the following to help reviewers understand this pull request:
Description
This pull request updates the documentation for configuring Azure provider permissions when deploying Azure Container Instances (ACI) using Radius. The change clarifies the required roles for the Azure provider, making the setup instructions more accurate.
Documentation update for Azure provider permissions:
`Reader` role is needed on the subscription and the `Contributor` role is needed on the resource group, instead of requiring both `Contributor` and `Azure Container Instances Contributor` roles on both scopes. (docs/content/guides/author-apps/azure/howto-azure-container-instances/index.md)
Issue reference
N/A