This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 53%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
We see the following K8s event:
Note: AttachVolume.Attach failed for volume "pvc-xxxxxxxx" : rpc error: code = Internal desc = Attach volume /subscriptions/xxxxxxxx/resourceGroups/xxxxxxx-aksmanaged/providers/Microsoft.Compute/disks/pvc-xxxxxxxx to instance aks-sys-xxxxxxxx-vmss000000 failed with PUT http://localhost:7788/subscriptions/xxxxxxx/resourceGroups/xxxxxxx-aksmanaged/providers/Microsoft.Compute/virtualMachineScaleSets/aks-sys-xxxxxxxx-vmss/virtualMachines/0
RESPONSE 403: 403 Forbidden ERROR CODE: LinkedAuthorizationFailed
{ "error": { "code": "LinkedAuthorizationFailed", "message": "The client 'xxxxxxx' with object id 'xxxxxxx' has permission to perform action 'Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write' on scope /subscriptions/xxxxxxxx-f8f7-4b
Question: How can we see the full "error" message? The interesting part is cut and we cannot evaluate the real problem
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 80%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Hi @Chalvatzis, Michael ,
The error "LinkedAuthorizationFailed" with a 403 Forbidden response occurs when the AKS control plane's managed identity lacks permissions to attach the Azure disk (pvc-xxxxxxxx) to the VMSS instance in the aks-sys-xxxxxxxx-vmss scale set.
Root Cause
AKS uses a managed identity for CSI driver operations on managed disks. The client (object ID xxxxxxx) is denied the 'Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write' action on the VMSS scope due to missing role assignment.
Here are some troubleshooting steps you can try:
Grant the required role to the AKS cluster's identity on the MC_ resource group (xxxxxxx-aksmanaged):
az aks show --resource-group xxxxxxx --name <aks-cluster-name> --query "identityProfile.kubeletidentity.objectId" -o tsv
az role assignment create --assignee <principal-id> --role "Virtual Machine Contributor" --scope /subscriptions/xxxxxxxx/resourceGroups/xxxxxxx-aksmanaged.
az role assignment list --scope /subscriptions/xxxxxxxx/resourceGroups/xxxxxxx-aksmanaged --assignee <principal-id>.kubectl describe pod.Note: Ensure disks are created in the node resource group (not MC_) or use AKS-managed identity with Contributor on both MC_ and disk RGs during cluster upgrades.
Documents:
I hope the above helps. Please let us know if you have any further questions on this.
Thank You!
Hi,
thank you for your reply, but I would like to point out, that your statement:
"AKS uses a managed identity for CSI driver operations on managed disks. The client (object ID xxxxxxx) is denied the 'Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write' action on the VMSS scope due to missing role assignment."
is not correct!
As I wrote, the event Note states that the used client has the permission to write, but the note gets cut and I do not understand where the issue is...
"error": "code": "LinkedAuthorizationFailed", "message": "The client 'xxxxxxx' with object id 'xxxxxxx' has permission to perform action Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write' on scope /subscriptions/xxxxxxxx-f8f7-4b ... (this part is missing!)
We use a userdefinedManagedIdentity. Might this cause trouble with the cost-analyzer?
Hi @Chalvatzis, Michael ,
Yes, using a User-Assigned Managed Identity (UAMI) can lead to a LinkedAuthorizationFailed error if the identity lacks the necessary permissions on all linked resources required for the operation, such as VMSS, disks, network, resource group, or subscription. This issue can also affect tools like a cost analyzer if they initiate ARM operations that need access across multiple resources.
LinkedAuthorizationFailed is an Azure RBAC error that appears when:
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write) on the VMSS scope.Microsoft.ManagedIdentity/userAssignedIdentities/assign/action when a VMSS attaches a user-assigned identity.Because you are using a user‑defined (user‑assigned) managed identity, the VMSS update or write operation usually needs:
Cost analyzers or automation that scale or modify the VMSS on your behalf will fail if the identity they run as does not have both sets of permissions; the identity type (user-assigned vs system-assigned) is not the fundamental problem, the missing RBAC access is.
Minimal setup that usually fixes this
On the VMSS (or its resource group):
Assign role: Virtual Machine Contributor
Principal: the identity used by the cost‑analyzer.
On the user‑assigned managed identity resource:
Assign role: Managed Identity Operator
Principal: the same identity used by the cost‑analyzer.
Documents:
Troubleshoot the LinkedAuthorizationFailed error code
I hope the above helps. Please let us know if you have any further questions on this.
Thank You!!
The issue could be fixed by adding a missing role assignment (at least "Reader") for the UserAssginedManageIdentity to the ressource group, where the AKS ressource was defined.
That was missing :-(
As usual, a stupid misconfiguration.