Summary
Use this article to troubleshoot the LinkedAuthorizationFailed error when you create or deploy an Azure Kubernetes Service (AKS) cluster so you can complete the operation successfully.
Symptoms
When you try to create an AKS cluster, you receive the following error message:
```
Reconcile VNet failed.
Details: VNetReconciler retry failed:
Category: ClientError; SubCode: LinkedAuthorizationFailed;
Dependency: Microsoft.Network/virtualNetworks; OrginalError: Code="LinkedAuthorizationFailed"
Message="The client '12345678-1234-1234-1234-123456789098' with object id '123456789-1234-1234-1234-1234567890987' has permission to perform action 'Microsoft.Network/virtualNetworks/write' on scope '/subscriptions/<subscription-id-guid>/resourceGroups/MC_MyRG_westeurope/providers/Microsoft.Network/virtualNetworks/aks-vnet'; however, it does not have permission to perform action 'Microsoft.Network/ddosProtectionPlans/join/action' on the linked scope(s) '/subscriptions/<subscription-id-guid>/resourcegroups/ddos-protection-plan-rg/providers/microsoft.network/ddosprotectionplans/upmddosprotectionplan' or the linked scope(s) are invalid.";
AKSTeam: Networking, Retriable: false.
```
Cause
The cluster's service principal doesn't have permission to use a resource that cluster creation depends on. In the example, the service principal can write the virtual network in the MC_ resource group, but that network is linked to a DDoS protection plan in a different resource group, and the service principal isn't allowed to perform the join action on that plan.
Solution
Grant the service principal permissions to use the resource that's mentioned in the error message. The example output in the "Symptoms" section provides the following information.
| Item | Value |
|---|---|
| Service principal | 12345678-1234-1234-1234-123456789098 |
| Resource | /subscriptions/<subscription-id-guid>/resourcegroups/ddos-protection-plan-rg/providers/microsoft.network/ddosprotectionplans/upmddosprotectionplan |
| Operation | Microsoft.Network/ddosProtectionPlans/join/action |
For more information about how to grant permissions to the service principal, see Assign Azure roles using the Azure portal.
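As an added example (not part of the original article), the following Azure CLI script grants only the missing `Microsoft.Network/ddosProtectionPlans/join/action` permission, scoped to the DDoS protection plan named in the error, rather than a broad built-in role on the resource group. The identifiers are the placeholders from the error message, and the custom role name is hypothetical.

```shell
#!/usr/bin/env sh
# Added example: grant the AKS service principal the join action on the
# DDoS protection plan that the error message names as the linked scope.
# Placeholder values come from the error message; replace them with your own.
set -eu

SP_OBJECT_ID='123456789-1234-1234-1234-1234567890987'   # "object id" in the error
SUBSCRIPTION='<subscription-id-guid>'
DDOS_RG='ddos-protection-plan-rg'
DDOS_PLAN='upmddosprotectionplan'
ROLE_NAME='AKS DDoS Protection Plan Joiner'              # hypothetical custom role name

# Full resource ID of the plan; this is the "linked scope" from the error.
ddos_plan_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/ddosProtectionPlans/%s' "$1" "$2" "$3"
}

# Custom role limited to the single action that is missing, assignable only
# at the plan itself. (Network Contributor would also work but grants far more.)
join_role_definition() {
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "Join a DDoS protection plan to a virtual network",
  "Actions": [ "Microsoft.Network/ddosProtectionPlans/join/action" ],
  "NotActions": [],
  "AssignableScopes": [ "$1" ]
}
EOF
}

# Create the role, assign it by object ID (no directory lookup needed for a
# service principal), then list assignments at the scope to confirm the grant.
grant_ddos_join() {
  scope=$(ddos_plan_scope "$SUBSCRIPTION" "$DDOS_RG" "$DDOS_PLAN")
  join_role_definition "$scope" > /tmp/ddos-join-role.json
  az role definition create --role-definition @/tmp/ddos-join-role.json
  az role assignment create --assignee-object-id "$SP_OBJECT_ID" \
    --assignee-principal-type ServicePrincipal --role "$ROLE_NAME" --scope "$scope"
  az role assignment list --assignee "$SP_OBJECT_ID" --scope "$scope" --output table
}

# Only call Azure when explicitly requested, so the helpers can be sourced safely.
if [ "${1:-}" = "--apply" ]; then
  grant_ddos_join
fi
```

Run it with `--apply` from a session that is signed in with rights to create role definitions and assignments, then retry the cluster deployment.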