Janne Mattila

From programmer to programmer -- Programming just for the fun of it

"Error: The client ... has permission to perform action ... however, it does not have permission to perform action(s)..."

Posted on: May 20, 2025

Let’s go through a scenario where an AKS operator tries to upgrade a cluster, but the operation fails with the following error:

Failed to save Kubernetes service ‘aks-janne’.
Error: The client ‘…’ with object id ‘…’ has permission to perform action ‘Microsoft.ContainerService/managedClusters/write’ on scope ‘/…/Microsoft.ContainerService/managedClusters/aks-janne’;
however, it does not have permission to perform action(s) ‘Microsoft.OperationalInsights/workspaces/sharedkeys/read’ on the linked scope(s) ‘/…/Microsoft.OperationalInsights/workspaces/DefaultWorkspace-c7f…58c-SEC’ (respectively) or the linked scope(s) are invalid.

Unfortunately, this will prevent you from upgrading your cluster. Let me show when you might hit this problem.

Here are the steps that lead to that error message. First, I have access to the resource group that AKS is deployed in:

I have the Owner role assigned to me:

If I now select the upgrade and hit Save:

I’m getting the above error:

The error message hints that the operation tries to access a Log Analytics workspace, but I don’t have access to that workspace, and therefore the upgrade is blocked.

Let’s check the JSON View of our AKS resource:

Select the latest API version and then search for Defender:

The value of logAnalyticsWorkspaceResourceId is exactly the Log Analytics workspace named in the above error message.

It might be that Microsoft Defender for Containers has been deployed by another team, such as a platform engineering team, using Azure Policy:

And they have configured it to use a Log Analytics workspace that you don’t have access to:

As a quick workaround, you can disable the Defender sensor for the duration of your cluster upgrade. You can do that since you’re Owner of that resource. Not ideal, but it might be just enough to get you unblocked for the upgrade:

az aks update -n aks-janne -g rg-aks-workshop-janne --disable-defender

I’ve executed the above command in Cloud Shell:

Now if I check the logAnalyticsWorkspaceResourceId property, I can see it is no longer present in the resource JSON and securityMonitoring is not enabled:

Now I can execute the cluster upgrade:

Note that the policy’s deployIfNotExists effect will automatically deploy Defender again. This can be seen in the Activity log:
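As an added example (not code from the original post), here is a small Python helper that does the triage above programmatically: it parses the "linked scope" authorization error, reads securityProfile.defender from the AKS resource JSON, checks whether the linked scope the client is missing sharedkeys/read on is exactly the Defender workspace, and produces the commands to run. The error text and resource JSON are constructed samples modelled on the message above; the subscription id, object id, the resource group rg-platform-security and the workspace name law-platform-sec are placeholders, not values from the post.

```python
"""Correlate an AKS 'linked scope' authorization error with the cluster's
Defender for Containers settings. Added example; sample data is constructed."""
import json
import re

# Azure's authorization error lists missing actions and linked scopes
# positionally ("respectively"), so both are parsed as comma-separated lists.
LINKED_SCOPE_RE = re.compile(
    r"The client '(?P<client>[^']*)' with object id '(?P<oid>[^']*)' "
    r"has permission to perform action '(?P<action>[^']*)' on scope '(?P<scope>[^']*)'; "
    r"however, it does not have permission to perform action\(s\) '(?P<missing>[^']*)' "
    r"on the linked scope\(s\) '(?P<linked>[^']*)'"
)
# Resource ids are case-insensitive in Azure, hence IGNORECASE everywhere.
CLUSTER_SCOPE_RE = re.compile(
    r"/resourceGroups/(?P<rg>[^/]+)/providers/Microsoft\.ContainerService/"
    r"managedClusters/(?P<name>[^/]+)$",
    re.IGNORECASE,
)

# Constructed sample error (placeholder ids and names).
SAMPLE_ERROR = (
    "Error: The client 'janne@contoso.example' with object id "
    "'11111111-1111-1111-1111-111111111111' has permission to perform action "
    "'Microsoft.ContainerService/managedClusters/write' on scope "
    "'/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-aks-workshop-janne"
    "/providers/Microsoft.ContainerService/managedClusters/aks-janne'; "
    "however, it does not have permission to perform action(s) "
    "'Microsoft.OperationalInsights/workspaces/sharedkeys/read' on the linked scope(s) "
    "'/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-platform-security"
    "/providers/Microsoft.OperationalInsights/workspaces/law-platform-sec' "
    "(respectively) or the linked scope(s) are invalid."
)

# Constructed sample of the relevant part of the AKS resource JSON (JSON View).
SAMPLE_AKS_RESOURCE = json.loads("""{
  "name": "aks-janne",
  "properties": {
    "securityProfile": {
      "defender": {
        "logAnalyticsWorkspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-platform-security/providers/Microsoft.OperationalInsights/workspaces/law-platform-sec",
        "securityMonitoring": {"enabled": true}
      }
    }
  }
}""")


def parse_linked_scope_error(text):
    """Return the parsed error as a dict, or None if it is not a linked-scope error."""
    m = LINKED_SCOPE_RE.search(text)
    if not m:
        return None
    missing = [a.strip() for a in m.group("missing").split(",")]
    linked = [s.strip() for s in m.group("linked").split(",")]
    return {
        "client": m.group("client"),
        "object_id": m.group("oid"),
        "granted_action": m.group("action"),
        "scope": m.group("scope"),
        "missing": list(zip(missing, linked)),  # (action, linked scope) pairs
    }


def defender_workspace(aks_resource):
    """Workspace id Defender sends data to, or None when the sensor is disabled."""
    defender = ((aks_resource.get("properties") or {})
                .get("securityProfile", {}).get("defender") or {})
    enabled = (defender.get("securityMonitoring") or {}).get("enabled", False)
    return defender.get("logAnalyticsWorkspaceResourceId") if enabled else None


def diagnose(error_text, aks_resource):
    """Decide whether the Defender workspace is what blocks the write and suggest commands."""
    parsed = parse_linked_scope_error(error_text)
    workspace = defender_workspace(aks_resource)
    if parsed is None or workspace is None:
        return {"blocked_by_defender": False, "workspace": workspace, "commands": []}
    blocked = any(
        scope.lower() == workspace.lower()
        and action.lower().endswith("/workspaces/sharedkeys/read")
        for action, scope in parsed["missing"]
    )
    commands = []
    cluster = CLUSTER_SCOPE_RE.search(parsed["scope"])
    if blocked and cluster:
        rg, name = cluster.group("rg"), cluster.group("name")
        commands = [
            # Confirm what you actually hold on the workspace before touching the cluster.
            f"az role assignment list --assignee {parsed['object_id']} --scope {workspace} -o table",
            # Workaround from the post: drop the sensor, upgrade, let policy bring it back.
            f"az aks update -n {name} -g {rg} --disable-defender",
            f"az aks upgrade -n {name} -g {rg} --kubernetes-version <target-version>",
        ]
    return {"blocked_by_defender": blocked, "workspace": workspace, "commands": commands}


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_ERROR, SAMPLE_AKS_RESOURCE), indent=2))
```

Two caveats worth keeping in mind when acting on the output. First, the missing action is Microsoft.OperationalInsights/workspaces/sharedKeys/read, and the built-in Log Analytics Reader role lists exactly that action under its NotActions, so asking for "read" on the workspace will not fix this; the proper fix is a role that grants it (Log Analytics Contributor grants Microsoft.OperationalInsights/*) assigned by whoever owns the workspace. Second, when the deployIfNotExists policy re-enables Defender after the upgrade, that remediation runs under the policy assignment's managed identity, which is why it succeeds on a workspace your own account cannot read.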

This workaround might get you unblocked, but hopefully this gets improved so that you won’t need it anymore.