Agentless, cloud-native backup for Microsoft Azure
S.Net
Enthusiast
Posts: 86
Liked: 2 times
Joined: Dec 10, 2012 2:06 pm
Full Name: S.Net

Unable Create Service Account

Post by S.Net » 1 person likes this post

I'm trying to create the Service Account from the Azure appliance, but every time I receive this message:

Specified account must be assigned a built-in Contributor role or custom role with similar permissions to the subscription scope to work with the subscription Microsoft Azure . Missing permissions: Microsoft.Compute/galleries/share/action

The user is Owner, so I don't understand why there's this error. The application in Azure AD was created, and even if I try to use the existing application, the error is the same.

Any clue?
Mike Resseler
Product Manager
Posts: 8191
Liked: 1322 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium

Re: Unable Create Service Account

Post by Mike Resseler »

Hey @s.net

It seems that there are suddenly some changes on the MSFT side that break our “permissions” logic. It doesn't seem to be documented yet. Could you please create a support call and post the case ID here?

Thanks
Mike
S.Net

Re: Unable Create Service Account

Post by S.Net »

04493913
abel.laime
Influencer
Posts: 13
Liked: 1 time
Joined: Nov 13, 2020 2:53 pm
Full Name: Abel Laime

Re: Unable Create Service Account

Post by abel.laime »

Hi,
I have the same problem too.
What is the solution?
Thanks
Abel Laime |

Technical Engineer Microsoft Cloud Datacenter Management
giupeppe1984
Lurker
Posts: 1
Liked: 1 time
Joined: Nov 13, 2020 9:20 pm
Full Name: Giuseppe De Leo

Re: Unable Create Service Account

Post by giupeppe1984 » 1 person likes this post

Hi support,
I have the same problem too!
Is there a solution?!

Best Regards
veremin
Product Manager
Posts: 20406
Liked: 2298 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Unable Create Service Account

Post by veremin »

The issue has not been resolved yet, so, Abel and Giuseppe, kindly open your own tickets with our support team. Thanks!
S.Net

Re: Unable Create Service Account

Post by S.Net »

So there's something between Veeam and Azure....good...
abel.laime

Re: Unable Create Service Account

Post by abel.laime »

I already made the ticket, I await a prompt response.
Thanks.
melzisme
Lurker
Posts: 1
Liked: 1 time
Joined: Nov 16, 2020 10:47 am
Full Name: Melvin W

Re: Unable Create Service Account

Post by melzisme » 1 person likes this post

gosh.. i thought i was the only one having such issue until i saw this.
gonna log a ticket as well.
abel.laime

Re: Unable Create Service Account

Post by abel.laime »

In my case the error appeared last week, it is a relatively new error.
atsrl
Service Provider
Posts: 77
Liked: 11 times
Joined: Jul 08, 2016 1:58 pm
Full Name: AT SRL

Re: Unable Create Service Account

Post by atsrl »

Same issue too.
Case open: #04498450
abel.laime

Re: Unable Create Service Account

Post by abel.laime »

Hi,
I got a reply, but the error persists.
The idea is to create the app registration manually in the Azure portal and then, during the installation of the service account in Veeam Backup for Azure, select "Create an Azure account in VB using this application" (choose "specify existing service account" in the wizard).
The error that appears is the same as always.
"Specified account must be assigned a built-in Contributor role or custom role with similar permissions to the subscription scope to work with the subscription Microsoft Azure . Missing permissions: Microsoft.Compute/galleries/share/action"
:cry:
atsrl

Re: Unable Create Service Account

Post by atsrl »

hi abel.laime, thanks for sharing.
Prior to opening the support ticket we tried this way too, but as you say the error persists.
abel.laime

Re: Unable Create Service Account

Post by abel.laime »

Friends, the problem is already solved.
I thank Veeam support for the attention and effectiveness in solving the incident.
The problem was due to the Azure AD API and Veeam Backup for Azure: it could not register the app automatically in the Azure portal, and that caused the roles and permissions error.
On the VBAZ OS (Linux), connect by SSH and verify the veeamazurebackup service; it has to be up.
Then perform the manual registration of the app, and continue with the installation of the service account in Veeam Backup for Azure, selecting "Create an Azure account in VB using this application" (choose "specify existing service account" in the wizard).
* In the event that this does not work, you must install a .deb package for Ubuntu 18.04. This package was sent by Veeam support.
* To run this package, it must be downloaded and unzipped on the VBAZ OS and installed with "apt-get install /<directory of the unzipped package>", example: sudo apt-get install /tmp/veeamazurebackup_xxxxxxx.deb
* Finally, check the status of the service, example: "systemctl status veeamazurebackup".
I hope it is useful for the Veeam community on Azure.
I am available to help anyone who requires it, please write privately.
bye
:D
atsrl

Re: Unable Create Service Account

Post by atsrl » 1 person likes this post

Hi abel.laime.
Veeam provided us with the same solution, and it works perfectly!
Thanks!
jabettan
Lurker
Posts: 1
Liked: never
Joined: Oct 19, 2016 4:49 pm
Full Name: jason abettan

Re: Unable Create Service Account

Post by jabettan »

I was having the same issue and was able to solve it with a custom role applied to the service account.
Following is the JSON for the role.
The line "Microsoft.Compute/galleries/share/action" is the most important change and is currently not documented as a requirement in Veeam's KB:

{
	"properties":{
		"roleName":"Veeam Backup Role",
		"description":"https://www.veeam.com/kb3154",
		"assignableScopes":[
			"/subscriptions/ENTER-THE-REAL-SUB-ID-HERE"
		],
		"permissions":[
			{
				"actions":[
					"Microsoft.Compute/snapshots/delete",
					"Microsoft.Compute/snapshots/write",
					"Microsoft.Compute/snapshots/read",
					"Microsoft.Compute/virtualMachines/read",
					"Microsoft.Compute/virtualMachines/write",
					"Microsoft.Compute/virtualMachines/delete",
					"Microsoft.Compute/disks/read",
					"Microsoft.Compute/disks/delete",
					"Microsoft.Compute/disks/write",
					"Microsoft.Resources/subscriptions/resourceGroups/read",
					"Microsoft.Resources/subscriptions/resourceGroups/write",
					"Microsoft.Resources/subscriptions/resourceGroups/delete",
					"Microsoft.Storage/storageAccounts/write",
					"Microsoft.Storage/storageAccounts/read",
					"Microsoft.Storage/storageAccounts/delete",
					"Microsoft.Compute/galleries/share/action"
				],
				"notActions":[],
				"dataActions":[],
				"notDataActions":[]
			}
		]
	}
}
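Two things in the posts above are easy to get wrong by hand: copying the operation names out of the error text into the role, and leaving a placeholder such as ENTER-THE-REAL-SUB-ID-HERE in assignableScopes, which Azure rejects. The script below is an added example, not Veeam's or Microsoft's code: it parses the "Missing permissions:" list out of an error message of the shape quoted in this thread, adds those operations to a role definition without duplicating entries, and checks the file before it is submitted with `az role definition create --role-definition @role.json`. The error text and the cut-down role are constructed from the posts above; the subscription GUID is a dummy value.

```python
"""Patch a custom role definition with the operations a 'Missing
permissions:' error lists, then sanity-check it before submitting it with
`az role definition create --role-definition @role.json`.

Added example, not Veeam's or Microsoft's code. Assumes the error text keeps
the shape quoted in this thread: free text, then 'Missing permissions:' and
a comma-separated list of operation names on the same line.
"""
import copy
import json
import re

# Provider.Namespace/segment[/segment...]; '*' allowed in a segment. Azure
# compares operation names case-insensitively, so no case check here.
_ACTION_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*\.[A-Za-z][A-Za-z0-9]*(?:/[A-Za-z0-9*]+)+$")
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def parse_missing(message: str) -> list:
    """Operation names after 'Missing permissions:' (up to the end of that line)."""
    m = re.search(r"Missing permissions:\s*([^\r\n]+)", message, flags=re.IGNORECASE)
    if not m:
        return []
    return [op.strip().rstrip(".") for op in m.group(1).split(",") if op.strip()]


def merge_into_role(role: dict, ops: list, data_plane: bool = False) -> dict:
    """Copy of `role` with `ops` added to actions (or dataActions) of every
    permission block. Exact duplicates are skipped case-insensitively; whether
    an existing wildcard already covers an op is deliberately not inferred."""
    patched = copy.deepcopy(role)
    key = "dataActions" if data_plane else "actions"
    for block in patched["properties"]["permissions"]:
        present = {entry.lower() for entry in block.setdefault(key, [])}
        for op in ops:
            if op.lower() not in present:
                block[key].append(op)
                present.add(op.lower())
    return patched


def validate_role(role: dict) -> list:
    """Problems that would make Azure reject the file or make it useless.
    The scope check is narrower than Azure's (subscription scopes only)."""
    problems = []
    props = role.get("properties", {})
    if not props.get("roleName", "").strip():
        problems.append("roleName is empty")
    scopes = props.get("assignableScopes", [])
    if not scopes:
        problems.append("assignableScopes is empty")
    for scope in scopes:
        parts = scope.strip("/").split("/")
        if len(parts) < 2 or parts[0] != "subscriptions" or not _GUID_RE.match(parts[1]):
            problems.append(f"assignableScopes entry is not /subscriptions/<GUID>: {scope}")
    for block in props.get("permissions", []):
        for key in ("actions", "notActions", "dataActions", "notDataActions"):
            for op in block.get(key, []):
                if op != "*" and not _ACTION_RE.match(op):
                    problems.append(f"{key}: malformed operation name {op!r}")
    return problems


def prepare(role: dict, error_text: str, subscription_id: str) -> tuple:
    """Patch with the error's missing operations, pin the scope, validate."""
    patched = merge_into_role(role, parse_missing(error_text))
    patched["properties"]["assignableScopes"] = [f"/subscriptions/{subscription_id}"]
    return patched, validate_role(patched)


# Constructed sample: the error text quoted in this thread and a cut-down copy
# of the role posted above, still carrying its placeholder subscription ID.
ERROR_TEXT = ("Specified account must be assigned a built-in Contributor role or custom "
              "role with similar permissions to the subscription scope to work with the "
              "subscription Microsoft Azure . Missing permissions: "
              "Microsoft.Compute/galleries/share/action")
BASE_ROLE = {"properties": {
    "roleName": "Veeam Backup Role",
    "description": "https://www.veeam.com/kb3154",
    "assignableScopes": ["/subscriptions/ENTER-THE-REAL-SUB-ID-HERE"],
    "permissions": [{
        "actions": ["Microsoft.Compute/snapshots/read",
                    "Microsoft.Compute/snapshots/write",
                    "Microsoft.Compute/virtualMachines/read"],
        "notActions": [], "dataActions": [], "notDataActions": []}]}}

if __name__ == "__main__":
    print("as posted:", validate_role(BASE_ROLE))
    # dummy GUID; substitute the real subscription ID
    role, problems = prepare(BASE_ROLE, ERROR_TEXT, "00000000-0000-0000-0000-000000000000")
    print("after patch:", problems or "ok")
    print(json.dumps(role, indent=2))  # this is what goes into role.json
```

The script only adds the exact names the error lists; deciding whether an operation belongs under actions or dataActions (the `data_plane` flag) is left to the caller, because that depends on the resource provider, not on the error text.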
sukpdg
Lurker
Posts: 1
Liked: never
Joined: Nov 26, 2020 8:10 am
Full Name: Paul Green

Re: Unable Create Service Account

Post by sukpdg »

Same issue here.
Case # 04514536
DanielSch
Novice
Posts: 3
Liked: never
Joined: Aug 30, 2016 7:59 am

Re: Unable Create Service Account

Post by DanielSch »

Same issue for me.
Veeam support told me that there is no hotfix needed, but I think I need the deb package too.
Case # 04516308
victor.rios
Lurker
Posts: 1
Liked: 1 time
Joined: Dec 01, 2020 3:48 pm
Full Name: Victor Rios

Re: Unable Create Service Account

Post by victor.rios » 1 person likes this post

I got the same error in the last step. The way I solved it was by creating a custom role on the subscription (Subscription -> Access control (IAM) -> Add -> Add custom role). Set the information in the Basics tab, and in the Permissions tab click Add permissions. Type Microsoft.Compute/galleries/share/action in the search box and click on the Microsoft Compute result. Tick Other: Share Gallery. Review + create.
In the Check access tab select Add role assignment. Click on the role just created and in the Select box search for "veeambackup" (this is the application name created for the Veeam wizard) and save. Next, in the Veeam wizard click Finish, and it worked.
eeberg
Veeam Software
Posts: 48
Liked: 20 times
Joined: Apr 28, 2020 3:01 pm
Full Name: Eric Ellenberg
Location: Atlanta, GA, USA

Re: Unable Create Service Account

Post by eeberg » 3 people like this post

We've made a short video that walks you through the process of creating your own service account (app registration, role, registration). Located here: https://veeam.wistia.com/medias/ptm9bmf61z
Solutions Architect, Enterprise Applications | Product Management, Alliances | Veeam Software
jgrote
Influencer
Posts: 13
Liked: 4 times
Joined: Jul 13, 2010 12:14 am
Full Name: Justin Grote

Re: Unable Create Service Account

Post by jgrote »

I created a powershell function to automate the process
https://gist.github.com/JustinGrote/6cc ... 88735a1a5f
jgrote

Re: Unable Create Service Account

Post by jgrote »

Also related: it appears in the logs that you can no longer do a "least privilege" account, it is explicitly looking for "*" (all permissions).

1/4/2021 10:12:44 PM 10 (1) Warning: Missing permissions: *

And then tells me I need a contributor equivalent role. That's totally unacceptable from a security standpoint, please allow this to be scoped to a custom role that isn't just Contributor with another name (as your video shows), that doesn't count...
arnaud.rigole
Lurker
Posts: 1
Liked: never
Joined: Apr 15, 2021 6:43 am

Re: Unable Create Service Account

Post by arnaud.rigole »

Hi everyone,

Issue still present in 2022!
I followed the KB https://www.veeam.com/kb3154 and this thread; here is my JSON custom role definition:

{
    "id": "/subscriptions/[redacted]",
    "properties": {
        "roleName": "[redacted]",
        "description": "",
        "assignableScopes": [
            "/subscriptions/[redacted]",
            "/subscriptions/[redacted]",
            "/subscriptions/[redacted]",
            "/subscriptions/[redacted]"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.Authorization/*/write",
                    "Microsoft.Commerce/RateCard/read",
                    "Microsoft.Compute/galleries/share/action",
                    "Microsoft.Compute/disks/beginGetAccess/action",
                    "Microsoft.Compute/disks/delete",
                    "Microsoft.Compute/disks/endGetAccess/action",
                    "Microsoft.Compute/disks/read",
                    "Microsoft.Compute/disks/write",
                    "Microsoft.Compute/snapshots/beginGetAccess/action",
                    "Microsoft.Compute/snapshots/delete",
                    "Microsoft.Compute/snapshots/endGetAccess/action",
                    "Microsoft.Compute/snapshots/read",
                    "Microsoft.Compute/snapshots/write",
                    "Microsoft.Compute/virtualMachines/deallocate/action",
                    "Microsoft.Compute/virtualMachines/delete",
                    "Microsoft.Compute/virtualMachines/extensions/read",
                    "Microsoft.Compute/virtualMachines/extensions/write",
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/runCommand/action",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/write",
                    "Microsoft.DevTestLab/Schedules/write",
                    "Microsoft.Network/networkInterfaces/delete",
                    "Microsoft.Network/networkInterfaces/join/action",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Network/networkInterfaces/write",
                    "Microsoft.Network/networkSecurityGroups/join/action",
                    "Microsoft.Network/networkSecurityGroups/read",
                    "Microsoft.Network/publicIPAddresses/join/action",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Network/publicIPAddresses/delete",
                    "Microsoft.Network/publicIPAddresses/write",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/virtualNetworks/subnets/join/action",
                    "Microsoft.Network/virtualNetworks/write",
                    "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action",
                    "Microsoft.Resources/subscriptions/resourceGroups/delete",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/write",
                    "Microsoft.ServiceBus/namespaces/queues/authorizationRules/ListKeys/action",
                    "Microsoft.ServiceBus/namespaces/queues/authorizationRules/read",
                    "Microsoft.ServiceBus/namespaces/queues/authorizationRules/write",
                    "Microsoft.ServiceBus/namespaces/queues/delete",
                    "Microsoft.ServiceBus/namespaces/queues/read",
                    "Microsoft.ServiceBus/namespaces/queues/write",
                    "Microsoft.ServiceBus/namespaces/read",
                    "Microsoft.ServiceBus/namespaces/write",
                    "Microsoft.ServiceBus/register/action",
                    "Microsoft.Sql/locations/*",
                    "Microsoft.Sql/managedInstances/databases/delete",
                    "Microsoft.Sql/managedInstances/databases/read",
                    "Microsoft.Sql/managedInstances/databases/write",
                    "Microsoft.Sql/managedInstances/encryptionProtector/read",
                    "Microsoft.Sql/managedInstances/read",
                    "Microsoft.Sql/servers/databases/azureAsyncOperation/read",
                    "Microsoft.Sql/servers/databases/read",
                    "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
                    "Microsoft.Sql/servers/databases/usages/read",
                    "Microsoft.Sql/servers/databases/write",
                    "Microsoft.Sql/servers/databases/delete",
                    "Microsoft.Sql/servers/elasticPools/read",
                    "Microsoft.Sql/servers/read",
                    "Microsoft.Sql/servers/databases/syncGroups/read",
                    "Microsoft.Sql/servers/encryptionProtector/read",
                    "Microsoft.Storage/storageAccounts/blobServices/read",
                    "Microsoft.Storage/storageAccounts/listKeys/action",
                    "Microsoft.Storage/storageAccounts/managementPolicies/write",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Storage/storageAccounts/write",
                    "Microsoft.Authorization/roleDefinitions/write",
                    "Microsoft.Compute/diskEncryptionSets/read",
                    "Microsoft.KeyVault/vaults/read",
                    "Microsoft.KeyVault/vaults/keys/versions/read",
                    "Microsoft.KeyVault/vaults/deploy/action",
                    "Microsoft.KeyVault/vaults/keys/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
The Veeam logs (/var/log/veeam) show:

Warning: Missing permissions: Microsoft.KeyVault/vaults/keys/read, Microsoft.KeyVault/vaults/keys/encrypt/action, Microsoft.KeyVault/vaults/keys/decrypt/action
[28.01.2022 17:35:16]   11 (1) Error: An exception occurred at /api/v3/accounts/azure/service/listSubscriptionsByApp, trace ID:[redacted]. Specified account must be assigned a Veeam Service Account role, Contributor with Key Vault Crypto Officer role, or a custom role with similar permissions to the subscription scope to work with the subscription [redacted] ([redacted])
The mentioned /keys/encrypt/action and /keys/decrypt/action don't even exist in Azure RBAC!

How did you guys get this done...?
Thanks!
Vitaliy S.
VP, Product Management
Posts: 27377
Liked: 2800 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Unable Create Service Account

Post by Vitaliy S. »

Hi Arnaud,

I see that you didn't specify any dataActions, as it is advised in the User Guide page over here. Can you do that and let us know if that helps?

Thanks!
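A check that can be run offline, before another round-trip through the wizard: the script below is an added example (not Veeam's or Microsoft's code) that evaluates a role definition the way Azure RBAC does, wildcard entries and notActions included, against the list of operations a tool says it needs. It shows three things from this thread: why the role posted above still fails on the Key Vault key operations (they are data-plane operations, listed in the built-in Key Vault Crypto User role's DataActions, so they only count when placed under dataActions, which is the point of the reply above); why a role that passes a "Contributor or similar" check can still lack Microsoft.Compute/galleries/share/action (the built-in Contributor definition lists that operation under NotActions); and why a required entry of "*", as in the log line quoted earlier in the thread, can only be satisfied by a role whose actions contain a literal "*". The role snippets and required lists are constructed for the example.

```python
"""Evaluate an Azure custom role definition against required operations,
offline, using RBAC matching rules. Added example, not Veeam's or Microsoft's.

Rules modelled:
  * operation names compare case-insensitively;
  * '*' inside an entry matches any characters, '/' included;
  * an operation is granted when some entry in the allow list matches it and
    no entry in the deny list does;
  * control-plane operations are checked only against actions/notActions,
    data-plane operations only against dataActions/notDataActions.
"""
import re


def op_matches(pattern: str, op: str) -> bool:
    """RBAC-style wildcard match: '*' means 'anything', the rest is literal."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, op, flags=re.IGNORECASE) is not None


def is_granted(op: str, allow: list, deny: list) -> bool:
    return any(op_matches(p, op) for p in allow) and not any(op_matches(p, op) for p in deny)


def missing_permissions(role: dict, required: list, required_data: list = None) -> tuple:
    """Return (missing control-plane ops, missing data-plane ops)."""
    blocks = role["properties"]["permissions"]

    def gather(key):
        return [entry for block in blocks for entry in block.get(key, [])]

    allow, deny = gather("actions"), gather("notActions")
    data_allow, data_deny = gather("dataActions"), gather("notDataActions")
    missing = [op for op in required if not is_granted(op, allow, deny)]
    missing_data = [op for op in (required_data or []) if not is_granted(op, data_allow, data_deny)]
    return missing, missing_data


# Constructed samples. CUSTOM_ROLE is a cut-down version of the role posted
# above: the Key Vault key read sits under actions, as in that post.
CUSTOM_ROLE = {"properties": {"roleName": "example", "permissions": [{
    "actions": [
        "Microsoft.Compute/galleries/share/action",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Sql/locations/*",
        "Microsoft.Authorization/*/write",
        "Microsoft.KeyVault/vaults/keys/read",
    ],
    "notActions": [], "dataActions": [], "notDataActions": []}]}}

# Same role with the three Key Vault key operations placed under dataActions.
CUSTOM_ROLE_FIXED = {"properties": {"roleName": "example-fixed", "permissions": [{
    "actions": list(CUSTOM_ROLE["properties"]["permissions"][0]["actions"]),
    "notActions": [],
    "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/decrypt/action",
    ],
    "notDataActions": []}]}}

# Shape of the built-in Contributor role: '*' minus a NotActions list. The
# real definition's NotActions is longer; the three shown are in it.
CONTRIBUTOR_LIKE = {"properties": {"roleName": "contributor-like", "permissions": [{
    "actions": ["*"],
    "notActions": [
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Compute/galleries/share/action",
    ],
    "dataActions": [], "notDataActions": []}]}}

# Operations to check: a constructed control-plane set and the three
# data-plane Key Vault operations from the log line quoted above.
REQUIRED = [
    "Microsoft.Compute/galleries/share/action",
    "Microsoft.Compute/virtualMachines/extensions/read",
    "Microsoft.Sql/locations/usages/read",
]
REQUIRED_DATA = [
    "Microsoft.KeyVault/vaults/keys/read",
    "Microsoft.KeyVault/vaults/keys/encrypt/action",
    "Microsoft.KeyVault/vaults/keys/decrypt/action",
]

if __name__ == "__main__":
    for name, role in [("custom", CUSTOM_ROLE), ("custom-fixed", CUSTOM_ROLE_FIXED),
                       ("contributor-like", CONTRIBUTOR_LIKE)]:
        print(name, missing_permissions(role, REQUIRED, REQUIRED_DATA))
    # A check that demands '*' itself is satisfied only by a literal '*' entry.
    print("'*' via Microsoft.Compute/*:", is_granted("*", ["Microsoft.Compute/*"], []))
    print("'*' via '*':", is_granted("*", ["*"], []))
```

Feed it the role JSON you intend to submit and the operation list from the log line; anything reported as missing on the data-plane side is a candidate for dataActions, not for another entry under actions. The matcher is a model of the documented evaluation rules, not a call to Azure, so a clean result here still needs the assignment to exist on the subscription the appliance is checking.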
michelkeus
Novice
Posts: 5
Liked: never
Joined: Nov 28, 2016 10:27 am
Full Name: Michel Keus

Re: Unable Create Service Account

Post by michelkeus »

Hi Vitaliy,

I ran into a similar issue to Arnaud's, with required permissions that are listed neither in KB3154 nor in the VBA documentation. Everything was working fine for me until I installed updates today. Now I am trying to fix things again but still running into the error: "Specified account must be assigned a Veeam Service Account role, Contributor with Key Vault Crypto Officer role, or a custom role with similar permissions to the subscription scope to work with the subscription XXX (xxxx)"

Apart from not being a happy customer at the moment I am not happy with the application requesting the following additional permissions:
- Microsoft.Network/virtualNetworks/delete
- Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read

No way in hell am I allowing this application to delete VNETs in production. Not if I am feeling a little bit like a beta-tester at this point.

Update:
I see that the "new permissions" are part of this:
Workers
Permissions for deleting networks belonging to workers configuration are not granted to the Azure account by default.
If I specify a VNET + subnet, Veeam should NEVER have the opportunity to delete the entire VNET; especially if one does not know if a VNET is dedicated or not. This permission is quite excessive.
Vitaliy S.

Re: Unable Create Service Account

Post by Vitaliy S. »

Hi Michel,

Thanks for bringing this up! We can make this permission optional, but you will need to clean up the networks if/when workers are no longer used. Would that be an acceptable solution we can implement in vNext?

Thanks!
Vitaliy S.

Re: Unable Create Service Account

Post by Vitaliy S. »

A quick update to this > we decided to re-package the 3a release and remove the logic of requiring some permissions that might be "too much" for you to assign the backup service account. Right now the account will be created in any case, but it will be up to you if you want to assign those permissions or do the "clean-up" in the production manually. Thanks for your feedback, guys!
ortec-RW
Enthusiast
Posts: 44
Liked: 7 times
Joined: May 04, 2016 1:39 pm
Full Name: Richard Willkomm

Re: Unable Create Service Account

Post by ortec-RW »

Sorry to dig up this old-ish thread.

Is there any chance someone, preferably from Veeam, can share the up-to-date JSON file for the Service Account permissions? For the re-packaged 3e release.
I cannot use the installer to create the service account and permissions for me, due to the way our tenant is set up with its subscriptions and my admin permissions. So instead I need to prepare the service account via an Azure app registration beforehand and assign the permissions with a JSON. Our Veeam for Azure doesn't work and I'd like to rule out any possible causes.

Or can we confirm the JSON posted by Arnaud on Jan 28th is the correct one ?

Greets
Richard
Vitaliy S.

Re: Unable Create Service Account

Post by Vitaliy S. »

Richard,

The JSON in the documentation must be already up-to-date > Azure Service Account Permissions. Please let us know if you're able to register the account with these instructions or not.

Thanks!
ortec-RW

Re: Unable Create Service Account

Post by ortec-RW »

Hi Vitaly

I managed to use a JSON with the permissions in the documentation. And that JSON seemed to provide the proper permissions. Not sure why it didn't work before, but Veeam for Azure now works.

A suggestion though. Just provide the JSON as a downloadable file somewhere, but also explain how to use it, step by step. I'm not a JSON expert, and I don't expect to ever become one. It's perhaps the 2nd time I've ever used it. I had to Google around to understand how you can use it to create a custom role in Azure. Once you've seen it happen, it all makes sense and is very easy. But if you've never seen it, you don't know what the hell it means. Especially for us old-time on-premise nerds. It's like explaining riding a bicycle to someone who's never even seen one.

The other option, having the installer create the permissions for you, only works if your Azure account is allowed to create App Registrations in Azure AD and at the same time manage the subscription where Veeam Backup for Azure is to be deployed, all in one account. This is often not the case. In a test Azure tenant you often have everything in one subscription, but in a large company that uses the Cloud Adoption Framework (CAF), for instance, the subscriptions are separate. And they use PIM and MFA. Your only option is to use the JSON, and I actually prefer it now that I know how to use it.

Thanks for the help.

Greetz
Richard