Agentless, cloud-native backup for Microsoft Azure
Post Reply
S.Net
Enthusiast
Posts: 81
Liked: 2 times
Joined: Dec 10, 2012 2:06 pm
Full Name: S.Net
Contact:

Unable Create Service Account

Post by S.Net » 1 person likes this post

I'm trying to create the Service Account from Azure appliance but I receive everytime this message

Specified account must be assigned a built-in Contributor role or custom role with similar permissions to the subscription scope to work with the subscription Microsoft Azure . Missing permissions: Microsoft.Compute/galleries/share/action

The user is Owner so I don't understand why there's this error....the Application in Azure AD was created and even I try to use the existing application, the error is the same.

Any clue?

Mike Resseler
Product Manager
Posts: 6493
Liked: 816 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Unable Create Service Account

Post by Mike Resseler »

Hey @s.net

It seems that there are suddenly some changes on the MSFT side that break our “permissions” logic. It seems to be not documented yet. Could you please create a support call and post the case ID here?

Thanks
Mike

S.Net
Enthusiast
Posts: 81
Liked: 2 times
Joined: Dec 10, 2012 2:06 pm
Full Name: S.Net
Contact:

Re: Unable Create Service Account

Post by S.Net »

04493913

abel.laime
Novice
Posts: 7
Liked: never
Joined: Nov 13, 2020 2:53 pm
Full Name: Abel Laime
Contact:

Re: Unable Create Service Account

Post by abel.laime »

Hi,
I have the same problem too.
¿What is the solution?
Thanks
Abel Laime |

Technical Engineer Microsoft Cloud Datacenter Management

giupeppe1984
Lurker
Posts: 1
Liked: 1 time
Joined: Nov 13, 2020 9:20 pm
Full Name: Giuseppe De Leo
Contact:

Re: Unable Create Service Account

Post by giupeppe1984 » 1 person likes this post

Hi support,
me too the same problem!
It's a solution?!

Best Regards

veremin
Product Manager
Posts: 18005
Liked: 1717 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Unable Create Service Account

Post by veremin »

The issue has not been resolved yet, so, Abel and Giusseppe, kindly, open your own tickets with our support team. Thanks!

S.Net
Enthusiast
Posts: 81
Liked: 2 times
Joined: Dec 10, 2012 2:06 pm
Full Name: S.Net
Contact:

Re: Unable Create Service Account

Post by S.Net »

So there's something between Veeam and Azure....good...

abel.laime
Novice
Posts: 7
Liked: never
Joined: Nov 13, 2020 2:53 pm
Full Name: Abel Laime
Contact:

Re: Unable Create Service Account

Post by abel.laime »

I already made the ticket, I await a prompt response.
Thanks.
Abel Laime |

Technical Engineer Microsoft Cloud Datacenter Management

melzisme
Lurker
Posts: 1
Liked: 1 time
Joined: Nov 16, 2020 10:47 am
Full Name: Melvin W
Contact:

Re: Unable Create Service Account

Post by melzisme » 1 person likes this post

gosh.. i thought i was the only one having such issue until i saw this.
gonna log a ticket as well.

abel.laime
Novice
Posts: 7
Liked: never
Joined: Nov 13, 2020 2:53 pm
Full Name: Abel Laime
Contact:

Re: Unable Create Service Account

Post by abel.laime »

In my case the error appeared last week, it is a relatively new error.
Abel Laime |

Technical Engineer Microsoft Cloud Datacenter Management

atsrl
Service Provider
Posts: 68
Liked: 7 times
Joined: Jul 08, 2016 1:58 pm
Full Name: AT SRL
Contact:

Re: Unable Create Service Account

Post by atsrl »

Same issue too.
Case open: #04498450

abel.laime
Novice
Posts: 7
Liked: never
Joined: Nov 13, 2020 2:53 pm
Full Name: Abel Laime
Contact:

Re: Unable Create Service Account

Post by abel.laime »

Hi,
I got a reply, but the error persists.
The idea is to create the application registry manually in portal azure and then in the installation of the service account in Veeam azure, select "Create an Azure account in VB using this application (choose in wizard ‚specify existing service account)".
The error that appears is the same as always.
"Specified account must be assigned a built-in Contributor role or custom role with similar permissions to the subscription scope to work with the subscription Microsoft Azure . Missing permissions: Microsoft.Compute/galleries/share/action"
:cry:
Abel Laime |

Technical Engineer Microsoft Cloud Datacenter Management

atsrl
Service Provider
Posts: 68
Liked: 7 times
Joined: Jul 08, 2016 1:58 pm
Full Name: AT SRL
Contact:

Re: Unable Create Service Account

Post by atsrl »

hi abel.laime, thanks for sharing.
prior to open the support ticket we try on this manner too, but as you say the error persist.

abel.laime
Novice
Posts: 7
Liked: never
Joined: Nov 13, 2020 2:53 pm
Full Name: Abel Laime
Contact:

Re: Unable Create Service Account

Post by abel.laime »

Friends, the problem is already solved.
I thank veeam support for the attention and effectiveness in solving the incident.
The problem was due to the AD azure API and Veeeam Azure, it could not register the app automatically in the azure portal, and that caused the roles and permissions error.
On the VBAZ OS, a linux, connect by ssh, and verify the veeamazurebackup service, it has to be up.
Then, perform the manual registration of the app, and continue then in the installation of the service account in Veeam azure, select "Create an Azure account in VB using this application (choose in wizard ‚specify existing service account)".
* In the event that this does not work, you must install a .deb package for linux ubuntu 18.4.This package was sent by veeam support.
* To run this package, it must be downloaded and unzipped in OS VBAZ, and install "apt-get install /<directory of the unzipped package>", example: sudo apt-get install /tmp/veeamazurebackup_xxxxxxx.deb
* Finally check the status of the service, example: "systemctl status veeamazurebackup".
I hope it is useful for the veeam community in azure.
I am available to help anyone who requires it, please write privately.
bye
:D
Abel Laime |

Technical Engineer Microsoft Cloud Datacenter Management

atsrl
Service Provider
Posts: 68
Liked: 7 times
Joined: Jul 08, 2016 1:58 pm
Full Name: AT SRL
Contact:

Re: Unable Create Service Account

Post by atsrl » 1 person likes this post

Hi abel.laim.
Veeam provide to us the same solution, and works perfect!
Thks!

jabettan
Lurker
Posts: 1
Liked: never
Joined: Oct 19, 2016 4:49 pm
Full Name: jason abettan
Contact:

Re: Unable Create Service Account

Post by jabettan »

I was having the same issue and was able to solve it with a custom role applied to the service account
Following is the JSON for the role:
The line "Microsoft.Compute/galleries/share/action" is the most important change and currently not documented as a requirement in Veeam's KB:

Code: Select all

{
	"properties":{
		"roleName":"Veeam Backup Role",
		"description":"https://www.veeam.com/kb3154",
		"assignableScopes":[
			"/subscriptions/ENTER-THE-REAL-SUB-ID-HERE"
		],
		"permissions":[
			{
				"actions":[
					"Microsoft.Compute/snapshots/delete",
					"Microsoft.Compute/snapshots/write",
					"Microsoft.Compute/snapshots/read",
					"Microsoft.Compute/virtualMachines/read",
					"Microsoft.Compute/virtualMachines/write",
					"Microsoft.Compute/virtualMachines/delete",
					"Microsoft.Compute/disks/read",
					"Microsoft.Compute/disks/delete",
					"Microsoft.Compute/disks/write",
					"Microsoft.Resources/subscriptions/resourceGroups/read",
					"Microsoft.Resources/subscriptions/resourceGroups/write",
					"Microsoft.Resources/subscriptions/resourceGroups/delete",
					"Microsoft.Storage/storageAccounts/write",
					"Microsoft.Storage/storageAccounts/read",
					"Microsoft.Storage/storageAccounts/delete",
					"Microsoft.Compute/galleries/share/action"
				],
				"notActions":[],
				"dataActions":[],
				"notDataActions":[]
			}
		]
	}
}

sukpdg
Lurker
Posts: 1
Liked: never
Joined: Nov 26, 2020 8:10 am
Full Name: Paul Green
Contact:

Re: Unable Create Service Account

Post by sukpdg »

Same issue here -#
Case # 04514536

DanielSch
Lurker
Posts: 2
Liked: never
Joined: Aug 30, 2016 7:59 am
Contact:

Re: Unable Create Service Account

Post by DanielSch »

Same issue for me.
Veeam support told me that there is no hotfix needed, but I think I need the deb package too.
Case # 04516308

victor.rios
Lurker
Posts: 1
Liked: 1 time
Joined: Dec 01, 2020 3:48 pm
Full Name: Victor Rios
Contact:

Re: Unable Create Service Account

Post by victor.rios » 1 person likes this post

I got the same error in the last step. The way I solved it was by creating a custom role on the subscription (Subscription->Access control IAM-> Add ->Add custom role. Set the information in basic and in Permissions tab click add permissions. Set Microsoft.Compute/galleries/share/action in the search box and click on Microsoft Compute result. Click on the Other:Share Gallery. Review + create.
In the check, access tab select Add roles assignments. Click on the role just created and in the select search for "veeambackup" (this is the application name created for the veeam wizard) and save. Next in the veeam wizard click finish and got it.

eeberg
Veeam Software
Posts: 28
Liked: 10 times
Joined: Apr 28, 2020 3:01 pm
Full Name: Eric Ellenberg
Location: Atlanta, GA, USA
Contact:

Re: Unable Create Service Account

Post by eeberg » 3 people like this post

We've made a short video that walks you through the process of creating your own service account (app registration, role, registration). Located here: https://veeam.wistia.com/medias/ptm9bmf61z

jgrote
Influencer
Posts: 10
Liked: 4 times
Joined: Jul 13, 2010 12:14 am
Full Name: Justin Grote
Contact:

Re: Unable Create Service Account

Post by jgrote »

I created a powershell function to automate the process
https://gist.github.com/JustinGrote/6cc ... 88735a1a5f

jgrote
Influencer
Posts: 10
Liked: 4 times
Joined: Jul 13, 2010 12:14 am
Full Name: Justin Grote
Contact:

Re: Unable Create Service Account

Post by jgrote »

Also related: It appears in the logs that you can no longer do a "least privilege" account, it is explicity looking for "*" all permissions.

1/4/2021 10:12:44 PM 10 (1) Warning: Missing permissions: *

And then tells me I need a contributor equivalent role. That's totally unacceptable from a security standpoint, please allow this to be scoped to a custom role that isn't just Contributor with another name (as your video shows), that doesn't count...

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest