Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


azure - Accessing On-Prem data gateway resource from another subscription in same tenant

I am trying to create a SQL connector with details within my ARM Template and deploying through DevOps using ARM template deployment.

My current subscription would like to access our generic subscription so I can add the credentials to the on-premise data gateway connectivity to a SQL Server on-prem.

{
    "type": "Microsoft.Web/connections",
    "apiVersion": "2016-06-01",
    "name": "[parameters('connections_sql_winauth_name')]",
    "location": "northeurope",
    "kind": "V1",
    "properties": {
        "displayName": "winauth-cn",
        "customParameterValues": {},
        "parameterValues": {
            "server": "[parameters('bi_server_name')]",
            "database": "{dB}",
            "authType": "Windows Authentication",
            "username": "{username}",
            "password": "{password}",
            "gateway": {
                "id": "/subscriptions/{different subscription}/resourceGroups/{resourceGroup}/providers/Microsoft.Web/connectionGateways/{data gateway-resource-name}"
            }
        },
        "api": {
            "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/northeurope/managedApis/sql')]"
        }
    }
},

When I try to run the deployment pipeline, I receive the following error:

2021-01-26T16:49:37.7344633Z ##[error]LinkedAuthorizationFailed: The client 'x' with object id 'y' has permission to perform action 'Microsoft.Web/connections/write' on scope '/subscriptions/{current subscription}/resourcegroups/{mainResourceGroup}/providers/Microsoft.Web/connections/sql-02'; however, it does not have permission to perform action 'Microsoft.Web/connectionGateways/associate/action' on the linked scope(s) '/subscriptions/{differentSubscription}/resourceGroups/{resourceGroup}/providers/Microsoft.Web/connectionGateways/{data gateway-resource-name}' or the linked scope(s) are invalid.

Does anyone have any idea how I can deploy with success? I know this is possible within the portal, but in the portal I am struggling with applying the credentials on the renamed API-connection I have created.

question from:https://stackoverflow.com/questions/65907363/accessing-on-prem-data-gateway-resource-from-another-subscription-in-same-tenant


1 Answer


The error code is LinkedAuthorizationFailed. According to the doc, we need to check whether your account belongs to the same tenant as the resource group that you're deploying to.

The detailed error message is: it does not have permission to perform action 'Microsoft.Web/connectionGateways/associate/action' on the linked scope(s). We need to check whether the role has enough permissions; refer to this doc for more details.
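The permission check described above can be turned into a least-privilege grant. The following is an added example, not part of the original question or answer: it parses a LinkedAuthorizationFailed message, then builds a custom role definition containing only the missing action and a single role assignment on the gateway resource. The role name, GUIDs and resource names are constructed, and it assumes the gateway owner agrees to grant the pipeline's principal that one action.

```python
import json
import re

# Constructed sample shaped like the pipeline error in the question (IDs and names are made up).
SAMPLE_ERROR = (
    "LinkedAuthorizationFailed: The client 'x' with object id "
    "'11111111-1111-1111-1111-111111111111' has permission to perform action "
    "'Microsoft.Web/connections/write' on scope '/subscriptions/"
    "aaaaaaaa-0000-0000-0000-000000000000/resourcegroups/rg-main/providers/"
    "Microsoft.Web/connections/sql-02'; however, it does not have permission to "
    "perform action 'Microsoft.Web/connectionGateways/associate/action' on the "
    "linked scope(s) '/subscriptions/bbbbbbbb-0000-0000-0000-000000000000/"
    "resourceGroups/rg-shared/providers/Microsoft.Web/connectionGateways/gw-onprem' "
    "or the linked scope(s) are invalid."
)

_FAILURE = re.compile(
    r"object id '(?P<object_id>[^']+)'.*?does not have permission to perform "
    r"action '(?P<action>[^']+)' on the linked scope\(s\) '(?P<scope>[^']+)'",
    re.S,
)
_RG_SCOPE = re.compile(r"/subscriptions/[^/]+/resourceGroups/[^/]+", re.I)


def parse_linked_auth_failure(message):
    """Extract the principal, the missing action and the linked scope."""
    match = _FAILURE.search(message)
    if match is None:
        raise ValueError("message does not describe a missing linked-scope action")
    return match.groupdict()


def least_privilege_grant(failure, role_name="Gateway Associate (example)"):
    """Build a custom role with only the missing action, plus one assignment on the gateway."""
    rg_scope = _RG_SCOPE.match(failure["scope"])
    if rg_scope is None:
        raise ValueError("linked scope is not inside a resource group")
    role = {
        "Name": role_name,  # hypothetical role name
        "IsCustom": True,
        "Description": "Allows associating API connections with a data gateway.",
        "Actions": [failure["action"]],  # nothing beyond what the error reported
        "NotActions": [],
        "AssignableScopes": [rg_scope.group(0)],  # the gateway's resource group only
    }
    assignment = {"principalId": failure["object_id"], "role": role_name, "scope": failure["scope"]}
    return role, assignment


if __name__ == "__main__":
    print(json.dumps(least_privilege_grant(parse_linked_auth_failure(SAMPLE_ERROR)), indent=2))
```

The role dictionary follows the JSON shape accepted by `az role definition create --role-definition`, and the assignment fields map to `az role assignment create --assignee-object-id ... --role ... --scope ...`, run by someone with rights in the gateway's subscription.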

