# azure
w
Hello, I'm trying to deploy an Azure container app but have some access issues. The managed environment has existed since before, but I have the Contributor role on both the resource group and environment. When trying to create the container app I get the following error:
error: PUT https://management.azure.com/subscriptions/4fd6df59-480d-4b34-9818-394062e697d6/resourceGroups/elkds-sandbox-tomas-rg/providers/Microsoft.App/containerApps/monostore-cart-module
    --------------------------------------------------------------------------------
    RESPONSE 403: 403 Forbidden
    ERROR CODE: LinkedAuthorizationFailed
    --------------------------------------------------------------------------------
    {
      "error": {
        "code": "LinkedAuthorizationFailed",
        "message": "The client 'email' with object id 'ojbjectId' has permission to perform action 'Microsoft.App/containerApps/write' on scope '/subscriptions/4fd6df59-480d-4b34-9818-394062e697d6/resourceGroups/rgName/providers/Microsoft.App/containerApps/containerapp-name'; however, it does not have permission to perform action(s) '/join/action' on the linked scope(s) '/providers/Microsoft.App/managedEnvironments/envname' (respectively) or the linked scope(s) are invalid."
      }
    }
We have tried everything except giving owner access basically. Any ideas?
m
I see you already found this issue 🙂 Does this not help?
w
Yes, found and our IAM admin has given me contributor role on the resource group, on the resource and also given me a custom role with the following actions:
"actions": [
    "Microsoft.Web/kubeEnvironments/read",
    "Microsoft.Web/kubeEnvironments/join/action",
    "Microsoft.Web/containerApps/revisions/read",
    "Microsoft.Web/containerApps/revisions/activate/action",
    "Microsoft.Web/containerApps/revisions/deactivate/action",
    "Microsoft.Web/containerApps/revisions/deactivate/restart/action",
    "Microsoft.Web/containerApps/operationResults/read",
    "Microsoft.Web/containerApps/write",
    "Microsoft.Web/containerApps/read"
],
So it is very unclear what more I need. Contributor on the environment and resource group should be more than enough if you ask me.
And I have no problem creating a container app using the portal.
m
I agree that Contributor should be enough. They’re doing something odd on the Azure side.
a
I've been using the built-in role, Container Apps Contributor. It's not yet documented but it's there and can be assigned: https://www.azadvertizer.net/azrolesadvertizer/358470bc-b998-42bd-ab17-a7e34c199c0f.html
w
will try... right now I've basically been assigned God and it still doesn't work 😄.