I have an Azure service principal with "Owner" permissions on a subscription
I am using that Service principal to plan and apply my terraform templates
When running locally, everything works as expected
However, when running in a Gitlab CI/CD pipeline, I'm getting the following error:
│ Error: Could not create application
│
│ with azuread_application.app-acr-myacrname,
│ on main.tf line 12, in resource "azuread_application" "app-acr-myacrname":
│ 12: resource "azuread_application" "app-acr-myacrname" {
│
│ ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData
│ error: Authorization_RequestDenied: Insufficient privileges to complete the
│ operation.
I am expecting this user to be able to create any resources, including assigning RBAC permissions. But it appears to be failing on creating an Azure AD application.
Even though the service principal has "Owner" permissions on the Azure subscription, it lacks the necessary permissions within Azure Active Directory to create applications, which is the problem you are experiencing. There are separate scopes in Azure, and having "Owner" status on a subscription does not automatically give you Azure AD permissions.
To resolve this issue, you can:
Allocate the service principal to a role such as "Application Administrator" or "Cloud Application Administrator" in Azure AD. These roles possess the requisite authorizations to construct and oversee Azure AD and Microsoft 365 applications.
If administrative approval is necessary for certain permissions, make sure that approval is given either manually through the Azure portal or by defining the required permissions and consent for the service principal.
Utilize the most recent iteration of the Terraform AzureAD provider and validate the accuracy of your provider configuration, including credentials and tenancy ID.
Ensure that your request to establish the Azure AD application does not include permissions that go beyond the limits set by the specified role.
This configuration should enable your GitLab CI/CD pipeline to successfully generate Azure AD applications, as intended.
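Added example, not part of the original answer: a small Terraform configuration that performs the first step above (granting the pipeline's service principal an Azure AD directory role) and shows the provider configuration the third step refers to. It has to be applied once by an identity that already holds a privileged directory role (Global Administrator or Privileged Role Administrator), because the CI service principal cannot grant itself the role it is missing. The variable name and the "gitlab-terraform" display name are assumptions for illustration; the resource and attribute names are those of the hashicorp/azuread provider 2.x.

```hcl
# Added example (not from the original question or answer). Apply with
# credentials that already hold a privileged Azure AD directory role; the CI
# service principal cannot assign itself a directory role it does not have.

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
  }
}

# With no arguments the provider reads ARM_TENANT_ID, ARM_CLIENT_ID and
# ARM_CLIENT_SECRET from the environment. In the pipeline these must point at
# the same tenant and principal that work locally; a wrong tenant ID also
# surfaces as Authorization_RequestDenied.
provider "azuread" {}

variable "ci_sp_display_name" {
  description = "Display name of the service principal the GitLab pipeline runs as (assumed name)"
  type        = string
  default     = "gitlab-terraform"
}

# The service principal that runs terraform plan/apply in CI.
data "azuread_service_principal" "ci" {
  display_name = var.ci_sp_display_name
}

# Looks up (and activates, if needed) the built-in directory role.
# Cloud Application Administrator is the narrower of the two roles named in
# the answer: it can create and manage app registrations and enterprise apps
# but not Application Proxy settings, which is enough for azuread_application.
resource "azuread_directory_role" "cloud_app_admin" {
  display_name = "Cloud Application Administrator"
}

# Azure AD (directory) role membership. This is separate from the
# subscription-scoped Owner RBAC assignment the principal already has,
# which is exactly why Owner alone did not let it create applications.
resource "azuread_directory_role_assignment" "ci_cloud_app_admin" {
  role_id             = azuread_directory_role.cloud_app_admin.template_id
  principal_object_id = data.azuread_service_principal.ci.object_id
}

output "ci_service_principal_object_id" {
  description = "Object ID of the CI principal, useful for cross-checking the identity the pipeline authenticates as"
  value       = data.azuread_service_principal.ci.object_id
}
```

After this is applied, re-run the pipeline. Role membership can take a few minutes to propagate, so an immediate retry may still return 403. If the object ID in the output does not match the principal the pipeline authenticates as (for example because the CI variables were created for a different app registration or tenant), the role assignment landed on the wrong identity and the provider configuration, not the role, is the problem.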