Reputation: 2273
I'm trying to create an Azure AD application using Terraform along with our Azure DevOps pipeline, but I am getting the following error:

    1 error(s) occurred:

    * module.cluster.module.cluster.azuread_application.cluster: 1 error(s) occurred:

    * azuread_application.cluster: graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-02-19T23:22:23","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"<SOME GUID>"}}]
I'm pretty sure this is because the pipeline's service principal doesn't have the proper permissions within our Azure AD.
This is the offending Terraform code:

    # Registers the application in Azure AD
    resource "azuread_application" "cluster" {
      name = "some-application"
    }

    # Creates the service principal backing that application
    resource "azuread_service_principal" "cluster" {
      application_id = "${azuread_application.cluster.application_id}"
    }
Here is what the Terraform step looks like (I'm using a Service Connection to supply the service principal).
To configure the service principal, I am selecting "Manage Service Principal" for the Service Connection.
I have then given it all "required permissions" for both Microsoft Graph and Windows Azure Active Directory. I don't think I need the Microsoft Graph, but did that since Windows AAD wasn't working.
Upvotes: 4
Views: 5795
Reputation: 24569
According to the error information, it indicates that you have no permission to do that.
Following the Terraform guide document, we need to assign permissions corresponding to the application:
NOTE: If you're authenticating using a Service Principal then it must have permissions to both "Read and write all applications" and "Sign in and read user profile" within the Windows Azure Active Directory API.
During testing, I assigned the following permissions to the Azure Active Directory API; for more information, please refer to the screenshot.
Note: Please don't forget to click "Grant permissions".
Test Result:
Upvotes: 7
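As an added example (not code from the question or either answer), the following Python helper parses the autorest error string shown in the question and maps the `Authorization_RequestDenied` code to the remediation the answer above describes, so a pipeline can surface the root cause instead of the opaque "Unknown service error". The sample error text is constructed from the question; the remediation wording is an assumption based on the answer.

```python
import json
import re
from typing import Any, Dict

# Constructed sample: the error line from the question, joined onto one string.
SAMPLE_ERROR = (
    '* azuread_application.cluster: graphrbac.ApplicationsClient#Create: '
    'Failure responding to request: StatusCode=403 -- Original Error: '
    'autorest/azure: Service returned an error. Status=403 Code="Unknown" '
    'Message="Unknown service error" Details=[{"odata.error":{"code":'
    '"Authorization_RequestDenied","date":"2019-02-19T23:22:23","message":'
    '{"lang":"en","value":"Insufficient privileges to complete the operation."},'
    '"requestId":"<SOME GUID>"}}]'
)

# Remediation hints keyed by the odata.error code. The text here is an
# assumption derived from the answer above, not from Microsoft documentation.
REMEDIATION = {
    "Authorization_RequestDenied": (
        "The service principal running Terraform needs 'Read and write all "
        "applications' and 'Sign in and read user profile' on the Windows Azure "
        "Active Directory API, and an admin must click 'Grant permissions'."
    ),
}


def parse_graph_error(text: str) -> Dict[str, Any]:
    """Extract the odata.error payload embedded in an autorest/azure error string.

    Returns status, code, message, request_id and a remediation hint (or None
    for any field that cannot be recovered from the text).
    """
    result: Dict[str, Any] = {"status": None, "code": None, "message": None,
                              "request_id": None, "hint": None}
    status = re.search(r"StatusCode=(\d+)", text)
    if status:
        result["status"] = int(status.group(1))
    # Details=[...] carries the JSON array returned by the Graph API.
    details = re.search(r"Details=(\[.*\])", text, re.DOTALL)
    if not details:
        return result
    try:
        payload = json.loads(details.group(1))
    except json.JSONDecodeError:
        return result  # malformed Details block: keep what we have
    odata = payload[0].get("odata.error", {}) if payload else {}
    result["code"] = odata.get("code")
    result["message"] = odata.get("message", {}).get("value")
    result["request_id"] = odata.get("requestId")
    result["hint"] = REMEDIATION.get(result["code"])
    return result
```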
Reputation: 51
In order for Terraform to access AD and make changes, you need to add these permissions.
You need to give these permissions to the service principal of the Azure DevOps service connection. Use the "Manage Service Principal" option. In Azure, these are API permissions for the registered app and its service principal.
Upvotes: 0