CJW

Reputation: 990

Principals of type Application cannot validly be used in role assignments

I am deploying a new App Registration via Terraform and then assigning a Role in my Event Hub to that App Registration.

E.g. deploying the App Registration:

data "azuread_client_config" "current" {}

resource "azuread_application" "eventhub_auth" {
  display_name = "AppReg"
  sign_in_audience = "AzureADMyOrg"
  owners           = [data.azuread_client_config.current.object_id]

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Admins can manage roles and perform all task actions"
    display_name         = "Admin"
    enabled              = true
    id                   = uuid()
    value                = "admin"
  }

  app_role {
    allowed_member_types = ["User"]
    description          = "ReadOnly roles have limited query access"
    display_name         = "ReadOnly"
    enabled              = true
    id                   = uuid()
    value                = "User"
  }
}

Role Assignment:

resource "azurerm_role_assignment" "receiver" {
  scope                = resource.azurerm_eventhub_namespace.hub.id
  role_definition_name = "Azure Event Hubs Data Receiver"
  principal_id         = "<id>" # I have tried the Object_ID, Application_ID and the Tenant_ID here and all of them fail
}

Is there another ID/Service Principal somewhere that I am missing?

Upvotes: 5

Views: 8485

Answers (3)

RSW

Reputation: 1376

Tldr:

Use the object id from the Enterprise Application as shown on the AzureAD (EntraID) screen below:

[screenshot: Enterprise Application overview in AzureAD (EntraID) showing the Object ID]

Explanation:

For every application registered in AzureAD (EntraID), two types of objects get created in the tenant once the app registration is done.

  • An Application Object: The Application Object is what you see under App Registrations in the Azure Active Directory blade. Along with the Client Secret, this one is used for authentication. E.g. Connect-AzAccount -Credential <Credential PS Object With AppID> -Tenant XXX -ServicePrincipal
  • A Service Principal Object: The Service Principal Object is what you see under the Enterprise Registration in the Azure Active Directory blade. This one is used for authorization. E.g. New-AzRoleAssignment -ObjectId <Object ID from Enterprise App> -RoleDefinitionName XX -Scope XX

In my case I mistakenly used object id from the App Registration Screen of AzureAD (EntraID), and got this error.

After using the object id from the Enterprise Application shown on the AzureAD (EntraID) screen, this error was gone.

Upvotes: 16

eniqen

Reputation: 61

You need to run az ad sp list --filter "displayName eq 'your_service_principal_name'" and take the ID parameter from the response.

Upvotes: 4

CJW

Reputation: 990

I managed to work this out. Working config is:

# Create the service principal (the Enterprise Application) for the app registration
resource "azuread_service_principal" "eventhub" {
  application_id = azuread_application.eventhub_auth.application_id
}

resource "azurerm_role_assignment" "receiver" {
  scope                = resource.azurerm_eventhub_namespace.hub.id
  role_definition_name = "Azure Event Hubs Data Receiver"
  # Object ID of the service principal, not of the application object
  principal_id         = azuread_service_principal.eventhub.id
}

Upvotes: 3
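The two-object split RSW describes and the self-answer's fix, carried into one complete configuration as an added example (not code from any of the posts above). It goes beyond the accepted config in three ways: app role ids come from random_uuid instead of uuid() (which is re-evaluated on every plan and causes perpetual drift), the service principal is created from client_id, and the role assignment is typed as ServicePrincipal with the replication check skipped so the first apply does not fail. Assumptions: azuread 2.44 or later and azurerm 3.x, and an azurerm_eventhub_namespace named hub defined elsewhere.

```hcl
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 2.45" }
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    random  = { source = "hashicorp/random", version = "~> 3.5" }
  }
}

data "azuread_client_config" "current" {}

# Stable role id: uuid() is re-evaluated on every plan and causes perpetual drift.
resource "random_uuid" "admin_role" {}

# 1. Application object (what App Registrations shows). Used for authentication.
resource "azuread_application" "eventhub_auth" {
  display_name     = "AppReg"
  sign_in_audience = "AzureADMyOrg"
  owners           = [data.azuread_client_config.current.object_id]

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Admins can manage roles and perform all task actions"
    display_name         = "Admin"
    enabled              = true
    id                   = random_uuid.admin_role.result
    value                = "admin"
  }
}

# 2. Service principal object (what Enterprise Applications shows). Used for
#    authorization; its object_id is the only id the role assignment accepts.
resource "azuread_service_principal" "eventhub_auth" {
  client_id = azuread_application.eventhub_auth.client_id
  owners    = [data.azuread_client_config.current.object_id]
}

# 3. Role assignment bound to the service principal, never to the application
#    object id, the app (client) id, or the tenant id.
resource "azurerm_role_assignment" "receiver" {
  scope                = azurerm_eventhub_namespace.hub.id # assumed to exist elsewhere
  role_definition_name = "Azure Event Hubs Data Receiver"
  principal_id         = azuread_service_principal.eventhub_auth.object_id
  principal_type       = "ServicePrincipal"
  # A just-created service principal may not have replicated yet; skip the
  # existence check instead of failing the first apply.
  skip_service_principal_aad_check = true
}
```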
