azure-devops, azure-rm

Terraform renew secret for azure application registration, "Authorization_RequestDenied"


I have some Terraform code to renew the secret of an Azure AD application. It's the same service principal and AD app as the Azure DevOps service connection. It rotates it every 30 min so I can use the service principal to perform some SQL tasks.

Code

# Rotate password every 30min
resource "time_rotating" "azure" {
  rotation_minutes = 30
}

# Generate application temp password
resource "random_password" "ado_temp_secret" {
  length  = 32
  special = true
  keepers = {
    expiry = time_rotating.azure.rotation_rfc3339
  }
}

# Create temp secret for ADO Service Connection application
resource "azuread_application_password" "ado_temp_secret" {
  application_object_id = data.azuread_application.ado_service_connection.object_id
  description           = "${module.sql_server.sql_server_name} Temp Password"
  value                 = random_password.ado_temp_secret.result
  end_date              = time_rotating.azure.rotation_rfc3339
}

This works from my local CLI when I authenticate with my own Azure user. But it doesn't work when using a DevOps pipeline task.

Task

    - task: TerraformCLI@0
      displayName: Terraform Apply
      inputs:
        command: 'apply'
        workingDirectory: '${{ parameters.TerraformWorkingDirectory }}'
        environmentServiceName: '${{ parameters.ServiceConnection }}'
        runAzLogin: true
        commandOptions: '${{ parameters.TerraformClioptions }}'
        allowTelemetryCollection: false

The value for environmentServiceName would be the same service connection I am trying to refresh the password for.

The pipeline has an error:

azuread_application_password.ado_temp_secret: Destroying... [<id>]
╷
│ Error: Removing password credential "<credentials>" from application with object ID "<id>"
│ 
│ graphrbac.ApplicationsClient#UpdatePasswordCredentials: Failure responding
│ to request: StatusCode=403 -- Original Error: autorest/azure: Service
│ returned an error. Status=403 Code="Unknown" Message="Unknown service
│ error"
│ Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2021-04-27T06:29:38","message":{"lang":"en","value":"Insufficient
│ privileges to complete the
│ operation."},"requestId":"<id>"}}]
╵

So obviously the issue is permissions. But I am unable to find which permission is needed. Would it be because it's trying to remove a secret from itself? Even though it's a different secret?
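As an added example (not code from the question or the answer): Terraform wraps the provider's message at a fixed width and prefixes every line with a box-drawing gutter, which is why the real Graph reason ("Authorization_RequestDenied") is buried behind the opaque "Unknown service error". The helper below strips the gutter, re-joins the wrapped JSON and returns the status code, the odata error code and the message, so a pipeline step can fail with the actual cause. The sample output is constructed from the error block above, and the function names are mine.

```python
import json
import re
from typing import Optional

# Constructed sample: the failing "terraform apply" output from the question,
# reproduced with the box-drawing gutter and the re-wrapped Graph payload.
SAMPLE_TERRAFORM_ERROR = """\
azuread_application_password.ado_temp_secret: Destroying... [<id>]
╷
│ Error: Removing password credential "<credentials>" from application with object ID "<id>"
│
│ graphrbac.ApplicationsClient#UpdatePasswordCredentials: Failure responding
│ to request: StatusCode=403 -- Original Error: autorest/azure: Service
│ returned an error. Status=403 Code="Unknown" Message="Unknown service
│ error"
│ Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2021-04-27T06:29:38","message":{"lang":"en","value":"Insufficient
│ privileges to complete the
│ operation."},"requestId":"<id>"}}]
╵
"""

# Terraform's diagnostic gutter: a box-drawing character plus one space.
GUTTER = re.compile(r"^[╷│╵]\s?")


def flatten_terraform_error(output: str) -> str:
    """Strip the gutter and re-join the wrapped lines into one string.

    Terraform breaks the provider message at roughly 78 columns, so the JSON
    in Details=[...] is split across several lines. The breaks fall inside
    string values, so joining with a single space restores them.
    """
    pieces = []
    for line in output.splitlines():
        line = GUTTER.sub("", line).strip()
        if line:
            pieces.append(line)
    return " ".join(pieces)


def parse_graph_error(output: str) -> Optional[dict]:
    """Return the HTTP status and the Graph odata.error, or None.

    None means the output carries no Details=[...] payload (for example a
    Terraform syntax error), so callers must handle that case explicitly.
    """
    flat = flatten_terraform_error(output)
    status_match = re.search(r"StatusCode=(\d{3})", flat)
    start = flat.find("Details=[")
    if start == -1:
        return None
    # raw_decode stops after the first complete JSON value, so any text that
    # follows the array does not break decoding.
    details, _ = json.JSONDecoder().raw_decode(flat, start + len("Details="))
    odata = details[0].get("odata.error", {}) if details else {}
    message = odata.get("message", {})
    return {
        "status": int(status_match.group(1)) if status_match else None,
        "code": odata.get("code"),
        "message": message.get("value") if isinstance(message, dict) else message,
        "request_id": odata.get("requestId"),
    }


def is_permission_failure(output: str) -> bool:
    """True when the apply failed because the pipeline identity lacks the
    directory role or API permission needed to modify the credential."""
    err = parse_graph_error(output)
    return bool(err) and err["status"] == 403 and err["code"] == "Authorization_RequestDenied"


if __name__ == "__main__":
    print(parse_graph_error(SAMPLE_TERRAFORM_ERROR))
    print("permission failure:", is_permission_failure(SAMPLE_TERRAFORM_ERROR))
```

Run the script on the captured output of the Terraform task (for example piped from the pipeline log) to get the decoded reason and the Graph requestId, which is the value to quote when asking a tenant administrator to confirm which role or permission the pipeline principal is missing.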


Solution

  • Application Administrator was needed for the role, and Application Read/Write for the API permission.