
azurerm role assignment, not able to assign role when used client_id, client_secret, subscription_id, tenant_id in provider


I am using Terraform to assign the "Network Contributor" role on an Azure vnet and am facing the problem below. I am not able to understand the problem and would appreciate your help.

Working scenario (this assigns the role successfully to the vnet):

  1. az login (it gave a device code and authenticated via browser).
  2. Terraform code:

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.0"
    }
  }
  required_version = "~> 1.0"
}

provider "azurerm" {
  features {}
}

resource "azurerm_role_assignment" "example" {
  scope              = "/subscriptions/xxx/resourceGroups/scale-rg/providers/Microsoft.Network/virtualNetworks/scale-vnet"
  role_definition_id = "/subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
  principal_id       = "393b9aba-8a3d-48f5-b5fe-c0ed0eb81ce5"
}
```


Non-working scenario (need help):

  1. Different machine (no az login)
  2. Terraform code:

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.0"
    }
  }
  required_version = "~> 1.0"
}

provider "azurerm" {
  features {}

  use_cli         = false
  subscription_id = "xxx"
  client_id       = "xyz"
  client_secret   = "abc"
  tenant_id       = "fcf"
}

resource "azurerm_role_assignment" "example" {
  scope              = "/subscriptions/5cd3cd6f-667b-4a89-a046-de077806c368/resourceGroups/spectrum-scale-rg/providers/Microsoft.Network/virtualNetworks/spectrum-scale-vnet"
  role_definition_id = "/subscriptions/5cd3cd6f-667b-4a89-a046-de077806c368/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
  principal_id       = "393b9aba-8a3d-48f5-b5fe-c0ed0eb81ce5"
}
```

When using the above client_id, tenant_id, subscription_id and client_secret (they were obtained from `az account show`, and with them I was able to successfully create other resources like vnets, subnets etc.), it gives the error below:

Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '4d8a138b-5734-441a-a3cd-00f60be1d7c0' with object id '4d8a138b-5734-441a-a3cd-00f60be1d7c0' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xxx/resourceGroups/scale-rg/providers/Microsoft.Network/virtualNetworks/scale-vnet/providers/Microsoft.Authorization/roleAssignments/144a2f0d-1f3b-fb7a-3e20-62261e44a9c1' or the scope is invalid. If access was recently granted, please refresh your credentials."


Solution

  • The reason you're getting this error is that the service principal you're using to run your Terraform code does not have permission to assign roles.

    To fix this, please assign an appropriate Azure RBAC role to your service principal in the Azure subscription. The RBAC roles that allow role assignment are Owner or User Access Administrator.
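As an added example (not code from the question or the answer above), this is the Terraform an administrator who already holds Owner or User Access Administrator could apply once to grant the deploying service principal the User Access Administrator role on just the resource group that contains the vnet; that is enough for the vnet role assignment in the question to succeed without handing the service principal Owner on the whole subscription. The `deployer_object_id` variable, the `~> 3.0` provider pin and the `scale-rg` resource group name are assumptions.

```hcl
# Added example, not part of the original question or answer.
# Apply this with credentials that already hold Owner or User Access
# Administrator; the value passed for deployer_object_id is the "object id"
# that appears in the AuthorizationFailed message of the deploying principal.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumed pin; 'description' needs a recent provider
    }
  }
}

provider "azurerm" {
  features {}
}

variable "deployer_object_id" {
  description = "Object ID of the service principal that runs the vnet deployment"
  type        = string
}

# Scope the grant to the resource group holding the vnet (assumed name),
# not to the subscription: role-assignment rights are inherited downward,
# so this covers the vnet-level assignment the deployment creates.
data "azurerm_resource_group" "target" {
  name = "scale-rg"
}

resource "azurerm_role_assignment" "deployer_uaa" {
  scope                = data.azurerm_resource_group.target.id
  role_definition_name = "User Access Administrator"
  principal_id         = var.deployer_object_id
  description          = "Allow the deployment SP to create role assignments inside scale-rg only"

  # Avoid the eventual-consistency lookup failure seen right after an SP is created.
  skip_service_principal_aad_check = true
}

output "granted_scope" {
  value = azurerm_role_assignment.deployer_uaa.scope
}
```

After this applies, re-run the original plan with the service principal credentials; the provider acquires a fresh token on each run, so the newly granted permission takes effect without any further refresh step.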