AuthorizationFailed - Creating Role Assignments in Azure
I keep getting the AuthorizationFailed error when I try creating managed identity and assigning role assignments. I have done this in the portal, but replicating in terraform has been a pain.
# User Assigned Managed Identity
resource "azurerm_user_assigned_identity" "managed-id" {
resource_group_name = var.resource_group
location = var.location
name = var.name
tags = var.tags
}
resource "azurerm_role_assignment" "rg" {
scope = data.azurerm_resource_group.rg.id
role_definition_name = "Contributor"
principal_id = azurerm_user_assigned_identity.managed-id.id
}
resource "azurerm_role_assignment" "vnet" {
scope = data.azurerm_virtual_network.vnet.id
role_definition_name = "Network Contributor"
principal_id = azurerm_user_assigned_identity.managed-id.id
}
resource "azurerm_role_assignment" "dns" {
count = "${var.create_dns_ra ? 1 : 0}"
scope = data.azurerm_subscription.sub.id
role_definition_name = "Private DNS Zone Contributor"
principal_id = azurerm_user_assigned_identity.managed-id.id
}
After the terraform apply, this is the error for the rg role assignment resource:
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '9219bxxx-xxxx-xxxx-xxxx-xxxxxxxx' with object id '9219xxxx-xxxx-xxxx-xxxx-xxxxxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4c4xxxx-xxxx-xxxx-xxxx-xxxxxxxx/resourceGroups/test-RG/providers/Microsoft.Authorization/roleAssignments/086bxxxx-xxxx-xxxx-xxxx-xxxxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials."
Similar error for the vnet role assignment resource:
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '9219bxxx-xxxx-xxxx-xxxx-xxxxxxxx' with object id '9219bxxx-xxxx-xxxx-xxxx-xxxxxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4c4xxxx-xxxx-xxxx-xxxx-xxxxxxxx/resourceGroups/test-RG/providers/Microsoft.Network/virtualNetworks/test-RG-vnet/providers/Microsoft.Authorization/roleAssignments/55adxxxx-xxxx-xxxx-xxxx-xxxxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials."
I don't know what I need to get this going, but I'd appreciate any suggestions or solutions to this. Thanks
To create role assignments, you need to assign either User Access Administrator or Owner role to your service principal that includes this permission: "Microsoft.Authorization/roleAssignments/write"
I tried to reproduce the same in my environment via Postman and got below results:
I used below query to create role assignments for resource group and got same error as you like this:
PUT https://management.azure.com/subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Authorization/roleAssignments/xxxxxxxxxxxxxxxxxxxx?api-version=2022-04-01
{
"properties": {
"roleDefinitionId": "/subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "ca1xxx18-7561-4b98-987d-ee51xxxxd7"
}
}
Response:
I got similar error when I tried to create role assignments for VNet too like below:
PUT https://management.azure.com/subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Network/virtualNetworks/srivnet/providers/Microsoft.Authorization/roleAssignments/xxxxxxxxxxxxxxxxxxxx?api-version=2022-04-01
{
"properties": {
"roleDefinitionId": "/subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Network/virtualNetworks/srivnet/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "ca1xxx18-7561-4b98-987d-ee51xxxxd7"
}
}
Response:
To resolve the error, I assigned Owner role to the service principal under subscription like below:
After assigning that role, role assignments created successfully on resource group when I ran below query again:
In your case, try assigning your service principal Owner role under subscription to resolve the issue.
If you feel Owner role is more permissive, it's better to create custom RBAC role with "Microsoft.Authorization/roleAssignments/write" permission as suggested in below link.
Reference: Authorization failed when when writing a roleAssignment - Microsoft Q&A by AmanpreetSingh-MSFT
- Scope is not being added to Access Token returned from Azure Ad
- az cli : create container app via yaml fail due to parsing to json
- Display agents API ADO with SystemCapabilities filter
- Azure devops variables are not updating
- Azure DevOps Pipeline Throwing Error with Terraform While Deploying to Azure
- Azure AppService and SQL Server in Docker compose can't connect
- The required field 'nonce' is missing from the credential. Ensure that you have all the necessary parameters for the login request. [Azure Open ID]
- MongoDB - conditional uniqueness constraints on different "id" fields
- Retry delay on Function with Azure ServiceBus queue trigger
- Azure Static Web App: Add an header for each JS file
- How to configure Application Insights for sending telemetry from .net 4.8 application
- IServiceCollection does not contain a definition for AddAzureClients
- How to authenticate with Azure ACR from Azure container app service
- Azure Cli how to change subscription default
- Problem RDP to Azure Virtual Desktop through Azure Firewall
- az role assignment delete: The request did not have a subscription or a valid tenant level resource provider
- Azure PIM Role Settings for Owner role
- Graphclient ArgumentException: Only HTTP/1.0 and HTTP/1.1 version requests are currently supported. Parameter name: value
- Azure Static Web App ignoring config json sometimes
- How do I avoid "Couldn't find a metric" when creating a metric alert in Bicep
- Using Az.Websites module to set up user assigned managed identity to pull image from ACR
- resource not found with Azure OpenAI service
- Why I'm getting 404 Resource Not Found to my newly Azure OpenAI deployment?
- Azure Service Bus Topic - Using REST API to Send Message - Message going into Dead Letter Queue
- Azure Function App - No continuous deployment setting for "Flex Consumption" hosting plan?
- Azure Service Bus - REST API - Sending a message to a Session Enabled Topic/Subscription
- How are you supposed to install a Python library using azure webapp as template?
- Could not load file or assembly "System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
- Search-AzQuery querying authorizationresources returns 0 records
- Azure APIM: Identifying the API resource id from the portal