I keep getting the AuthorizationFailed error when I try creating managed identity and assigning role assignments. I have done this in the portal, but replicating in terraform has been a pain.
```hcl
# User Assigned Managed Identity
resource "azurerm_user_assigned_identity" "managed-id" {
  resource_group_name = var.resource_group
  location            = var.location
  name                = var.name
  tags                = var.tags
}

# Role assignments take the identity's principal (object) id, not its ARM
# resource id, so reference .principal_id rather than .id
resource "azurerm_role_assignment" "rg" {
  scope                = data.azurerm_resource_group.rg.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_user_assigned_identity.managed-id.principal_id
}

resource "azurerm_role_assignment" "vnet" {
  scope                = data.azurerm_virtual_network.vnet.id
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_user_assigned_identity.managed-id.principal_id
}

resource "azurerm_role_assignment" "dns" {
  # Terraform 0.12+ syntax; the "${...}" wrapper around a bare expression is deprecated
  count                = var.create_dns_ra ? 1 : 0
  scope                = data.azurerm_subscription.sub.id
  role_definition_name = "Private DNS Zone Contributor"
  principal_id         = azurerm_user_assigned_identity.managed-id.principal_id
}
```
After the terraform apply, this is the error for the rg role assignment resource:
```text
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '9219bxxx-xxxx-xxxx-xxxx-xxxxxxxx' with object id '9219xxxx-xxxx-xxxx-xxxx-xxxxxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4c4xxxx-xxxx-xxxx-xxxx-xxxxxxxx/resourceGroups/test-RG/providers/Microsoft.Authorization/roleAssignments/086bxxxx-xxxx-xxxx-xxxx-xxxxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials."
```
Similar error for the vnet role assignment resource:
```text
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '9219bxxx-xxxx-xxxx-xxxx-xxxxxxxx' with object id '9219bxxx-xxxx-xxxx-xxxx-xxxxxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4c4xxxx-xxxx-xxxx-xxxx-xxxxxxxx/resourceGroups/test-RG/providers/Microsoft.Network/virtualNetworks/test-RG-vnet/providers/Microsoft.Authorization/roleAssignments/55adxxxx-xxxx-xxxx-xxxx-xxxxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials."
```
I don't know what I need to get this going, but I'd appreciate any suggestions or solutions to this. Thanks.
To create role assignments, you need to assign either the User Access Administrator or Owner role to your service principal; both include this permission: "Microsoft.Authorization/roleAssignments/write".
I tried to reproduce the same in my environment via Postman and got below results:
I used the below query to create role assignments for the resource group and got the same error as you:
```http
PUT https://management.azure.com/subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Authorization/roleAssignments/xxxxxxxxxxxxxxxxxxxx?api-version=2022-04-01

{
  "properties": {
    "roleDefinitionId": "/subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "principalId": "ca1xxx18-7561-4b98-987d-ee51xxxxd7"
  }
}
```
Response:
I got a similar error when I tried to create role assignments for the VNet too, like below:
```http
PUT https://management.azure.com/subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Network/virtualNetworks/srivnet/providers/Microsoft.Authorization/roleAssignments/xxxxxxxxxxxxxxxxxxxx?api-version=2022-04-01

{
  "properties": {
    "roleDefinitionId": "/subscriptions/<subID>/resourceGroups/<rgname>/providers/Microsoft.Network/virtualNetworks/srivnet/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "principalId": "ca1xxx18-7561-4b98-987d-ee51xxxxd7"
  }
}
```
Response:
To resolve the error, I assigned the Owner role to the service principal under the subscription like below:
After assigning that role, the role assignments were created successfully on the resource group when I ran the below query again:
In your case, try assigning your service principal the Owner role under the subscription to resolve the issue.
If you feel the Owner role is more permissive, it's better to create a custom RBAC role with the "Microsoft.Authorization/roleAssignments/write" permission as suggested in the below link.
Reference: Authorization failed when writing a roleAssignment - Microsoft Q&A by AmanpreetSingh-MSFT
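The custom-role alternative the answer points to, written out as an added Terraform example (not code from the question, the answer or the linked Q&A). It defines a role holding only the roleAssignments actions, assigns it to the deploying service principal at subscription scope (the question's dns assignment targets the subscription), and uses an ABAC condition so the principal can only hand out the two built-in roles the question actually assigns, which stops it from granting itself Owner. Assumed: the variable `deploy_sp_object_id`, the role name, and the Network Contributor role id; this bootstrap must be applied by an identity that already holds Owner or User Access Administrator, since a principal cannot grant itself roleAssignments/write.

```hcl
# Bootstrap config: apply once as an Owner / User Access Administrator,
# not as the pipeline service principal that hits AuthorizationFailed.
data "azurerm_subscription" "sub" {}

# Assumed variable: the 'object id' shown in the AuthorizationFailed message
variable "deploy_sp_object_id" {
  type = string
}

resource "azurerm_role_definition" "role_assigner" {
  name        = "Role Assignment Writer (custom)" # assumed name
  scope       = data.azurerm_subscription.sub.id
  description = "Create, read and delete role assignments only"

  permissions {
    actions = [
      "Microsoft.Authorization/roleAssignments/read",
      "Microsoft.Authorization/roleAssignments/write",
      "Microsoft.Authorization/roleAssignments/delete",
    ]
    not_actions = []
  }

  # Narrow this to the resource-group id if the subscription-scoped
  # dns assignment in the question is not needed.
  assignable_scopes = [data.azurerm_subscription.sub.id]
}

# Built-in role definition ids the principal is allowed to assign:
# Contributor (id taken from the question's request body) and
# Network Contributor. Add the Private DNS Zone Contributor id here
# when create_dns_ra is true.
locals {
  contributor_role_id         = "b24988ac-6180-42a0-ab88-20f7382dd24c"
  network_contributor_role_id = "4d97b98b-1d4f-4787-a291-c67834d212e7"
}

resource "azurerm_role_assignment" "deploy_sp_role_assigner" {
  scope              = data.azurerm_subscription.sub.id
  role_definition_id = azurerm_role_definition.role_assigner.role_definition_resource_id
  principal_id       = var.deploy_sp_object_id

  # ABAC condition: any action other than roleAssignments/write passes
  # through; a write is allowed only for the two listed role definitions.
  condition_version = "2.0"
  condition         = <<-EOT
    ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR
     (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId]
      ForAnyOfAnyValues:GuidEquals {${local.contributor_role_id}, ${local.network_contributor_role_id}}))
  EOT
}
```

After this is applied, the question's original configuration (with `principal_id` taken from the identity's `principal_id` attribute) can be run by the service principal without Owner; an attempt to assign any role outside the allow-list is refused with the same AuthorizationFailed code, which is the signal to look for in the activity log.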