
azuread_application: Authorization_RequestDenied: Insufficient privileges to complete the operation #1408

Open
awaisahmedawan opened this issue Jun 12, 2024 · 1 comment
@awaisahmedawan

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

terraform_1.8.1_linux_amd64

Affected Resource(s)

  • azuread_application

Terraform Configuration Files

resource "azuread_application" "sso_app" {
  display_name            = var.sso_app_display_name
  sign_in_audience        = "AzureADMyOrg"       # single-tenant app
  group_membership_claims = ["ApplicationGroup"] # emit only groups assigned to this app

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
      type = "Scope"                                # delegated permission
    }
  }

  web {
    redirect_uris = ["https://${var.argocd_config.hostname}/auth/callback"]
  }

  public_client {
    # Loopback redirect used by the CLI login flow; the original read "http:https://...", which is not a valid URI
    redirect_uris = ["http://localhost:8085/auth/callback"]
  }

  optional_claims {
    access_token {
      name = "groups"
    }

    id_token {
      name = "groups"
    }

    saml2_token {
      name = "groups"
    }
  }
}

Debug Output

Planning failed. Terraform encountered an error while generating this plan.

│ Error: Retrieving Application with object ID "0efb6050-3049-415e-83e7-4d3f3c4d6f92"

│ with azuread_application.sso_app,
│ on ad.tf line 1, in resource "azuread_application" "sso_app":
│ 1: resource "azuread_application" "sso_app" {

│ ApplicationsClient.BaseClient.Get(): unexpected status 403 with OData
│ error: Authorization_RequestDenied: Insufficient privileges to complete the
│ operation.


│ Error: Unauthorized

│ with kubernetes_namespace.argocd,
│ on main.tf line 1, in resource "kubernetes_namespace" "argocd":
│ 1: resource "kubernetes_namespace" "argocd" {


time=2024-06-11T14:30:55Z level=error msg=terraform invocation failed in /builds/infra/environment_definitions/nonprod/projects/platform/poc/uksouth/cluster/argocd/.terragrunt-cache/WtvgRNsKGK4kxhkbvUCP4kWR5Is/YKKYT5K-8aPuzHHttAxD0K0sA20/azure/argocd prefix=[/builds/infra/environment_definitions/nonprod/projects/platform/poc/uksouth/cluster/argocd]
time=2024-06-11T14:30:55Z level=error msg=Module /builds/infra/environment_definitions/nonprod/projects/platform/poc/uksouth/cluster/argocd has finished with an error: 1 error occurred:
* [/builds/infra/environment_definitions/nonprod/projects/platform/poc/uksouth/cluster/argocd/.terragrunt-cache/WtvgRNsKGK4kxhkbvUCP4kWR5Is/YKKYT5K-8aPuzHHttAxD0K0sA20/azure/argocd] exit status 1
prefix=[/builds/infra/environment_definitions/nonprod/projects/platform/poc/uksouth/cluster/argocd]
time=2024-06-11T14:30:55Z level=info msg=╷
│ Error: Retrieving Application with object ID "0efb6050-3049-415e-83e7-4d3f3c4d6f92"

│ with azuread_application.sso_app,
│ on ad.tf line 1, in resource "azuread_application" "sso_app":
│ 1: resource "azuread_application" "sso_app" {

│ ApplicationsClient.BaseClient.Get(): unexpected status 403 with OData
│ error: Authorization_RequestDenied: Insufficient privileges to complete the
│ operation.


│ Error: Unauthorized

│ with kubernetes_namespace.argocd,
│ on main.tf line 1, in resource "kubernetes_namespace" "argocd":
│ 1: resource "kubernetes_namespace" "argocd" {


time=2024-06-11T14:30:55Z level=error msg=terraform invocation failed in /builds/infra/environment_definitions/nonprod/projects/platform/poc/uksouth/cluster/argocd/.terragrunt-cache/WtvgRNsKGK4kxhkbvUCP4kWR5Is/YKKYT5K-8aPuzHHttAxD0K0sA20/azure/argocd prefix=[/builds/infra/environment_definitions/nonprod/projects/platform/poc/uksouth/cluster/argocd]
time=2024-06-11T14:30:55Z level=error msg=1 error occurred:
* [/builds/infra/environment_definitions/nonprod/projects/platform/poc/uksouth/cluster/argocd/.terragrunt-cache/WtvgRNsKGK4kxhkbvUCP4kWR5Is/YKKYT5K-8aPuzHHttAxD0K0sA20/azure/argocd] exit status 1

Panic Output

Expected Behavior

terraform plan should have passed

Actual Behavior

terraform plan fails, complaining of insufficient privileges to complete the operation. The service principal used to run Terraform is a member of the Application Administrator role under Entra ID and has also been given additional Graph API permissions for Directory.

Steps to Reproduce

  1. terraform plan

Important Factoids

References

  • #0000
@nbaju1

nbaju1 commented Jun 17, 2024

Specifically, which Graph API permissions have been added to the service principal used to run Terraform?

Is this kubernetes_namespace resource related to this? Don't see that in the pasted configuration.
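One way to answer that question from the Graph side: resolve the Terraform service principal's appRoleAssignments on Microsoft Graph to permission names and check whether any permission that allows reading application objects is present. This is an added example, not code from the issue or the provider; the two JSON documents are constructed to mimic the Graph responses (with placeholder object and role ids), and directory-role membership such as Application Administrator is a separate mechanism this script does not inspect.

```python
"""Resolve a service principal's Microsoft Graph app-role assignments to permission names.

Added diagnostic example (not from the issue or the azuread provider). The JSON below is
CONSTRUCTED to match the shape of
  GET /servicePrincipals/{terraform-sp-object-id}/appRoleAssignments        and
  GET /servicePrincipals?$filter=appId eq '<graph app id>'&$select=id,appId,appRoles
In real use fetch both with `az rest` or a Graph SDK and pass the bodies to diagnose().
"""
from __future__ import annotations
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph, as in the issue's config

# Application permissions that allow GET /applications/{id}; any one suffices
# (Application.ReadWrite.OwnedBy only covers applications the caller owns).
APP_READ_PERMISSIONS = {"Application.Read.All", "Application.ReadWrite.All", "Application.ReadWrite.OwnedBy"}

GRAPH_SP_JSON = """{"value": [{"id": "sp-graph-0000", "appId": "00000003-0000-0000-c000-000000000000",
  "appRoles": [{"id": "role-dir-read", "value": "Directory.Read.All"},
               {"id": "role-app-read", "value": "Application.Read.All"},
               {"id": "role-app-rw",   "value": "Application.ReadWrite.All"}]}]}"""  # constructed
ASSIGNMENTS_JSON = """{"value": [
  {"appRoleId": "role-dir-read", "resourceId": "sp-graph-0000", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "role-other",    "resourceId": "sp-other-0000", "resourceDisplayName": "Some other API"}]}"""  # constructed


def graph_role_catalogue(graph_sp_doc: dict) -> tuple[str, dict[str, str]]:
    """Return (Graph SP object id, {appRoleId: permission name}) for the Microsoft Graph service principal."""
    sp = next(s for s in graph_sp_doc["value"] if s["appId"] == GRAPH_APP_ID)
    return sp["id"], {r["id"]: r["value"] for r in sp["appRoles"]}


def granted_graph_permissions(assignments_doc: dict, graph_sp_id: str, catalogue: dict[str, str]) -> set[str]:
    """Names of Graph application permissions actually granted; other resources' assignments are ignored."""
    return {catalogue.get(a["appRoleId"], "unknown:" + a["appRoleId"])
            for a in assignments_doc["value"] if a["resourceId"] == graph_sp_id}


def missing_app_read_permissions(granted: set[str]) -> set[str]:
    """Empty set if the SP can read application objects via app permissions, else the acceptable options."""
    return set() if granted & APP_READ_PERMISSIONS else set(APP_READ_PERMISSIONS)


def diagnose(graph_sp_json: str = GRAPH_SP_JSON, assignments_json: str = ASSIGNMENTS_JSON) -> dict:
    graph_sp_id, catalogue = graph_role_catalogue(json.loads(graph_sp_json))
    granted = granted_graph_permissions(json.loads(assignments_json), graph_sp_id, catalogue)
    return {"granted": sorted(granted), "missing_any_of": sorted(missing_app_read_permissions(granted))}


if __name__ == "__main__":
    print(json.dumps(diagnose(), indent=2))
```

With the constructed input the service principal holds only Directory.Read.All on Graph, so the report lists the three application-reading permissions as missing; an SP that can read the app yields an empty missing_any_of list.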

@manicminer manicminer changed the title Authorization_RequestDenied: Insufficient privileges to complete the operation azuread_application: Authorization_RequestDenied: Insufficient privileges to complete the operation Jun 17, 2024