Azure-Samples / azure-sdk-for-go-samples

Examples of how to utilize Azure services from Go.
MIT License

graphrbac tests fail with 403 "Insufficient privileges to complete the operation" #238

Closed jbw976 closed 5 years ago

jbw976 commented 5 years ago

Thank you for your contribution and feedback! Help us review faster by providing the following information:

This issue is a: (mark with an x)

Steps to reproduce:

Run graphrbac tests by following https://github.com/Azure-Samples/azure-sdk-for-go-samples#to-run-tests:

set up authentication (see following)
dep ensure
go test -v ./graphrbac/

Auth was set up with:

> az ad sp create-for-rbac -n "test-app-202"
Retrying role assignment creation: 1/36
{
  "appId": "c8a83006-1848-43bc-b3ec-c73bb71c97f7",
  "displayName": "test-app-202",
  "name": "http://test-app-202",
  "password": "<omitted>",
  "tenant": "<omitted>"
}

Environment variables set with:

export AZURE_SUBSCRIPTION_ID=<omitted>
export AZURE_TENANT_ID=<omitted>
export AZURE_CLIENT_ID=c8a83006-1848-43bc-b3ec-c73bb71c97f7
export AZURE_CLIENT_SECRET=<omitted>
export AZURE_LOCATION_DEFAULT=westus2
export AZURE_BASE_GROUP_NAME=azure-samples-go
export AZURE_KEEP_SAMPLE_RESOURCES=0

Errors and log messages:

> go test -v ./graphrbac/
=== RUN   ExampleCreateServicePrincipal
2018/11/26 00:08:19 graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}]
2018/11/26 00:08:19 ad app created
--- FAIL: ExampleCreateServicePrincipal (0.60s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
    panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x1494afa]

Expected behavior:

The graphrbac tests to run and succeed.

OS and Go versions:

go version go1.10 darwin/amd64 macOS Mojave Version 10.14.1

Further info:

Note that due to #237, I got the tests running by renaming the internal dir to helpers, then fixing all the import paths.

The test-app-202 app is shown with the Contributor role in the Azure portal under Subscriptions -> Access Control (IAM).

Is this an issue with the sample repo's usage of the SDK? How can I troubleshoot further?
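The log above shows two separate problems: a 403 whose real cause is only visible in the `Details` payload (`Authorization_RequestDenied`, a directory-permission failure that a subscription-level Contributor/Owner role does not cover), and a nil pointer dereference because the sample keeps going after the failed `Create`. The following added example (not code from the sample repo or the SDK) parses that `Details` fragment, which is embedded below as a constructed copy of the log line, and classifies it; the `DiagnoseGraphError` function and `Diagnosis` type are assumptions introduced here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ODataError mirrors one element of the Details=[...] array the
// AAD Graph endpoint returned in the 403 response quoted in this issue.
type ODataError struct {
	Error struct {
		Code    string `json:"code"`
		Message struct {
			Lang  string `json:"lang"`
			Value string `json:"value"`
		} `json:"message"`
	} `json:"odata.error"`
}

// Diagnosis is the parsed error plus a hint on where to look.
type Diagnosis struct {
	Code    string
	Message string
	Hint    string
}

// Constructed sample: the Details fragment from the failing test's log line.
const sampleDetails = `[{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}]`

// DiagnoseGraphError parses the odata.error array and maps the code to a hint.
func DiagnoseGraphError(details string) (Diagnosis, error) {
	var errs []ODataError
	if err := json.Unmarshal([]byte(details), &errs); err != nil {
		return Diagnosis{}, fmt.Errorf("parse graph error details: %w", err)
	}
	if len(errs) == 0 {
		return Diagnosis{}, fmt.Errorf("graph error details are empty")
	}
	e := errs[0].Error
	d := Diagnosis{Code: e.Code, Message: e.Message.Value}
	switch e.Code {
	case "Authorization_RequestDenied":
		// ARM roles (Contributor/Owner on the subscription) are not directory
		// permissions; the service principal needs AAD application permissions.
		d.Hint = "service principal lacks directory (Azure AD) permissions; grant them on the app registration"
	default:
		d.Hint = "unclassified graph error; inspect code and message"
	}
	return d, nil
}

func main() {
	d, err := DiagnoseGraphError(sampleDetails)
	if err != nil { // stop here instead of dereferencing a nil result
		panic(err)
	}
	fmt.Printf("%s: %s (%s)\n", d.Code, d.Message, d.Hint)
}
```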

jbw976 commented 5 years ago

screen shot 2018-11-26 at 12 26 35 am

jbw976 commented 5 years ago

The tests fail with the same 403 Insufficient privileges to complete the operation error even when using the credentials of my global admin account. The global admin doesn't have sufficient privileges to create an AD app?

jbw976 commented 5 years ago

I've created a new test account that has the Owner role, and validated that the test account and the global admin account have sufficient privileges to create an AD app according to https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#required-permissions. Using the same global admin account, I can create an app using other means such as az ad app create or the Azure Portal UI, so it doesn't seem to be the account itself. Something isn't being configured or set up correctly for/in the unit tests.

jbw976 commented 5 years ago

I was able to get the graphrbac tests working to create an AD app successfully with the steps below, so I will close this issue. Not sure if that's the most streamlined approach, but it did work. Could these same permissions be added to the service principal all from the Azure CLI?

Create a service principal that will be used during the tests and has the Owner role:

az ad sp create-for-rbac --sdk-auth --role Owner

Then use the Azure Portal UI to add all the AD permissions to the service principal: Azure Active Directory -> App registrations -> "View all applications" button -> azure-cli- -> Settings -> Required Permissions -> Add -> Windows Azure Active Directory -> Select -> check all boxes -> Select -> Done -> Grant Permissions.

Screenshot included for easier reference. screen shot 2018-11-26 at 6 25 16 pm