jbw976 closed 5 years ago
The tests fail with the same `403 Insufficient privileges to complete the operation` error even when using the credentials of my global admin account. The global admin doesn't have sufficient privileges to create an AD app?
I've created a new test account that has the `Owner` role, and validated that the test account and the global admin account have sufficient privileges to create an AD app according to https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#required-permissions. Using the same global admin account, I can create an app using other means such as `az ad app create` or the Azure Portal UI, so it doesn't seem to be the account itself. Something isn't being configured or set up correctly for/in the unit tests.
I was able to get the graphrbac tests working to create an AD app successfully with the steps below, so I will close this issue. Not sure if that's the most streamlined approach, but it did work. Could these same permissions be added to the service principal all from the Azure CLI?
Create a service principal that will be used during the tests and has the Owner role:
az ad sp create-for-rbac --sdk-auth --role Owner
Then use the Azure Portal UI to add all the AD permissions to the service principal:
Azure Active Directory -> App registrations -> "View all applications" button -> azure-cli-
Screenshot included for easier reference.
Thank you for your contribution and feedback! Help us review faster by providing the following information:
This issue is a: (mark with an `x`)
Steps to reproduce:
Run graphrbac tests by following https://github.com/Azure-Samples/azure-sdk-for-go-samples#to-run-tests:
Auth was set up with:
Environment variables set with:
Errors and log messages:
Expected behavior:
The graphrbac tests to run and succeed.
OS and Go versions:
go version go1.10 darwin/amd64 macOS Mojave Version 10.14.1
Further info:
Note that due to #237, I got the tests running by renaming the `internal` dir to `helpers`, then fixing all the import paths.
The `test-app-202` app is shown with the `Contributor` role in the Azure portal under Subscriptions -> Access Control (IAM).
Is this an issue with the sample repo's usage of the SDK? How can I troubleshoot further?