Azure / terraform-azurerm-avm-res-keyvault-vault

Azure Verified Module for Key Vault
https://registry.terraform.io/modules/Azure/avm-res-keyvault-vault/azurerm/latest
MIT License

"AuthorizationFailed": Error when trying to add the Authorization for the service principal #110

Closed ebrookman closed 3 months ago

ebrookman commented 3 months ago

Check for previous/existing GitHub issues

Issue Type?

Bug

(Optional) Module Version

No response

(Optional) Correlation Id

No response

Description

This is the error that I get when I am trying to add the authorization for the new keyvault that is created. Please let me know what permissions are needed above contributor to the subscription. I've tried creating a custom permission, but to no avail.

```
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '24bd450f-6acd-4c09-8eba-9a43207e2bdc' with object id '24bd450f-6acd-4c09-8eba-9a43207e2bdc' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/af985f55-f7fc-41d5-a587-66f8601d2060/resourceGroups/rg-epic-shared-mgmt-cus/providers/Microsoft.KeyVault/vaults/kv-chn-epic-shared-cus/providers/Microsoft.Authorization/roleAssignments/ad4af6a9-c864-dc40-218d-90d113f4048d' or the scope is invalid. If access was recently granted, please refresh your credentials."

  with module.primary_keyvault.azurerm_role_assignment.this["deployment_user_secrets"]
  on .terraform/modules/primary_keyvault/main.tf line 45, in resource "azurerm_role_assignment" "this":
  resource "azurerm_role_assignment" "this" {
```

matt-FFFFFF commented 3 months ago

Hi,

Please see this article that should help:

https://learn.microsoft.com/azure/role-based-access-control/delegate-role-assignments-portal?tabs=template

ebrookman commented 3 months ago

Thanks @matt-FFFFFF. This explained what was needed perfectly. It may be a good idea to add it to the first section of the README.md file also. Thank you for the quick response.
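
The fix the linked article describes, shown as an added Terraform example (not code from the module, the issue or its participants): the 403 above is raised because Contributor does not include `Microsoft.Authorization/roleAssignments/write`, and the module needs that action at the vault scope to create the `deployment_user_secrets` assignment. Rather than granting Owner or User Access Administrator, a subscription owner delegates the built-in Role Based Access Control Administrator role to the deploying service principal at resource-group scope with an ABAC condition that limits it to assigning and removing only the Key Vault data-plane roles the module needs. Assumed names: the resource group `rg-example`, the variable `deployer_object_id` (object id of the principal that runs `terraform apply`), and the shape of the module's `role_assignments` input, which follows the AVM interface convention and is marked as an assumption in the comments. Role GUIDs are looked up with the `azurerm_role_definition` data source instead of being hard-coded.

```hcl
# Added example; not part of the module or this issue.
# Assumes azurerm provider 3.x, an existing resource group "rg-example" (placeholder),
# and var.deployer_object_id = object id of the service principal running Terraform.

variable "deployer_object_id" {
  description = "Object id of the deployment service principal (assumed input)."
  type        = string
}

data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "target" {
  name = "rg-example" # placeholder resource group name
}

# Resolve built-in role GUIDs at plan time rather than hard-coding them.
data "azurerm_role_definition" "kv_secrets_officer" {
  name = "Key Vault Secrets Officer"
}

data "azurerm_role_definition" "kv_secrets_user" {
  name = "Key Vault Secrets User"
}

locals {
  # The only roles the deployer may grant or revoke; anything else is denied by the condition.
  allowed_role_ids = join(", ", [
    data.azurerm_role_definition.kv_secrets_officer.role_definition_id,
    data.azurerm_role_definition.kv_secrets_user.role_definition_id,
  ])
}

# Applied once by a subscription Owner / User Access Administrator.
# Grants roleAssignments/write and /delete at resource-group scope (inherited by the vault),
# constrained so the deployer can only hand out the two Key Vault roles listed above.
resource "azurerm_role_assignment" "deployer_rbac_admin" {
  scope                = data.azurerm_resource_group.target.id
  role_definition_name = "Role Based Access Control Administrator"
  principal_id         = var.deployer_object_id
  condition_version    = "2.0"
  condition            = <<-EOT
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
      )
      OR
      (
        @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_ids}}
      )
    )
    AND
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
      )
      OR
      (
        @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_ids}}
      )
    )
  EOT
}

# The module call that failed in the issue, now run by the delegated deployer.
# The role_assignments shape below is the AVM convention and is an assumption here.
module "primary_keyvault" {
  source = "Azure/avm-res-keyvault-vault/azurerm"

  name                = "kv-example-placeholder" # placeholder vault name
  location            = data.azurerm_resource_group.target.location
  resource_group_name = data.azurerm_resource_group.target.name
  tenant_id           = data.azurerm_client_config.current.tenant_id

  role_assignments = {
    deployment_user_secrets = {
      role_definition_id_or_name = "Key Vault Secrets Officer" # permitted by the condition above
      principal_id               = var.deployer_object_id
    }
  }

  # Make sure the delegation exists before the module tries to write role assignments.
  depends_on = [azurerm_role_assignment.deployer_rbac_admin]
}
```

Two points worth checking before relying on this: the delegating assignment must be created by an identity that itself holds `Microsoft.Authorization/roleAssignments/write` at the resource-group scope or above, and a request for any role outside `local.allowed_role_ids` (for example Key Vault Administrator) is rejected with the same `AuthorizationFailed` message seen in the issue, which is the intended least-privilege outcome rather than a misconfiguration. Because Azure RBAC changes take a few minutes to propagate, a first `terraform apply` straight after the delegation may still return a 403 and simply needs to be re-run.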