I have been trying to deploy networks with peering to a hub in another tenant using the AzApi provider. I need to do so since I generate a dynamic number of subscriptions, making me unable to use the AzureRm provider as it requires a fixed subscription.
Now I have run into the issue where I connect with an app registration and a client secret and the cross tenant deployment is simply not working even after using the auxiliary_tenant_ids parameter. Using the same setting in the AzureRm provider as well as running the equivalent command in the Az CLI made the peering work.
The error received when running the AzApi is always a `LinkedAuthorizationFailed` error, with the more detailed error message being: `however the current tenant '***' is not authorized to access linked subscription '***'`.
I also tried Azure CLI authentication and the `auxiliary_tenant_ids` parameter still did not work. I also looked at the source code of the AzApi and manually set the environment variable `AZURE_ADDITIONALLY_ALLOWED_TENANTS` to `*`, but that also did not work. I cannot confirm whether it worked with other authentication methods because those were not available to me (MSI & OIDC), but at least I feel confident to say that the deployment across tenants did not work even when specifying the field.
The Azapi Resource Call that did not work. The azapi_resource.vnet_spoke is a deployment of multiple networks.
The AzureRm Resource call that did work in the cross tenant scenario is
I hope you can look into this issue and hopefully resolve it.
Best wishes Niko
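For readers reproducing the scenario, this is an added example of the configuration shape the report describes (a client-secret identity with `auxiliary_tenant_ids`, and a VNet peering created through `azapi_resource` toward a hub VNet in another tenant); it is not the reporter's own code. It assumes azapi provider 2.x syntax (`body` as an HCL object), and all variable names, the `vnet_spoke` map key, and the API version are placeholders.

```hcl
terraform {
  required_providers {
    azapi = { source = "Azure/azapi" }
  }
}

# Identity: a multi-tenant app registration in the home tenant.
# The same service principal must also be consented in the hub tenant
# and hold Network Contributor on the hub VNet, otherwise ARM rejects the
# peering with LinkedAuthorizationFailed regardless of the token it carries.
provider "azapi" {
  tenant_id     = var.home_tenant_id     # placeholder
  client_id     = var.client_id          # placeholder
  client_secret = var.client_secret      # placeholder, keep out of state/VCS
  # Ask the provider to acquire an additional token for the hub tenant so the
  # request for the linked (remote) VNet can be authorized there too.
  auxiliary_tenant_ids = [var.hub_tenant_id]  # placeholder
}

# Spoke VNets are created elsewhere as azapi_resource.vnet_spoke (a map);
# only the peering toward the hub is shown here.
resource "azapi_resource" "spoke_to_hub" {
  type      = "Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-09-01"
  name      = "peer-spoke-to-hub"
  parent_id = azapi_resource.vnet_spoke["spoke01"].id   # hypothetical key

  body = {
    properties = {
      allowVirtualNetworkAccess = true
      allowForwardedTraffic     = true
      allowGatewayTransit       = false
      useRemoteGateways         = false
      # Full resource ID of the hub VNet; its subscription belongs to the
      # other tenant, which is the "linked subscription" named in the error.
      remoteVirtualNetwork = {
        id = var.hub_vnet_id   # placeholder
      }
    }
  }
}
```

A quick check before blaming the provider: run the equivalent `az network vnet peering create` after `az login --tenant <hub tenant>` with the same service principal; if that succeeds while the azapi call fails, the remaining difference is the token the provider attaches, not the RBAC assignments.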