crossplane-contrib / provider-upjet-azuread

AzureAD Provider for Crossplane.
https://marketplace.upbound.io/providers/upbound/provider-azuread/
Apache License 2.0

[Bug]: can't create Application missing API permission #145

Open DrummyFloyd opened 3 months ago

DrummyFloyd commented 3 months ago

### Is there an existing issue for this?

### Affected Resource(s)

```yaml
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
```

### Resource MRs required to reproduce the bug

```yaml
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
metadata:
  name: test-12a3234
spec:
  forProvider:
    displayName: toto-eso
    owners:
      - xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx6e
```

### Steps to Reproduce

Create the credentials with the following command, as the README explains:

  1. `az ad sp create-for-rbac --sdk-auth --role Owner --scopes /subscriptions/$SUB_ID > auth.json`
  2. `k apply -f mr-app.yaml`

### What happened?

```text
async create failed: failed to create the resource: [{0 Could not create
      application ApplicationsClient.BaseClient.Post(): unexpected status 403 with
      OData error: Authorization_RequestDenied: Insufficient privileges to complete
      the operation. []}]
```

I have to manually add these permissions to allow the App to be created.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "3.52.0" }
    azuread = { source = "hashicorp/azuread", version = "2.47.0" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

data "azurerm_client_config" "current" {}

resource "azuread_application" "eso-app" {
  display_name = "External Secret Demo App"
  owners       = [data.azurerm_client_config.current.object_id]

  logo_image = filebase64("/path/to/logo.png")
}

output "objectid" {
  value = data.azurerm_client_config.current.object_id
}
```

[slack-discussion](https://crossplane.slack.com/archives/C05E4LDNNG5/p1722693386469949)

### Relevant Error Output Snippet

_No response_

### Crossplane Version

1.16

### Provider Version

1.3.0

### Kubernetes Version

1.28

### Kubernetes Distribution

OVH

### Additional Info

_No response_

lennprog commented 1 month ago

Encountered the same issue for applications. Adding the permissions Application.ReadWrite.All and User.Read.All (as indicated here: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) for the service principal resolved it. Provider Version 1.4.0 does not provide an error message.
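A scripted form of the fix lennprog describes, added here as an example and not code from the provider or from either commenter: it resolves the two Microsoft Graph app roles by name from the tenant's Graph service principal, adds them to the provider's app registration with the Azure CLI, and admin-consents them. The script name, the helper names and the role ids in the constructed sample are assumptions; the real ids are read from the tenant at run time.

```python
"""Grant the Graph application permissions named in this thread to the provider's
service principal. Assumes the Azure CLI is installed and logged in as a tenant admin."""
import json
import subprocess
import sys

MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph appId
REQUIRED_ROLES = ["Application.ReadWrite.All", "User.Read.All"]  # from lennprog's comment

# Constructed sample of `az ad sp show --id <Graph appId>` output; the ids are
# placeholders, grant() reads the real ones from the tenant at run time.
SAMPLE_GRAPH_SP = {"appRoles": [
    {"id": "11111111-0000-4000-8000-000000000001", "value": "Application.ReadWrite.All", "isEnabled": True},
    {"id": "22222222-0000-4000-8000-000000000002", "value": "User.Read.All", "isEnabled": True},
    {"id": "33333333-0000-4000-8000-000000000003", "value": "Directory.ReadWrite.All", "isEnabled": False},
]}

def az(*args):
    """Run an az command; return its parsed JSON, or None when it prints nothing."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None

def resolve_app_roles(graph_sp, wanted):
    """Map permission names to appRole ids on the Graph service principal. App-only
    roles, not delegated scopes: the provider authenticates with client credentials and
    no signed-in user is present. Unknown or disabled roles raise instead of being skipped."""
    by_value = {r["value"]: r for r in graph_sp.get("appRoles", [])}
    ids = []
    for name in wanted:
        role = by_value.get(name)
        if role is None or not role.get("isEnabled", True):
            raise KeyError(f"Graph app role {name!r} not found or disabled")
        ids.append(role["id"])
    return ids

def permission_args(role_ids):
    """'<id>=Role' marks an application permission for `az ad app permission add`."""
    return [f"{rid}=Role" for rid in role_ids]

def grant(app_id):
    """Add the roles to the app registration and admin-consent them. `--role Owner`
    on a subscription is ARM RBAC and grants nothing in Entra ID, which is why the
    create-for-rbac principal from the report gets Authorization_RequestDenied."""
    role_ids = resolve_app_roles(az("ad", "sp", "show", "--id", MS_GRAPH_APP_ID), REQUIRED_ROLES)
    az("ad", "app", "permission", "add", "--id", app_id, "--api", MS_GRAPH_APP_ID,
       "--api-permissions", *permission_args(role_ids))
    az("ad", "app", "permission", "admin-consent", "--id", app_id)  # app-only roles need tenant admin consent
    return role_ids

if __name__ == "__main__":
    print(grant(sys.argv[1]))  # usage: python grant_graph_roles.py <clientId from auth.json>
```

Application.ReadWrite.All is tenant-wide, so the client secret in auth.json should be stored as a Kubernetes Secret with restricted access and rotated like any other directory-admin credential.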