search

hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0
415 stars 280 forks source link

azuread_group_role_management_policy throws 403 permission scope not granted error #1407

Open cveld opened 3 weeks ago

cveld commented 3 weeks ago

Community Note

Terraform (and AzureAD Provider) Version

Affected Resource(s)

Terraform Configuration Files


resource "azuread_group_role_management_policy" "example" {
  group_id = data.azuread_group.example.id
  role_id  = "member"
}

# created by SpokeBaseline/eu-dev
data "azuread_group" "example" {
  display_name = "sg-somegroup"
}

Debug Output

Panic Output

Expected Behavior

The azuread provider should run fine without a permission error.

Actual Behavior

β•·
β”‚ Error: Could not parse policy assignment ID, Could not list existing policy assignments, RoleManagementPolicyAssignmentClient.BaseClient.Get(): unexpected status 403 with OData error: UnknownError: {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope RoleManagementPolicy.Read.AzureADGroup,RoleManagementPolicy.ReadWrite.AzureADGroup.","instanceAnnotations":[]}
β”‚
β”‚   with azuread_group_role_management_policy.example,
β”‚   on main.tf line 2, in resource "azuread_group_role_management_policy" "example":
β”‚    2: resource "azuread_group_role_management_policy" "example" {
β”‚
β”‚ Could not parse policy assignment ID, Could not list existing policy assignments,
β”‚ RoleManagementPolicyAssignmentClient.BaseClient.Get(): unexpected status 403 with OData error: UnknownError:
β”‚ {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope
β”‚ RoleManagementPolicy.Read.AzureADGroup,RoleManagementPolicy.ReadWrite.AzureADGroup.","instanceAnnotations":[]}
β•΅

Steps to Reproduce

  1. Running as user
  2. User has global administrator role in Entra
  3. terraform apply

Important Factoids

References

Maybe the following azure cli issues are helpful:

manicminer commented 3 weeks ago

Hi @cveld, thanks for reporting this. As you have suggested, this does seem to be an issue with the delegated permissions obtained by Azure CLI. At this time there is little we can do about it, except suggest, as it has been in the linked issue, that you use application credentials to authenticate instead of a user account (and furthermore, our recommendation would be to use the provider's native support rather than using Azure CLI). I recognise this may be undesirable or infeasible due to organizational policies or other concerns, however we are unfortunately blocked on Azure CLI at this time.

cveld commented 3 weeks ago

@manicminer if user identity is not supported as this moment, can you can add that to the docs? the current version gave the impression to me that it should work:

When authenticated with a user principal, this resource requires Global Administrator directory role, or the Privileged Role Administrator role in Identity Governance.

manicminer commented 3 weeks ago

Yes, I'm hoping soon to audit the documented scopes for all resources and update accordingly.

cveld commented 3 weeks ago

Maybe azuread could implement its own user auth and provide a customizable client id πŸ˜… well I am more a fan of delegating access tokens to az cli. But never hit into the limitation of the client id permissions before. That surprised me.