Assigning Azure service roles as a Service Principal

Time:01-29

I have created a Service Principal with the following access:

  • Contributor role on subscription
  • Global administrator role on AAD tenant
  • Consented Microsoft Graph API permissions:
    • Group.Read.All
    • User.Read.All

While authenticated with this SP, I am trying to assign Azure service roles to AAD groups. For example:

resource "azurerm_role_assignment" "storage_account_admin" {
  scope                = azurerm_storage_account.my_storage.id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = data.azuread_group.my_group.object_id
}

When trying to apply this, Terraform throws an authorisation error from Azure:

The client '...' with object id '...' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/...' or the scope is invalid. If access was recently granted, please refresh your credentials.

I am able to create this resource with my user Azure account, which has the Owner role. Do I need to elevate my Service Principal to Owner -- that seems a bit dangerous -- or is there a more specific way of resolving this?

CodePudding user response:

The reason you are getting this error is because the Contributor role does not include authorization related permissions like role assignments.

To fix this error, either assign Owner role to your Service Principal or add User Access Administrator role to the Service Principal.
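As an added example (not code from the original question or answer), this is how the second option looks in Terraform: granting the built-in User Access Administrator role to the Service Principal at subscription scope, which is what allows it to perform Microsoft.Authorization/roleAssignments/write. The Service Principal display name is a placeholder, and the data source lookups are assumptions about how the SP and subscription are referenced in your configuration.

```hcl
# Added example, not from the original post. Grants the Service Principal the
# built-in "User Access Administrator" role at subscription scope so that the
# azurerm_role_assignment in the question no longer fails with
# 'Microsoft.Authorization/roleAssignments/write' not authorized.

data "azurerm_subscription" "current" {}

# Assumed: the Service Principal Terraform authenticates as, looked up by its
# display name. "my-terraform-sp" is a placeholder.
data "azuread_service_principal" "terraform_sp" {
  display_name = "my-terraform-sp"
}

# This assignment must be applied by an identity that already holds Owner or
# User Access Administrator on the subscription (for example the user account
# with the Owner role mentioned in the question); the SP cannot grant it to
# itself, because that is exactly the permission it is missing.
resource "azurerm_role_assignment" "sp_user_access_admin" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "User Access Administrator"
  principal_id         = data.azuread_service_principal.terraform_sp.object_id
}
```

Two points worth keeping in mind when using this. First, the scope can be narrower than the subscription: if the SP only ever assigns roles on resources inside one resource group, granting User Access Administrator on that resource group (scope = the resource group id) is enough and limits the blast radius. Second, User Access Administrator is still a highly privileged role, since within its scope it can grant any role, including Owner, to any principal; keeping it alongside Contributor rather than replacing both with Owner at least separates resource management from access management and makes the SP's role assignments easy to audit.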
