[Bug]: can't create Application missing API permission #145

Open
1 task done
DrummyFloyd opened this issue Aug 6, 2024 · 1 comment
Labels
bug Something isn't working needs:triage


DrummyFloyd commented Aug 6, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Affected Resource(s)

apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application

Resource MRs required to reproduce the bug

apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
metadata:
  name: test-12a3234
spec:
  forProvider:
    displayName: toto-eso
    owners:
      - xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx6e

Steps to Reproduce

Create the credentials with the following command, as the README explains:

  1. az ad sp create-for-rbac --sdk-auth --role Owner --scopes /subscriptions/$SUB_ID > auth.json
  2. k apply -f mr-app.yaml

What happened?

async create failed: failed to create the resource: [{0 Could not create
      application ApplicationsClient.BaseClient.Post(): unexpected status 403 with
      OData error: Authorization_RequestDenied: Insufficient privileges to complete
      the operation. []}]

I have to manually add these permissions to allow the App to be created.

But when I do this with the same TF provider version, I get no issue (I use the same login on both sides):

terraform {
 required_providers {
   azurerm = {
     source  = "hashicorp/azurerm"
     version = "3.52.0"
   }
   azuread = {
     source  = "hashicorp/azuread"
     version = "2.47.0"
   }
 }
}

provider "azurerm" {
 features {}
}

provider "azuread" {

}

data "azurerm_client_config" "current" {}
resource "azuread_application" "eso-app" {
 display_name = "External Sectret Demo App"
 owners       = [data.azurerm_client_config.current.object_id]
 #logo_image       = filebase64("/path/to/logo.png")
}
output "objectid" {
 value = data.azurerm_client_config.current.object_id
}

slack-discussion

Relevant Error Output Snippet

No response

Crossplane Version

1.16

Provider Version

1.3.0

Kubernetes Version

1.28

Kubernetes Distribution

OVH

Additional Info

No response

@DrummyFloyd DrummyFloyd added bug Something isn't working needs:triage labels Aug 6, 2024

lennprog commented Sep 19, 2024

Encountered the same issue for applications. Adding the permissions Application.ReadWrite.All, User.Read.All (as indicated here https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) for the service principal resolved it. Provider Version 1.4.0 does not provide an error message.
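
A pre-flight check for the permission gap discussed in this thread, as an added example that is not part of the issue or the provider's code: it inspects a Microsoft Graph access token obtained for the provider's service principal and reports which of the two application permissions named above are missing from its `roles` claim. The function names and the sample tokens are constructed for illustration.

```python
import base64
import json

# Application permissions (Microsoft Graph app roles) that the comment above
# reports as resolving the 403 for the provider's service principal.
REQUIRED_ROLES = frozenset({"Application.ReadWrite.All", "User.Read.All"})


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    For inspecting a token you obtained yourself; never base an
    authorization decision on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_graph_roles(token: str, required=REQUIRED_ROLES) -> set:
    """Return the required app roles absent from the token's `roles` claim."""
    claims = jwt_claims(token)
    # App-only (client credentials) tokens list consented application
    # permissions in `roles`; the claim is absent when none are granted.
    granted = set(claims.get("roles", []))
    return set(required) - granted


def constructed_token(roles):
    """Build an unsigned sample token (constructed data, not a real token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"aud": "https://graph.microsoft.com",
              "appid": "00000000-0000-0000-0000-000000000000"}  # placeholder id
    if roles is not None:
        claims["roles"] = roles
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


if __name__ == "__main__":
    samples = [("no roles claim", None), ("both roles consented", sorted(REQUIRED_ROLES))]
    for label, roles in samples:
        gap = missing_graph_roles(constructed_token(roles))
        print(f"{label}: missing {sorted(gap) or 'nothing'}")
```

An empty result means the token already carries both permissions, so a 403 on Application creation would have another cause.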
