Thursday 13 July 2023

Fix Terraform Azure AD App Registration (SPN) Read Permissions Running with Azure DevOps Pipelines

Azure DevOps uses a service principal (SPN, backed by an Azure AD app registration) for the service connection to Azure that runs Terraform or other IaC deployments targeting Azure. You may run into an issue when that Terraform code needs to read the details of another Azure AD app registration. For example, consider the code segment below.

# aks kv app: look up an existing app registration by display name.
# Listing applications by filter is a Microsoft Graph call that the
# pipeline SPN must be authorised to make.
data "azuread_application" "akskv" {
  display_name = "${var.PREFIX}-${var.PROJECT}-aks-kv-app"
}

# Resolve the matching service principal (enterprise application).
# application_id is deprecated in favour of client_id from azuread provider 2.44.
data "azuread_service_principal" "akskv" {
  application_id = data.azuread_application.akskv.application_id
}

You may encounter the issue shown below.

##[error]Terraform command 'plan' failed with exit code '1'.
##[error]╷ Error: Listing applications for filter "displayName eq 'ch-demo-aks-kv-app'"

with data.azuread_application.akskv, on rbac.tf line 8, in data "azuread_application" "akskv":
  data "azuread_application" "akskv"

ApplicationsClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.


This happens because the service connection SPN does not have permission to read app registrations in Azure AD. The 403 comes from Microsoft Graph, not from Azure RBAC: a Contributor or Owner role on the subscription says nothing about what the SPN may read in the directory. In this case the SPN's Microsoft Graph API permissions contained only the AD group read permission, which does not cover application objects.


We need to add the Microsoft Graph permission Application.Read.All to the SPN that executes Terraform, so that it can read other app registrations and their service principals. Because the pipeline authenticates as the service principal itself, with no signed-in user, it must be the application permission (type Role), not the delegated one.

Once the permission is added, an administrator needs to grant admin consent for it. Until consent is granted the permission is only listed as required and Graph keeps returning 403.

With the permissions below set on the SPN, the Terraform code shown above runs in the Azure DevOps pipeline without any issues. Note that Application.Read.All allows the SPN to read every app registration in the tenant, including their owners and credential metadata, so treat the pipeline SPN as a privileged identity and keep its client secret or certificate under the same controls as the rest of the service connection.
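The same fix expressed as Terraform, as an added example that is not part of the original post. It is meant to be applied from a separate, privileged bootstrap context (the pipeline SPN cannot grant itself permissions; granting admin consent for Microsoft Graph application permissions needs a Global Administrator or Privileged Role Administrator, or an identity holding AppRoleAssignment.ReadWrite.All). It adds the Microsoft Graph Application.Read.All application permission to the pipeline app registration and creates the app role assignment that represents admin consent. The display name ado-terraform-pipeline and the resource labels are assumptions, and it assumes azuread provider 2.44 or later (older 2.x releases use application_id where client_id appears below).

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = ">= 2.44.0"
    }
  }
}

provider "azuread" {}

# Well-known application IDs published by Microsoft, including Microsoft Graph.
data "azuread_application_published_app_ids" "well_known" {}

# The Microsoft Graph service principal in this tenant. Its app_role_ids map
# resolves a permission name such as Application.Read.All to the app role ID
# that the permission grant below needs.
data "azuread_service_principal" "msgraph" {
  client_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
}

# The app registration behind the Azure DevOps service connection (assumed name).
resource "azuread_application" "pipeline" {
  display_name = "ado-terraform-pipeline"

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]

    # type = "Role" is an application permission. "Scope" would be the delegated
    # permission, which a pipeline with no signed-in user cannot use.
    resource_access {
      id   = data.azuread_service_principal.msgraph.app_role_ids["Application.Read.All"]
      type = "Role"
    }
  }
}

# The service principal (enterprise application) the service connection signs in as.
resource "azuread_service_principal" "pipeline" {
  client_id = azuread_application.pipeline.client_id
}

# Admin consent for an application permission is an app role assignment from the
# Microsoft Graph service principal to the pipeline service principal. Without
# this resource the permission is listed but "not granted" and Graph still
# answers 403 Authorization_RequestDenied.
resource "azuread_app_role_assignment" "pipeline_application_read_all" {
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["Application.Read.All"]
  principal_object_id = azuread_service_principal.pipeline.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}
```

After apply, the Enterprise Applications blade for ado-terraform-pipeline shows Application.Read.All under Permissions as granted for the tenant, and the data "azuread_application" lookup from the original post succeeds when run through the service connection. Keeping the grant in Terraform also makes it visible in code review, which is useful because this permission is tenant-wide rather than scoped to the one app registration the pipeline actually needs.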

