
azure lake-loader module app_registration gets insufficient privileges error

Open skylinezum opened this issue 2 years ago • 3 comments

I created a new Azure account with a pay-as-you-go subscription and gave myself all administrator roles as well as the contributor, user access admin, and storage blob data contributor roles for the resource groups created. But I still get this error.

Error: Could not create application

with module.lake_loader[0].azuread_application.app_registration,
on .terraform/modules/lake_loader/main.tf line 115, in resource "azuread_application" "app_registration":
115: resource "azuread_application" "app_registration" {

ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.

skylinezum avatar Oct 05 '23 17:10 skylinezum

Hey @skylinezum are you certain you have User Access Administrator enabled as per the docs? https://docs.snowplow.io/docs/getting-started-on-snowplow-open-source/quick-start/#prerequisites

This error looks like the required Active Directory permissions are not enabled / not allowed in your environment.

jbeemster avatar Oct 06 '23 08:10 jbeemster

I destroyed and redeployed a few more times just to make sure and checked IAM each time:

Screenshot 2023-10-08 at 12 22 35 AM

It seems correct, I added these roles to the created resource group in the iglu-server deployment step. Anything else that I may have missed?

skylinezum avatar Oct 07 '23 16:10 skylinezum

Hi @skylinezum sorry have been out for the past week. The resource in question that is failing is here: https://github.com/snowplow-devops/terraform-azurerm-lake-loader-vmss/blob/main/main.tf#L117-L121

  • Could you attempt to create just that type of Terraform resource in isolation and turn on Terraform debug logging to see if any more detail can be captured?
  • Creating the resource directly in the Azure Portal can be another route to hopefully validating that everything is set up correctly and capturing more error details?
  • Locally with your Azure CLI are you certain you have selected the correct subscription to deploy into that has these permissions?

We tested these permissions extensively, so concerned it's failing (and it does look like you have sufficient permissions attached)!

jbeemster avatar Oct 17 '23 09:10 jbeemster
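
A stand-alone configuration for the isolation test suggested in the comment above, as an added example that is not part of the thread or of the lake-loader module. The resource label `repro` and the display name are hypothetical, and it assumes the provider authenticates through the same Azure CLI login as the failing deployment.

```hcl
# Added example: only an azuread_application, so the 403 can be reproduced
# outside the lake_loader module and away from the resource-group roles.
#
# Run from an empty directory:
#   az account show --output table   # confirm the active tenant and subscription
#   terraform init
#   terraform plan                   # prints the caller's tenant_id and object_id
#   TF_LOG=DEBUG TF_LOG_PATH=./tf-debug.log terraform apply
# then search tf-debug.log for the request that returned status 403.

terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

# With no other credentials configured, the provider uses the Azure CLI login.
provider "azuread" {}

# The identity the provider is actually running as. Compare object_id with the
# account whose roles were checked in IAM.
data "azuread_client_config" "current" {}

resource "azuread_application" "repro" {
  display_name = "lake-loader-403-repro" # hypothetical name
  owners       = [data.azuread_client_config.current.object_id]
}

output "tenant_id" {
  value = data.azuread_client_config.current.tenant_id
}

output "caller_object_id" {
  value = data.azuread_client_config.current.object_id
}
```

If this fails with the same `Authorization_RequestDenied`, the denial comes from the directory request itself rather than from anything else the module creates.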

Closing due to inactivity and not being able to reproduce.

jbeemster avatar Jan 03 '25 16:01 jbeemster