hashicorp
Cannot assign groups to application via service principal
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureAD Provider) Version
Terraform v1.8.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/azuread v2.48.0
+ provider registry.terraform.io/jfrog/artifactory v10.7.4
+ provider registry.terraform.io/jfrog/platform v1.7.2
+ provider registry.terraform.io/jfrog/project v1.5.2
Affected Resource(s)
azuread_app_role_assignmentazuread_service_principalazuread_application
Terraform Configuration Files
# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp
resource "azuread_application" "jfrog" {
display_name = "Artifactory SAML SSO + SCIM"
}
resource "azuread_service_principal" "jfrog" {
client_id = azuread_application.jfrog.client_id
}
locals {
scim_groups = [
data.terraform_remote_state.az.outputs.azuread_group_devops,
]
}
resource "azuread_app_role_assignment" "jfrog" {
for_each = toset(local.scim_groups[*].object_id)
app_role_id = "18d14569-c3bd-439b-9a66-3a2aee01d14f"
principal_object_id = each.key
resource_object_id = azuread_service_principal.jfrog.object_id
}
Debug Output
https://gist.github.com/zemirco/07a36d90f68ac65f4ebcbfa420f8a94f
Panic Output
Expected Behavior
I'm able to add / remove groups to my Enterprise Application (so that the group members are able to login via SAML SSO) via my CI/CD pipeline using GitHub Actions by authenticating as a service principal.
This is how it should look like in the end.
The app registration has the Application.ReadWrite.OwnedBy permission.
The service principal uses OIDC to connect to our Azure AD.
Actual Behavior
It all works locally when I run the command as a user.
It does not work when the command runs inside our CI/CD pipeline which is GitHub Actions. Here we're getting the following error.
azuread_app_role_assignment.jfrog["3ef3cd62-73c6-402f-9951-18da865b3776"]: Destroying... [id=ed84d346-a092-46d6-aae2-b04b1da85370/appRoleAssignment/Ys3zPsZzL0CZURjahls3drJmFKwW-iZJp4rq67_hIuA]
╷
│ Error: Deleting app role assignment for resource "ed84d346-a0[9](***/actions/runs/9064212294/job/24920697658?pr=135#step:6:10)2-46d6-aae2-b04b1da85370" with ID "Ys3zPsZzL0CZURjahls3drJmFKwW-iZJp4rq67_hIuA", got status 403
│
│ AppRoleAssignedToClient.BaseClient.Delete(): unexpected status 403 with
│ OData error: Authorization_RequestDenied: Insufficient privileges to
│ complete the operation.
╵
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.
Steps to Reproduce
terraform apply
References
- Resource: azuread_app_role_assignment - API Permissions
- Microsoft Graph permissions reference - Application.ReadWrite.OwnedBy
Hi @zemirco, thanks for reporting this issue. I couldn't say why the DELETE request is being sent without seeing a copy of the plan for this apply, however you will need to assign the AppRoleAssignment.ReadWrite.All app role to your Terraform service principal in order to manage app role assignments. Unfortunately Application.ReadWrite.xyz is not sufficient - as this is a privileged API that technically permits you to add any API permission for any application.
It finally works. Here is how we did it 🥳
The permission Application.ReadWrite.OwnedBy is enough but the owner has to be set at the App Registration as well as the Enterprise Application.
Wow :) I'm so glad this finally works as we've spent so many hours on this topic.
Thank you for maintaining the azuread provider.
Ah that's great, thanks for reporting back! This is easily missed and I'll see if we can call this out more clearly in the docs.
