While building infrastructure in Azure with Terraform, Terraform is unable to register Azure resource providers due to permission-related errors.

英利 前川 0 Reputation points
2023-10-17T01:37:40.2733333+00:00

Background

We are working with Terraform to build infrastructure in Azure.

We have a new Azure account (created from an existing Microsoft account: hide1227**).

We obtained a subscription (2d4be890-e129-47e5-92cf-****) and tenant ID (4e8a1fd9-f8cc-41be-8054-**) and registered a new application (ExampleApp01). The Terraform code was created in Azraform.

The Terraform code has been placed in Azure Repo (ExampleApp01) and Git management has started, but we have not yet configured up to Azure Pipeline.

We have already created a dedicated Workspace in Terraform Cloud (ProjectExample01) and have Terraform CLI installed locally.

In the main.tf file in Terraform, there is a configuration point for the Azure provider, so I configured it as follows.

provider "azurerm" {
  features {}
  subscription_id = "2d4be890-e129-47e5-92cf-********"
  client_id       = "02d3bb90-1047-4188-a5e0*********"
  client_secret   = "r****"
  tenant_id       = "4e8a1fd9-f8cc-41be-8054-********"
}


Now, I understand that all the configuration information is ready, but when I actually run the Terraform plan, the following error occurs.

Error when the "Application ID" of "ExampleApp01" is specified in client_id:

Original Error: populating Resource Provider cache: listing Resource Providers: loading results: unexpected status 403 with error: AuthorizationFailed: The client '74111c25-2fa3-4991-9899-d13c967ca074' with object id '74111c25-2fa3-4991-9899-d13c967ca074' does not have authorization to perform action 'Microsoft.Resources/subscriptions/providers/read' over scope '/subscriptions/2d4be890-e129-47e5-92cf-5667ab3d3f3b' or the scope is invalid. If access was recently granted, please refresh your credentials.

Error when the "object ID" of "ExampleApp01" is specified in client_id:

Error: building account: could not acquire access token to parse claims: clientCredentialsToken: received HTTP status 400 with response: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier '74111c25-2fa3-4991-9899-d13c967ca074' was not found in the directory 'Default Directory'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 000d629a-c33e-4d97-b896-eb8cb2d51b00\r\nCorrelation ID: a71be959-b350-4827-b01d-e448d930ba93\r\nTimestamp: 2023-10-17 01:18:05Z","error_codes":[700016],"timestamp":"2023-10-17 01:18:05Z","trace_id":"000d629a-c33e-4d97-b896-eb8cb2d51b00","correlation_id":"a71be959-b350-4827-b01d-e448d930ba93","error_uri":"https://login.microsoftonline.com/error?code=700016"}

Could you please give us a solution?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Carlos Solís Salazar 18,191 Reputation points MVP Volunteer Moderator
    2023-10-17T16:15:43.4033333+00:00

    It would help if you gave the necessary RBAC to your App Registration on your subscription, for example usually I give the Role Contributor to the app registration that uses Terraform.

    Hope this helps!

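The two errors in the question are different failures, and the answer's RBAC fix applies only to the first. The 403 AuthorizationFailed message means a token was issued (the identity is valid) but the service principal holds no role covering `Microsoft.Resources/subscriptions/providers/read` on the subscription; AADSTS700016 means the value passed as client_id is not an Application (client) ID in that tenant, which is what happens when the object ID is used instead. The following is an added example, not code from the question or the answer: it parses the quoted error text offline and prints which fix applies, together with the standard az CLI commands to check and assign the role. The GUIDs and the name ExampleApp01 are taken from the question; the `role` default of Contributor follows the answer.

```python
"""Offline triage for the two azurerm provider errors quoted in the question.

Added example; it only parses the error text Terraform printed and maps each
pattern to the remediation that applies. The az CLI commands it suggests are
standard ones; nothing here talks to Azure.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Error texts as quoted in the question (the second one wraps mid-sentence).
ERR_403 = (
    "populating Resource Provider cache: listing Resource Providers: loading results: "
    "unexpected status 403 with error: AuthorizationFailed: The client "
    "'74111c25-2fa3-4991-9899-d13c967ca074' with object id "
    "'74111c25-2fa3-4991-9899-d13c967ca074' does not have authorization to perform "
    "action 'Microsoft.Resources/subscriptions/providers/read' over scope "
    "'/subscriptions/2d4be890-e129-47e5-92cf-5667ab3d3f3b' or the scope is invalid."
)
ERR_400 = (
    'clientCredentialsToken: received HTTP status 400 with response: {"error":'
    '"unauthorized_client","error_description":"AADSTS700016: Application with '
    "identifier '74111c25-2fa3-4991-9899-d13c967ca074' was \n"
    "not found in the directory 'Default Directory'. You may have sent your "
    'authentication request to the wrong tenant."}'
)

AUTHZ_RE = re.compile(
    r"AuthorizationFailed: The client '(?P<client>[^']+)' with object id '(?P<oid>[^']+)' "
    r"does not have authorization to perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'"
)
AADSTS_RE = re.compile(
    r"AADSTS700016: Application with identifier '(?P<ident>[^']+)' "
    r"was not found in the directory '(?P<directory>[^']+)'"
)
GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


@dataclass
class Diagnosis:
    kind: str                     # "missing_rbac", "unknown_client" or "unknown"
    principal: str | None = None  # SP object id (403) or the rejected identifier (400)
    action: str | None = None
    scope: str | None = None
    remediation: list[str] = field(default_factory=list)


def diagnose(error_text: str, role: str = "Contributor", app_name: str = "ExampleApp01") -> Diagnosis:
    # Collapse whitespace so a message wrapped across lines still matches.
    text = " ".join(error_text.split())

    m = AUTHZ_RE.search(text)
    if m:
        oid, action, scope = m["oid"], m["action"], m["scope"]
        # Authentication succeeded; only a role assignment on the scope is missing.
        return Diagnosis(
            kind="missing_rbac", principal=oid, action=action, scope=scope,
            remediation=[
                f"az role assignment list --assignee {oid} --scope {scope} --output table",
                f"az role assignment create --assignee-object-id {oid} "
                f"--assignee-principal-type ServicePrincipal --role {role} --scope {scope}",
            ],
        )

    m = AADSTS_RE.search(text)
    if m:
        ident = m["ident"]
        if GUID_RE.match(ident):
            hint = ("is a GUID but not an Application (client) ID in this tenant; it is most "
                    "likely the object ID of the app or its service principal")
        else:
            hint = "is not a GUID at all; copy the Application (client) ID from the App Registration"
        return Diagnosis(
            kind="unknown_client", principal=ident,
            remediation=[
                f"identifier {ident} {hint}",
                # appId is the value that belongs in client_id; id is the object ID.
                f'az ad app list --display-name {app_name} --query "[].{{appId:appId,objectId:id}}" --output table',
                "confirm tenant_id is the directory that holds the App Registration",
            ],
        )

    return Diagnosis(kind="unknown")


if __name__ == "__main__":
    for label, err in (("403", ERR_403), ("400", ERR_400)):
        d = diagnose(err)
        print(f"[{label}] {d.kind}: principal={d.principal} action={d.action} scope={d.scope}")
        for step in d.remediation:
            print("   ", step)
```

Two practical notes on the fix itself. Contributor at subscription scope is what the answer recommends and is the common choice; if Terraform only manages a single resource group, a narrower assignment is worth considering, but the action in the 403 error is read at subscription scope, so the principal still needs at least that read at `/subscriptions/<id>` for provider registration. Separately, the provider block in the question carries `client_secret` in main.tf that is tracked in Azure Repos; the azurerm provider reads the same values from the `ARM_CLIENT_ID`, `ARM_CLIENT_SECRET`, `ARM_TENANT_ID` and `ARM_SUBSCRIPTION_ID` environment variables (or Terraform Cloud workspace variables marked sensitive), which keeps the secret out of the repository.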
