Azure Cost Management
A Microsoft offering that enables tracking of cloud usage and expenditures for Azure and other cloud providers.
3,581 questions
Error: building account: getting authenticated object ID: listing Service Principals: autorest.DetailedError{Original:(*azure.RequestError)(0xc001c22360), PackageType:"graphrbac.ServicePrincipalsClient", Method:"List", StatusCode:403, Message:"Failure res
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 79%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENL%3C/text%3E%3C/svg%3E)
Nho Luong
65
Reputation points
Hello,
I have use my terrafrom then create my azure resource for all services but now i have problem
step 1. use global administrator create
az account set --subscription="xxxxxx"
az ad sp create-for-rbac --name “nholuong” --role "Contributor" --scopes "/subscriptions/xxxxx"
Creating 'Contributor' role assignment under scope '/subscriptions/xxxxxx'
step 2.
az logout
az login \
--service-principal \
--tenant xxxxxx \
--username xxxx \
--password xxxxx \
--output table
az account set --subscription="xxxxx"
az account list --output table
=====================================
nholu@nholuongs-MBP uat % terraform init && terraform plan
Initializing modules...
Initializing the backend...
Initializing provider plugins...
- Reusing previous version of hashicorp/kubernetes from the dependency lock file
- Reusing previous version of hashicorp/local from the dependency lock file
- Reusing previous version of hashicorp/random from the dependency lock file
- Reusing previous version of hashicorp/azurerm from the dependency lock file
- Reusing previous version of hashicorp/azuread from the dependency lock file
- Reusing previous version of hashicorp/helm from the dependency lock file
- Reusing previous version of hashicorp/template from the dependency lock file
- Using previously-installed hashicorp/helm v2.4.1
- Using previously-installed hashicorp/template v2.2.0
- Using previously-installed hashicorp/kubernetes v2.7.1
- Using previously-installed hashicorp/local v2.1.0
- Using previously-installed hashicorp/random v3.1.0
- Using previously-installed hashicorp/azurerm v2.90.0
- Using previously-installed hashicorp/azuread v2.15.0
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
module.uat.data.template_file.auto_scale_db: Reading...
module.uat.data.template_file.auto_scale_db: Read complete after 0s [id=be407951f3b2bddddc6317fec56610a86fe14293ebe6f69bce88a03a3f1295dd]
╷
│ Error: building account: getting authenticated object ID: listing Service Principals: autorest.DetailedError{Original:(*azure.RequestError)(0xc001c3e090), PackageType:"graphrbac.ServicePrincipalsClient", Method:"List", StatusCode:403, Message:"Failure responding to request", ServiceError:[]uint8(nil), Response:(*http.Response)(0xc001c3e000)}
│
│ with provider["registry.terraform.io/hashicorp/azurerm"],
│ on providers.tf line 1, in provider "azurerm":
│ 1: provider "azurerm" {
│
╵
Azure Cost Management
{count} votes
-
Nho Luong 65 Reputation points
2025-06-08T03:39:56.7033333+00:00 FYI
module "key_vault_access_policy_user_admin" { source = "../modules/security/key_vault/key_vault_access_policy" global_tenant_id = data.azurerm_client_config.current.tenant_id key_vault_id = module.key_vault.i object_id = "6c439a5c-b246-4ddf-b03e-513652c8908f" #data.azurerm_client_config.current.object_id key_permissions = [ "Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", "Decrypt", "Encrypt", "UnwrapKey", "WrapKey", "Verify", "Sign", "Purge" ] secret_permissions = [ "Get", "List", "Set", "Delete", "Recover", "Backup", "Restore", "Purge" ] certificate_permissions = [ "Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", "ManageContacts", "ManageIssuers", "GetIssuers", "ListIssuers", "SetIssuers", "DeleteIssuers", "Purge" ] depends_on = [module.key_vault] } -
Nho Luong 65 Reputation points
2025-06-08T08:12:24.1966667+00:00 Hello Everybody,
Please advise help me this case?
hu hu hic hic -
Nho Luong 65 Reputation points
2025-06-10T01:49:59.3233333+00:00 I have upgrade my azurerm then i can create my azure
required_providers { azurerm = { source = "hashicorp/azurerm" # version = "=2.90.0" version = "~> 3.108.0"==========
but now i have error with# Install helm package for application gateway resource "helm_release" "agic" { name = "agic" repository = "https://appgwingress.blob.core.windows.net/ingress-azure-helm-package" chart = "ingress-azure" namespace = kubernetes_namespace.agic_ns.metadata[0].name # todo: pass proper name from aks module version = var.helm_agic_version timeout = 600NOT FOUND
repository = "https://appgwingress.blob.core.windows.net/ingress-azure-helm-package"=>>>>>>>>
le.uat.module.key_vault_access_policy_user_admin.azurerm_key_vault_access_policy.key_vault_access_policy: Creating...
module.uat.module.appgw.helm_release.agic: Creating...
╷
│ Error: looks like "https://appgwingress.blob.core.windows.net/ingress-azure-helm-package" is not a valid chart repository or cannot be reached: failed to fetch https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/index.yaml : 409 Public access is not permitted on this storage account.
│
│ with module.uat.module.appgw.helm_release.agic,
│ on modules/container/appgw/main.tf line 291, in resource "helm_release" "agic":
│ 291: resource "helm_release" "agic" {
│
╵
╷
│ Error: A resource with the ID "/subscriptions/4e2c020a-0252-4eb8-b510-1f78b38677b0/resourceGroups/iAEONUatEnv/providers/Microsoft.KeyVault/vaults/iaeon-kv-uatkeyvaults/objectId/9adafb5e-c17e-4601-9306-7c24404c7bde/applicationId/9adafb5e-c17e-4601-9306-7c24404c7bde" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault_access_policy" for more information.
│
│ with module.uat.module.key_vault_access_policy_user_admin.azurerm_key_vault_access_policy.key_vault_access_policy,
│ on modules/security/key_vault/key_vault_access_policy/main.tf line 1, in resource "azurerm_key_vault_access_policy" "key_vault_access_policy":
│ 1: resource "azurerm_key_vault_access_policy" "key_vault_access_policy" {
│
╵
╷
│ Error: A resource with the ID "/subscriptions/4e2c020a-0252-4eb8-b510-1f78b38677b0/resourceGroups/iAEONUatEnv/providers/Microsoft.KeyVault/vaults/iaeon-kv-uatkeyvaults/objectId/9adafb5e-c17e-4601-9306-7c24404c7bde/applicationId/9adafb5e-c17e-4601-9306-7c24404c7bde" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault_access_policy" for more information.
│
│ with module.uat.module.key_vault_access_policy_agic_runtime.azurerm_key_vault_access_policy.key_vault_access_policy,
│ on modules/security/key_vault/key_vault_access_policy/main.tf line 1, in resource "azurerm_key_vault_access_policy" "key_vault_access_policy":
│ 1: resource "azurerm_key_vault_access_policy" "key_vault_access_policy" {
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 20%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator2025-06-10T20:40:56.4066667+00:00 Hi Nho Luong
This error indicates that the service principal does not have the necessary permissions to list service principals. Ensure it has the appropriate role and permissions in Azure Active Directory (AAD). Verify the role assignments and ensure the service principal is assigned the "Contributor" role at the subscription level.
The error suggests that public access is not permitted on the storage account hosting the Helm charts. Configure the storage account to allow public access or use a different repository that is accessible.
This error indicates that a resource already exists and suggests that you are trying to create a Key Vault access policy already present in your Azure environment. To manage this resource with Terraform, import it into your Terraform state using the terraform import command, specifying the resource ID.
Verify that you have initialized Terraform correctly and that all required providers are up to date. Run the command terraform init whenever you change your provider configurations.
Kindly let us know if the above helps or you need further assistance on this issue.
Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
-
Nho Luong 65 Reputation points
2025-06-11T05:22:03.24+00:00 Hello @Pranay Reddy Madireddy
Thank you for help
As i mentions above then current for my user á: Global Administrator
Now i have again and again with not found then i have change to github and oci but still not found
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 87%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVB%3C/text%3E%3C/svg%3E)
-
Vinay B 500 Reputation points Microsoft External Staff Moderator
2025-06-13T08:39:31.97+00:00 Hello Nho Luong,
Even if you are a Global Administrator, the app or service principal used by Terraform still requires its own delegated or application permissions.
So make sure you're using a service principal (app registration) for Terraform, ensure it has "Directory.Read.All" permission granted.
Go to Azure Portal > App registrations > Your SP > API permissions.
- Add permission for:
- Microsoft Graph > Application >
Directory.Read.All
- Microsoft Graph > Application >
- Click "Grant admin consent" after adding.
- Retry your Terraform deployment.
If your Terraform modules use AzureAD or GraphRBAC, consider migrating to Microsoft Graph support in AzureAD provider and updating Terraform resources accordingly.
Refer: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/microsoft-graph
The issue you mentioned
failed to fetch https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/index.yaml : 409 Public access is not permitted on this storage account
Is occurred due to disabled public anonymous access to the
ingress-azureHelm repo at that Blob URL That URL no longer works directly withhelm_release.Instead of this try official Microsoft Helm repo on Azure Container Registry instead so that.
Another issue a resource with the ID ... already exists - to be managed via Terraform this resource needs to be imported into the State.
For this to import the existing resource in portal to terraform state file
terraform import module.uat.module.key_vault_access_policy_user_admin.azurerm_key_vault_access_policy.key_vault_access_policy "/subscriptions/4e2c020a-0252-4eb8-b510-1f78b38677b0/resourceGroups/iAEONUatEnv/providers/Microsoft.KeyVault/vaults/iaeon-kv-uatkeyvaults/objectId/9adafb5e-c17e-4601-9306-7c24404c7bde/applicationId/9adafb5e-c17e-4601-9306-7c24404c7bdeDo the same for
key_vault_access_policy_agic_runtime.Once imported, run
terraform planagain
Please let us know if it was helpful, please upvote if it helps you anyway to reach to address the issue and feel free to reach out if you have any further queries.
- Add permission for:
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 63%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Ashok Gandhi Kotnana 10,115 Reputation points Microsoft External Staff Moderator2025-06-16T07:27:13.4866667+00:00 Hello Nho Luong,
Just want to check if the above response provided by @Vinay B worked for you or else please let us know if any help, we are always here to help whenever you need us.
Please do not forget to “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.
-
Nho Luong 65 Reputation points
2025-06-17T09:42:54.66+00:00 Hello @Pranay Reddy Madireddy
Alway error with this.
│ Error: looks like "https://mcr.microsoft.com/helm" is not a valid chart repository or cannot be reached: failed to fetch https://mcr.microsoft.com/helm/index.yaml : 404 Not Found
│
│ with module.uat.module.appgw.helm_release.agic,
│ on modules/container/appgw/main.tf line 291, in resource "helm_release" "agic":
│ 291: resource "helm_release" "agic" {
======
# Install helm package for application gateway resource "helm_release" "agic" { name = "agic" repository = "https://azure.github.io/application-gateway-kubernetes-ingress" chart = "ingress-azure" namespace = kubernetes_namespace.agic_ns.metadata[0].name # todo: pass proper name from aks module version = "1.7.1" timeout = 600 -
Nho Luong 65 Reputation points
2025-06-17T09:44:55.6366667+00:00 Alway error both
resource "helm_release" "agic" {
name = "agic"
repository = "https://mcr.microsoft.com/helm"
chart = "application-gateway-kubernetes-ingress"
version = "1.5.2" # or the latest supported version
...
}
resource "helm_release" "agic" {
name = "agic"
repository = "https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/"
chart = "ingress-azure"
version = "1.7.1" # or latest supported version
namespace = "agic"
resource "helm_release" "agic" {
name = "agic"
repository = "https://azure.github.io/application-gateway-kubernetes-ingress"
chart = "ingress-azure"
version = "1.7.1" # Or latest version available
namespace = "agic"
resource "helm_release" "agic" {
name = "agic"
repository = "https://azure.github.io/application-gateway-kubernetes-ingress"
chart = "ingress-azure"
namespace = kubernetes_namespace.agic_ns.metadata[0].name
version = "1.7.1"
timeout = 600
-
Nho Luong 65 Reputation points
2025-06-17T09:45:52.8+00:00 Alway error both
resource "helm_release" "agic" {
name = "agic"
repository = "https://mcr.microsoft.com/helm"
chart = "application-gateway-kubernetes-ingress"
version = "1.5.2" # or the latest supported version
...
}
resource "helm_release" "agic" {
name = "agic"
repository = "https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/"
chart = "ingress-azure"
version = "1.7.1" # or latest supported version
namespace = "agic"
resource "helm_release" "agic" {
name = "agic"
repository = "https://azure.github.io/application-gateway-kubernetes-ingress"
chart = "ingress-azure"
version = "1.7.1" # Or latest version available
namespace = "agic"
resource "helm_release" "agic" {
name = "agic"
repository = "https://azure.github.io/application-gateway-kubernetes-ingress"
chart = "ingress-azure"
namespace = kubernetes_namespace.agic_ns.metadata[0].name
version = "1.7.1"
timeout = 600
-
-
Vinay B 500 Reputation points Microsoft External Staff Moderator
2025-06-18T11:17:49.7966667+00:00 Hi Nho Luong,
We haven’t heard from you on the last response, and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
Sign in to comment
Sign in to answer