Authorization failed when when writing a roleAssignment

Andrew 26 Reputation points
2021-02-24T21:50:28.377+00:00

I'm receiving the following error when trying to create a role assignment using terraform:

Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '<application_object_id>' with object id '<application_object_id>' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/<subscription_id>/resourceGroups/network/providers/Microsoft.Network/virtualNetworks/main-vnet/providers/Microsoft.Authorization/roleAssignments/<role_assignment_id>' or the scope is invalid. If access was recently granted, please refresh your credentials."

The application with the <application_object_id> ID is assigned the Contributor role at the Subscription level so I'm not sure what role is missing.

Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
837 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,421 questions
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 56,686 Reputation points
    2021-02-25T09:04:33.637+00:00

    Hello @Andrew · Thank you for reaching out.

    Looking at the error, the application is getting 403 (forbidden) for the action 'Microsoft.Authorization/roleAssignments/write'. Since the <application_object_id> ID is assigned with the Contributor role, and contributor role doesn't include permission to assign roles in Azure RBAC. This is documented here: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor.

    To resolve the issue, you have 2 options:

    • Assign the Application with Owner role. However, this is not a best practice as security principals should be granted with the least privilege needed to perform a given job.
    • Create a custom role with roleAssignments/write permission and assign this role to the application. I would suggest you to prefer this option over the first one.

    In your case, you can export the Contributor Role and update it to include roleAssignments/write permission. Below are the steps that you can follow for this purpose:

    1. Run Connect-AzAccount cmdlet and sign-in with the subscription owner account. If you don't have Az Module installed, please refer to Install Azure PowerShell.
    2. Run Get-AzRoleDefinition contributor | ConvertTo-Json > c:\temp\rbac.json to export the Contributor role to a JSON file.
    3. Open the JSON file in notepad or any other text editor and remove "Microsoft.Authorization/*/Write", line under NotActions section.
    4. Also update Name, Id, IsCustom, Description and AssignableScopes parameters. Please refer to below sample for your reference: {
      "Name": "Custom Contributor",
      "Id": "1a200ac6-5a49-4198-9403-0af86342bd35",
      "IsCustom": true,
      "Description": "Grants full access to manage all resources, allow you to assign roles in Azure RBAC but not delete roles in Azure RBAC manage assignments in Azure Blueprints, or share image galleries.",
      "Actions": [
      ""
      ],
      "NotActions": [
      "Microsoft.Authorization/
      /Delete",
      "Microsoft.Authorization/elevateAccess/Action",
      "Microsoft.Blueprint/blueprintAssignments/write",
      "Microsoft.Blueprint/blueprintAssignments/delete",
      "Microsoft.Compute/galleries/share/action"
      ],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
      "/subscriptions/TYPE_YOUR_SUBSCRIPTION_ID_HERE"
      ]
      }
    5. Run New-AzRoleDefinition -InputFile "C:\temp\rbac.json" to create Custom RBAC role using the above JSON file.
    6. Run Get-AzRoleDefinition -Name "custom contributor" cmdlet to view the role.

    Note: The new RBAC role might not appear in Azure Portal immediately. To see the new role in Azure Portal immediately, sign out from Azure Portal, close the browser and sign back in.

    Finally, assign the Custom Contributor RBAC role to the Application. You should no longer get the StatusCode=403 error for role assignments and should return StatusCode=201 (Created).

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    10 people found this answer helpful.

5 additional answers

Sort by: Most helpful
  1. Justin O'Connor 16 Reputation points
    2021-09-18T02:57:41.53+00:00

    You can also create this role using Terraform.

    resource "azurerm_role_definition" "role_assignment_contributor" {
        name  = "Role Assignment Owner"
        scope = azurerm_management_group.root.id
        description = "A role designed for writing and deleting role assignments"
    
        permissions {
            actions = [
                "Microsoft.Authorization/roleAssignments/write",
                "Microsoft.Authorization/roleAssignments/delete",
            ]
            not_actions = []
        }
    
        assignable_scopes = [
            azurerm_management_group.root.id
        ]
    }
    
    3 people found this answer helpful.
    0 comments No comments

  2. Nishant Rana 6 Reputation points MVP
    2021-06-24T05:06:02.943+00:00
    1 person found this answer helpful.
    0 comments No comments

  3. Dilip Panwar 1 Reputation point
    2022-11-08T10:04:35.337+00:00

    Here the updated custom role json which works as of 8th Nov 2022
    {
    "properties": {
    "roleName": "custom role name",
    "description": "optional description ",
    "assignableScopes": [
    "/subscriptions/subscription id"
    ],
    "permissions": [
    {
    "actions": [""],
    "NotActions": [
    "Microsoft.Authorization/
    /Delete",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete",
    "Microsoft.Compute/galleries/share/action"
    ],
    "dataActions": [],
    "notDataActions": []
    }
    ]
    }
    }

    0 comments No comments

  4. Omokhoa Agbagbara 95 Reputation points
    2023-10-20T19:03:02.83+00:00

    Hi there.

    For anyone who may come upon this after Oct 2023.

    Yes this works, You will need to assign the new custom role, In

    Subscription -> Access Control (IAM) -> Add -> Add Role Assignment ->Priviledged Administrator roles (Tab).

    To add the members -> Use the "User group or service principal" option. The app may not be listed, but if you start typing the app name, the app pops up.

    Selec the desired app. if the "Review + assign" button is disabled, then you may need to fiddle with the conditions

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.