Authorization failed when writing a roleAssignment

Andrew 26 Reputation points
2021-02-24T21:50:28.377+00:00

I'm receiving the following error when trying to create a role assignment using terraform:

Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '<application_object_id>' with object id '<application_object_id>' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/<subscription_id>/resourceGroups/network/providers/Microsoft.Network/virtualNetworks/main-vnet/providers/Microsoft.Authorization/roleAssignments/<role_assignment_id>' or the scope is invalid. If access was recently granted, please refresh your credentials."

The application with the <application_object_id> ID is assigned the Contributor role at the Subscription level so I'm not sure what role is missing.


Accepted answer
  1. AmanpreetSingh-MSFT 56,366 Reputation points
    2021-02-25T09:04:33.637+00:00

    Hello @Andrew · Thank you for reaching out.

    Looking at the error, the application is getting 403 (forbidden) for the action 'Microsoft.Authorization/roleAssignments/write'. The <application_object_id> ID is assigned the Contributor role, and the Contributor role doesn't include permission to assign roles in Azure RBAC. This is documented here: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor.

    To resolve the issue, you have 2 options:

    • Assign the Application with Owner role. However, this is not a best practice as security principals should be granted with the least privilege needed to perform a given job.
    • Create a custom role with the roleAssignments/write permission and assign this role to the application. I would suggest you prefer this option over the first one.

    In your case, you can export the Contributor Role and update it to include roleAssignments/write permission. Below are the steps that you can follow for this purpose:

    1. Run Connect-AzAccount cmdlet and sign-in with the subscription owner account. If you don't have Az Module installed, please refer to Install Azure PowerShell.
    2. Run Get-AzRoleDefinition contributor | ConvertTo-Json > c:\temp\rbac.json to export the Contributor role to a JSON file.
    3. Open the JSON file in notepad or any other text editor and remove "Microsoft.Authorization/*/Write", line under NotActions section.
    4. Also update the Name, Id, IsCustom, Description and AssignableScopes parameters. Please refer to the sample below for your reference:
       {
         "Name": "Custom Contributor",
         "Id": "1a200ac6-5a49-4198-9403-0af86342bd35",
         "IsCustom": true,
         "Description": "Grants full access to manage all resources and allows you to assign roles in Azure RBAC, but not to delete roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
         "Actions": [
           "*"
         ],
         "NotActions": [
           "Microsoft.Authorization/*/Delete",
           "Microsoft.Authorization/elevateAccess/Action",
           "Microsoft.Blueprint/blueprintAssignments/write",
           "Microsoft.Blueprint/blueprintAssignments/delete",
           "Microsoft.Compute/galleries/share/action"
         ],
         "DataActions": [],
         "NotDataActions": [],
         "AssignableScopes": [
           "/subscriptions/TYPE_YOUR_SUBSCRIPTION_ID_HERE"
         ]
       }
    5. Run New-AzRoleDefinition -InputFile "C:\temp\rbac.json" to create the custom RBAC role using the above JSON file.
    6. Run the Get-AzRoleDefinition -Name "custom contributor" cmdlet to view the role.

    Note: The new RBAC role might not appear in Azure Portal immediately. To see the new role in Azure Portal immediately, sign out from Azure Portal, close the browser and sign back in.

    Finally, assign the Custom Contributor RBAC role to the Application. You should no longer get the StatusCode=403 error for role assignments, and it should return StatusCode=201 (Created).

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    9 people found this answer helpful.
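As an added example that is not part of the answer above, the same procedure done entirely in Azure PowerShell, building the custom role in memory from the built-in Contributor definition instead of hand-editing an exported JSON file. It assumes the Az module is installed, that you are signed in as a subscription Owner, and that the subscription id and application object id are placeholders you replace.

```powershell
# Added example, not from the original answer. Placeholders to replace:
$subscriptionId = "<subscription_id>"
$appObjectId    = "<application_object_id>"   # object id from the 403 message

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Start from the built-in Contributor role definition.
$role = Get-AzRoleDefinition -Name "Contributor"

# Turn it into a new custom role. Id must be empty so Azure generates one.
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = "Custom Contributor"
$role.Description = "Contributor plus the right to write role assignments."

# Remove only the NotAction that blocks roleAssignments/write. The other
# denies (delete, elevateAccess, Blueprint assignments, gallery sharing) stay.
$role.NotActions.Remove("Microsoft.Authorization/*/Write") | Out-Null

# Least privilege: a principal that can write role assignments at a scope can
# grant any role (including Owner) at that scope, so keep AssignableScopes as
# narrow as the Terraform run actually needs (here the whole subscription).
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

$newRole = New-AzRoleDefinition -Role $role

# Assign the custom role to the application at subscription scope.
New-AzRoleAssignment -ObjectId $appObjectId `
                     -RoleDefinitionId $newRole.Id `
                     -Scope "/subscriptions/$subscriptionId"

# Verify: the Write deny is gone, the remaining NotActions are intact.
(Get-AzRoleDefinition -Name "Custom Contributor").NotActions
```

If you prefer to grant the permission only where the assignment is made (for example the resource group holding main-vnet), use that resource group as the AssignableScopes entry and the -Scope of New-AzRoleAssignment instead of the subscription.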

5 additional answers

  1. Justin O'Connor 16 Reputation points
    2021-09-18T02:57:41.53+00:00

    You can also create this role using Terraform.

    resource "azurerm_role_definition" "role_assignment_contributor" {
      name        = "Role Assignment Owner"
      scope       = azurerm_management_group.root.id
      description = "A role designed for writing and deleting role assignments"

      permissions {
        actions = [
          "Microsoft.Authorization/roleAssignments/write",
          "Microsoft.Authorization/roleAssignments/delete",
        ]
        not_actions = []
      }

      assignable_scopes = [
        azurerm_management_group.root.id
      ]
    }
    
    3 people found this answer helpful.

  2. Nishant Rana 6 Reputation points MVP
    2021-06-24T05:06:02.943+00:00
    1 person found this answer helpful.

  3. Dilip Panwar 1 Reputation point
    2022-11-08T10:04:35.337+00:00

    Here is the updated custom role JSON which works as of 8th Nov 2022:
    {
      "properties": {
        "roleName": "custom role name",
        "description": "optional description",
        "assignableScopes": [
          "/subscriptions/subscription id"
        ],
        "permissions": [
          {
            "actions": ["*"],
            "notActions": [
              "Microsoft.Authorization/*/Delete",
              "Microsoft.Authorization/elevateAccess/Action",
              "Microsoft.Blueprint/blueprintAssignments/write",
              "Microsoft.Blueprint/blueprintAssignments/delete",
              "Microsoft.Compute/galleries/share/action"
            ],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }


  4. Omokhoa Agbagbara 85 Reputation points
    2023-10-20T19:03:02.83+00:00

    Hi there.

    For anyone who may come upon this after Oct 2023.

    Yes, this works. You will need to assign the new custom role in

    Subscription -> Access Control (IAM) -> Add -> Add Role Assignment -> Privileged Administrator roles (tab).

    To add the members -> use the "User, group, or service principal" option. The app may not be listed, but if you start typing the app name, the app pops up.

    Select the desired app. If the "Review + assign" button is disabled, then you may need to fiddle with the conditions.
