
Error building account after upgrading to 1.38 and above #6069

Closed
bitcloud opened this issue Mar 11, 2020 · 3 comments

Comments

@bitcloud
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.21

  • provider.azurerm v1.34.0
  • provider.external v1.2.0
  • provider.kubernetes v1.11.1
  • provider.random v2.2.1
  • azurerm_1.38.0 up to azurerm_2.0.0 are affected

Affected Resource(s)

It happens while bootstrapping azurerm, so no specific resource.

Terraform Configuration Files

provider "azurerm" {
  version                    = "1.38.0"
  skip_provider_registration = "true"
}

Debug Output

Error: Error building account: Error getting authenticated object ID: Error listing Service Principals: autorest.DetailedError{Original:(*azure.RequestError)(0xc000809710), PackageType:"graphrbac.ServicePrincipalsClient", Method:"List", StatusCode:400, Message:"Failure responding to request", ServiceError:[]uint8(nil), Response:(*http.Response)(0xc000809680)}

Actual Behavior

As it seems to use the new Graph API, it should not use the list and OData filter to look for the service principal; it should use the specific resource query so it doesn't need additional permissions in the service principal to access it.

This is the line where it creates the filter:

https://github.com/hashicorp/go-azure-helpers/blob/6e061044db42917eeaecea091acb19e5d917122e/authentication/azure_sp_objectid.go#L36

for the appId, based on the API call

https://docs.microsoft.com/en-us/graph/api/serviceprincipal-list

Expected Behavior

It should use this API call:

https://docs.microsoft.com/en-us/graph/api/serviceprincipal-get

because it probably requires fewer permissions.

I based that assumption on the fact that az ad sp show --id http://SP-Name works when I log in as the service principal but az ad sp list does not.

Steps to Reproduce

You just need to plan with the permissions of a Service Principal with Contributor role.

Important Factoids

The issue seems to exist in go-azure-helpers, and I also created an issue there (see references).

References

hashicorp/go-azure-helpers#49

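The lookup order the report asks for, as an added Go example that is not code from go-azure-helpers or the provider: resolve the service principal's own object ID with a direct lookup first and only fall back to List with an OData filter, which fails here with HTTP 400 for a Contributor-only principal. The base URL, the servicePrincipals(appId='...') alternate-key path, the fake directory server and both GUIDs are assumptions and constructed values, not taken from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Constructed identifiers served by the fake directory below; not real tenant values.
const fakeAppID, fakeObjectID = "11111111-1111-1111-1111-111111111111", "00000000-0000-0000-0000-00000000aaaa"

// spObjectID resolves a service principal's own object ID from its (GUID) appId: the direct
// lookup first, List+$filter (which needs directory-wide read permission) only as a fallback.
func spObjectID(c *http.Client, base, appID string) (string, error) {
	var sp struct{ ID string `json:"id"`; Value []struct{ ID string `json:"id"` } `json:"value"` }
	if err := getJSON(c, fmt.Sprintf("%s/servicePrincipals(appId='%s')", base, appID), &sp); err == nil {
		return sp.ID, nil
	}
	q := url.Values{"$filter": {fmt.Sprintf("appId eq '%s'", appID)}} // Encode percent-escapes the filter
	if err := getJSON(c, base+"/servicePrincipals?"+q.Encode(), &sp); err != nil || len(sp.Value) != 1 {
		return "", fmt.Errorf("list for appId %s: %d principals, error: %v", appID, len(sp.Value), err)
	}
	return sp.Value[0].ID, nil
}
// getJSON performs one GET and decodes a 200 body into v; any other status is an error.
func getJSON(c *http.Client, u string, v interface{}) error {
	resp, err := c.Get(u)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("GET %s: HTTP %d", u, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(v)
}
// newFakeGraph is a constructed stand-in for the directory API: direct lookup always works,
// List only when allowList is set; otherwise List is answered with HTTP 400, as in this issue.
func newFakeGraph(allowList bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/servicePrincipals(appId='"+fakeAppID+"')" {
			fmt.Fprintf(w, `{"id":%q}`, fakeObjectID)
		} else if r.URL.Path == "/servicePrincipals" && allowList {
			fmt.Fprintf(w, `{"value":[{"id":%q}]}`, fakeObjectID)
		} else {
			http.Error(w, "insufficient privileges", http.StatusBadRequest)
		}
	}))
}
```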
@tombuildsstuff
Contributor

👋🏻

Taking a look through here: whilst this issue appears in this repository, the root cause of this is the use of the older Azure AD APIs, rather than the newer "Microsoft Graph" APIs.

Unfortunately at this time there is no Azure SDK for Go which supports the Microsoft Graph API - as such this is something we're currently working to fix, which'll fix both this issue and unblock some larger features in the AzureAD Provider too.

Since the root cause of this is a bug in the hashicorp/go-azure-helpers repository, I'm going to close this issue in favour of that one for the moment - but ultimately we're using hashicorp/terraform-provider-azuread#323 to post updates about the Azure AD Graph SDK; once that's live we should be able to take a look into fixing hashicorp/go-azure-helpers#49.

Thanks!

@bitcloud
Contributor Author

I think you mixed it up a bit ;-)

The issue is because of the way the new Graph API is currently used in the helper, not the old REST API. It just uses the wrong resource in the Graph API (list instead of getting it directly).

I can understand that you are waiting for a proper implementation of the Graph API wrapper, but as this could probably also mean that https://github.com/hashicorp/go-azure-helpers could become obsolete, it would be better to keep this issue here even if it has blocking dependencies.

I think it would be better to leave the issue open until it is really fixed to track if the changes in hashicorp/terraform-provider-azuread#323 and/or hashicorp/go-azure-helpers#49 really fix the issue then.

But it's your call in the end ;-)

@ghost

ghost commented Nov 27, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Nov 27, 2020