I'm working on a sample application in F# that I want to over engineer the hell out to learn me some new things. The plan is to use pulumi to handle the deployment. What I do want to deploy is the F# application I'm building on a kubernetes cluster that runs istio. The pulumi stuff will also be written in F#. So far I have ported a C# sample that sets up kubernetes that I was pointed to, but for some reason my deploy fails to create the active directory application due to "Insufficient privileges to complete the operation". Complete error

error: graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2020-02-08T22:35:51","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"b8e3bf38-925b-4898-9d14-fc101c14e5c4"}}]

Hi Tomas, it looks to me like you need to add permissions to Azure AD Graph API, see: https://discuss.hashicorp.com/t/azure-secrets-engine/2090/5 and https://github.com/Azure-Samples/azure-sdk-for-go-samples/issues/238 and https://github.com/terraform-providers/terraform-provider-azuread/issues/35 Cheers, James

I would check if you have permissions to even create an Azure Application: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#required-permissions Maybe see if you can do it manually in the portal: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal Or via the cli: https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest

@colossal-room-15708 I managed to create an app through the portal and using the CLI, so I'm a little bit confused over which credentials that is used when I try to do it through Pulumi, and if they are using the same API as the CLI for creating the app or if the Pulumi command also does something else.

Yes, it’s

az account show

by default unless you override with env variables

@tall-librarian-49374, thanks. Hmm. Any idea of what might causing my Pulumi deploy to fail: https://pulumi-community.slack.com/archives/CRVK66N5U/p1581202394064300 ?

I haven’t seen this before, unfortunately

Is there a way to get the output from pulumi to show which account that is used? I tried verbose level 3 and 5 but that didn’t reveal that kind of information.

Can you show us a code snippet of what you're trying to do? I've not seen this error before.

I created a project only containing the pulumi stuff, and that sort of fixed it. I think the problem was that I was looking at multiple Pulumi templates at once, and one of them configured a service principal that should be used to actually execute pulumi (I guess that is what the

azure:clientId/clientSecret

are for). Moving everything over I removed those settings and it worked. Here is the code if you want a sample using F# to set up a kubernetes cluser on Azure. It's basically a port of the C# sample https://github.com/mastoj/pulumifsharpkubernetesdemo. If you have dotnet core 3.1 installed I think you should be able to clone and run

make deploy

(will use

-y

). Feel free to use the code as an F# sample if you like now when it works, I think.

I’m happy you solved it! Would love to see your code as a PR to our examples repo 😉

Sure, I'll see what I can do @tall-librarian-49374