# azure
t
I suspect we need to add this kind of thing to docs or a blog
m
I think you should indeed. Something like "Example on how to set up your Azure service principal" with the often needed roles and API permissions needed. This is the kind of thing that could be added to the Docs/Intro to Pulumi/Cloud Providers/Azure section and referenced as well in Docs/User Guides/Continuous Delivery/Azure DevOps. In order to make it work properly in my case I had to:
• Add the contributor role to the SP on the subscription
• Add the user access administrator role to the SP on the subscription
• Add the Application.ReadWrite.OwnedBy permission of Azure Active Directory Graph API to the SP
Last one is a bit strange as Azure Active Directory Graph is deprecated from what I understood (https://developer.microsoft.com/en-us/office/blogs/microsoft-graph-or-azure-ad-graph/) but when using the similar permission from Microsoft Graph API I get an error "graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403" when trying to create the application. Only the permission on the old API seems to work. Could it be that the Azure Provider uses the old API? Any idea on this @tall-librarian-49374?
I guess I found my answer: https://github.com/terraform-providers/terraform-provider-azuread/issues/131
There are some related issues not specific to this but that will solve this as well: https://github.com/terraform-providers/terraform-provider-azuread/issues/193
t
Would you mind opening an issue in https://github.com/pulumi/docs ?