
able-beard-29160

06/03/2020, 9:26 PM
This is not strictly related to Pulumi (I think), but maybe someone can point me in the right direction. I'm trying to create a service principal (as part of a CI/CD pipeline) and this is run using a non-owner service principal (it has the Contributor and User Access Administrator roles assigned), but I'm getting a permission error. Any ideas?
azuread:index:Application (aks-app):
error: graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2020-06-03T11:41:37","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"97f0f1cd-7a27-4838-b226-534ce6003e08"}}]

ancient-megabyte-79588

06/04/2020, 2:36 AM
You need the Application Administrator role on the non-owner service principal that is doing the CI/CD.

able-beard-29160

06/04/2020, 8:20 AM
Thanks a lot. Unfortunately, this is getting confusing, so I'll have to do more reading. It seems that role isn't available for Applications, but only for Users. I'll have to clear up my confusion around this Service Principal concept before asking further questions.

ancient-megabyte-79588

06/04/2020, 2:09 PM
I haven't tried to make any adjustments to a Service Principal as I am not doing CI/CD yet. You can give an application (service principal) the permissions it needs.
It is a bit confusing, but a service principal is an Application Registration in AAD and they can be given permissions similar to a user.

able-beard-29160

06/04/2020, 10:56 PM
Thanks, Dave. I've managed to get it working by adding permissions in that API permissions blade.
BTW, I've just finished reading your blog series on your Kubernetes journey. That was quite informative and useful. Looking forward to other posts 👏🏻