swift-hamburger-98290

12/22/2020, 4:45 PM
I am running into an insufficient privileges issue on Azure when trying to create/change an Azure Active Directory Application, deploying using Pulumi's DevOps task. I have the following:
task: Pulumi@1
inputs:
  azureSubscription: <azure-resource-manager>
  ... 
env:
  PULUMI_ACCESS_TOKEN: $(pulumi.access.token)
And on AAD I added the following API permissions, with type Application (not Delegated):
Application.Read.All
Application.ReadWrite.All
Application.ReadWrite.OwnedBy
Directory.Read.All
Directory.ReadWrite.All
Error:
* updating urn:pulumi:test::<>::azuread:index/application:Application::<>: patching Application with ID "<id>": graphrbac.ApplicationsClient#Patch: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2020-12-22T15:28:11","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"<>"}}]
What am I missing?

swift-hamburger-98290

12/22/2020, 4:53 PM
Hmm, I don't think so. I can do pulumi up just fine locally, and everything works. The problem is when I run it on the pipeline (Azure DevOps) with a service connection (azure resource manager), to which I gave the permissions I wrote in the original post.
I had to set the permissions under Azure Active Directory Graph, which Azure marked as legacy but are still required for the time being apparently.