Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot assign groups to application via service principal #1378

Open
zemirco opened this issue May 14, 2024 · 3 comments
Open

Cannot assign groups to application via service principal #1378

zemirco opened this issue May 14, 2024 · 3 comments
Labels
feature/app-role-assignments question

Comments

@zemirco
Copy link

zemirco commented May 14, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.8.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/azuread v2.48.0
+ provider registry.terraform.io/jfrog/artifactory v10.7.4
+ provider registry.terraform.io/jfrog/platform v1.7.2
+ provider registry.terraform.io/jfrog/project v1.5.2

Affected Resource(s)

  • azuread_app_role_assignment
  • azuread_service_principal
  • azuread_application

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

resource "azuread_application" "jfrog" {
  display_name    = "Artifactory SAML SSO + SCIM"
}

resource "azuread_service_principal" "jfrog" {
  client_id = azuread_application.jfrog.client_id
}

locals {
  scim_groups = [
    data.terraform_remote_state.az.outputs.azuread_group_devops,
  ]
}

resource "azuread_app_role_assignment" "jfrog" {
  for_each            = toset(local.scim_groups[*].object_id)
  app_role_id         = "18d14569-c3bd-439b-9a66-3a2aee01d14f"
  principal_object_id = each.key
  resource_object_id  = azuread_service_principal.jfrog.object_id
}

Debug Output

https://gist.github.com/zemirco/07a36d90f68ac65f4ebcbfa420f8a94f

Panic Output

Expected Behavior

I'm able to add / remove groups to my Enterprise Application (so that the group members are able to login via SAML SSO) via my CI/CD pipeline using GitHub Actions by authenticating as a service principal.

This is how it should look like in the end.
image

The app registration has the Application.ReadWrite.OwnedBy permission.
image

The service principal uses OIDC to connect to our Azure AD.
image

Actual Behavior

It all works locally when I run the command as a user.

It does not work when the command runs inside our CI/CD pipeline which is GitHub Actions. Here we're getting the following error.

azuread_app_role_assignment.jfrog["3ef3cd62-73c6-402f-9951-18da865b3776"]: Destroying... [id=ed84d346-a092-46d6-aae2-b04b1da85370/appRoleAssignment/Ys3zPsZzL0CZURjahls3drJmFKwW-iZJp4rq67_hIuA]
╷
│ Error: Deleting app role assignment for resource "ed84d346-a0[9](***/actions/runs/9064212294/job/24920697658?pr=135#step:6:10)2-46d6-aae2-b04b1da85370" with ID "Ys3zPsZzL0CZURjahls3drJmFKwW-iZJp4rq67_hIuA", got status 403
│ 
│ AppRoleAssignedToClient.BaseClient.Delete(): unexpected status 403 with
│ OData error: Authorization_RequestDenied: Insufficient privileges to
│ complete the operation.
╵
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.

Steps to Reproduce

  1. terraform apply

References
@manicminer
Copy link
Member

Hi @zemirco, thanks for reporting this issue. I couldn't say why the DELETE request is being sent without seeing a copy of the plan for this apply, however you will need to assign the AppRoleAssignment.ReadWrite.All app role to your Terraform service principal in order to manage app role assignments. Unfortunately Application.ReadWrite.xyz is not sufficient - as this is a privileged API that technically permits you to add any API permission for any application.

@zemirco
Copy link
Author

zemirco commented May 14, 2024

It finally works. Here is how we did it 🥳

The permission Application.ReadWrite.OwnedBy is enough but the owner has to be set at the App Registration as well as the Enterprise Application.

image

image

Wow :) I'm so glad this finally works as we've spent so many hours on this topic.

Thank you for maintaining the azuread provider.

@manicminer
Copy link
Member

Ah that's great, thanks for reporting back! This is easily missed and I'll see if we can call this out more clearly in the docs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature/app-role-assignments question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@manicminer @zemirco