
azuread_claims_mapping_policy requires Policy.Read.All permission #804

Closed
@nikolai-fra

Description


Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.0.11
on windows_amd64

  • provider registry.terraform.io/hashicorp/azuread v2.22.0

Affected Resource(s)

  • azuread_claims_mapping_policy

Terraform Configuration Files

resource "azuread_claims_mapping_policy" "policy_add_onPremisesSamAccountName_to_token" {
  definition = [
    jsonencode(
      {
        ClaimsMappingPolicy = {
          ClaimsSchema = [
            {
              ID           = "onPremisesSamAccountName" # name of the attribute to include -> test via https://developer.microsoft.com/en-us/graph/graph-explorer and the URL https://graph.microsoft.com/v1.0/me/?$select=onPremisesSamAccountName
              JwtClaimType = "onPremisesSamAccountName" # name of the jwt claim which includes the value of the attribute
              Source       = "user"                     # attribute exists on the user object
            }
          ]
          IncludeBasicClaimSet = "true"
          Version              = 1
        }
      }
    ),
  ]
  display_name = "Add 'onPremisesSamAccountName' as 'onPremisesSamAccountName'"
}

Debug Output

...
2022-05-23T08:20:38.476+0200 [INFO]  provider.terraform-provider-azuread_v2.22.0_x5.exe: 2022/05/23 08:20:38 [DEBUG] ============================ Begin AzureAD Request ============================
Request ID: 45eaba6e-89be-06a7-da1a-dfb8e4aca03b

GET /v1.0/policies/claimsMappingPolicies/6a6c119f-acfe-4552-b530-3ec0d8fbbcb8 HTTP/1.1
Host: graph.microsoft.com
User-Agent: HashiCorp Terraform/1.0.11 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azuread/dev Hamilton (Go-http-client/1.1) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Accept: application/json; charset=utf-8; IEEE754Compatible=false; odata.metadata=full
Content-Type: application/json; charset=utf-8
Odata-Maxversion: 4.0
Odata-Version: 4.0
Accept-Encoding: gzip


============================= End AzureAD Request =============================: timestamp=2022-05-23T08:20:38.476+0200
2022-05-23T08:20:38.673+0200 [INFO]  provider.terraform-provider-azuread_v2.22.0_x5.exe: 2022/05/23 08:20:38 [DEBUG] ============================ Begin AzureAD Response ===========================
GET https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/6a6c119f-acfe-4552-b530-3ec0d8fbbcb8
Request ID: 45eaba6e-89be-06a7-da1a-dfb8e4aca03b

HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
Cache-Control: no-cache
Client-Request-Id: 00610a0d-5f0a-4e3c-8f46-e816bb9b09ed
Content-Type: application/json
Date: Mon, 23 May 2022 06:20:38 GMT
Request-Id: 00610a0d-5f0a-4e3c-8f46-e816bb9b09ed
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"Germany West Central","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"FR3PEPF00000111"}}  
X-Ms-Resource-Unit: 1

10a
{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2022-05-23T06:20:38","request-id":"00610a0d-5f0a-4e3c-8f46-e816bb9b09ed","client-request-id":"00610a0d-5f0a-4e3c-8f46-e816bb9b09ed"}}}
0


============================= End AzureAD Response ============================: timestamp=2022-05-23T08:20:38.673+0200
╷
│ Error: retrieving Claims Mapping Policy with object ID: "6a6c119f-acfe-4552-b530-3ec0d8fbbcb8"
│
│   with azuread_claims_mapping_policy.policy_add_onPremisesSamAccountName_to_token,
│   on application.tf line 6, in resource "azuread_claims_mapping_policy" "policy_add_onPremisesSamAccountName_to_token":
│    6: resource "azuread_claims_mapping_policy" "policy_add_onPremisesSamAccountName_to_token" {
│
│ ClaimsMappingPolicyClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to        
│ complete the operation.
╵
2022-05-23T08:20:38.678+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-05-23T08:20:38.694+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/azuread/2.22.0/windows_amd64/terraform-provider-azuread_v2.22.0_x5.exe pid=2136
2022-05-23T08:20:38.694+0200 [DEBUG] provider: plugin exited

Panic Output

Expected Behavior

Provider should apply the resource without failure.

Actual Behavior

As described in the docs here we've assigned a service principal the Policy.ReadWrite.ApplicationConfiguration permission
-> but are getting a permission error

After looking at MS Graph's permission reference we additionally assigned the Application.ReadWrite.All permission:
image

But still:

azuread_claims_mapping_policy.policy_add_onPremisesSamAccountName_to_token: Creating...
╷
│ Error: retrieving Claims Mapping Policy with object ID: "6a6c119f-acfe-4552-b530-3ec0d8fbbcb8"
│
│   with azuread_claims_mapping_policy.policy_add_onPremisesSamAccountName_to_token,
│   on application.tf line 6, in resource "azuread_claims_mapping_policy" "policy_add_onPremisesSamAccountName_to_token":
│    6: resource "azuread_claims_mapping_policy" "policy_add_onPremisesSamAccountName_to_token" {
│
│ ClaimsMappingPolicyClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to        
│ complete the operation.

Steps to Reproduce

  1. Create an SP with only the above two application permissions
  2. Configure ARM_* ENVs
  3. terraform apply

Solution

After adding Policy.Read.All:
image

'Apply complete! Resources: 1 added, 0 changed, 1 destroyed.'

Comments

After looking at the HTTP request made, the call to /v1.0/policies/claimsMappingPolicies/6a6c119f-acfe-4552-b530-3ec0d8fbbcb8 returns the 403.
Here the permission Policy.ReadWrite.ApplicationConfiguration should be enough, but isn't sufficient ...

It only ever works when adding 'Policy.Read.All'.
Probably we should add this to the docs?
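A preflight check for the permission gap described in this issue, added here as an example and not part of the issue or the provider: it decodes the `roles` claim of an app-only Graph access token (signature not verified; this is a local diagnostic, not authentication) and reports which of the two application permissions the reporter ended up needing are absent, so the 403 on the read-back GET can be spotted before `terraform apply`. The tokens below are constructed samples; the role names are the Graph permission names from the issue.

```python
import base64
import json

# Graph application permissions the issue reports as needed for this resource:
# the write permission for the create (POST) and, separately, Policy.Read.All
# for the read-back (GET) the provider performs afterwards.
REQUIRED_ROLES = frozenset({"Policy.ReadWrite.ApplicationConfiguration", "Policy.Read.All"})


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_roles(token: str) -> set:
    """App roles ('roles' claim) carried by an app-only Graph token (unverified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("roles", []))


def missing_roles(token: str, required=REQUIRED_ROLES) -> set:
    """Roles from `required` that the token does not carry (empty set = all present)."""
    return set(required) - token_roles(token)


def _constructed_token(roles) -> str:
    # Constructed sample token (unsigned, dummy signature) for offline demonstration.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": list(roles)}
    return f"{enc(header)}.{enc(payload)}.sig"


# Grant set the reporter had before the fix: write permission plus
# Application.ReadWrite.All, but no Policy.Read.All -> the GET returns 403.
TOKEN_BEFORE_FIX = _constructed_token(
    ["Policy.ReadWrite.ApplicationConfiguration", "Application.ReadWrite.All"])
# Grant set after the fix reported in the issue.
TOKEN_AFTER_FIX = _constructed_token(
    ["Policy.ReadWrite.ApplicationConfiguration", "Policy.Read.All"])

if __name__ == "__main__":
    for name, tok in (("before fix", TOKEN_BEFORE_FIX), ("after fix", TOKEN_AFTER_FIX)):
        gap = missing_roles(tok)
        print(f"{name}: {'ok' if not gap else 'missing ' + ', '.join(sorted(gap))}")
```

For a real service principal, pass the token obtained with `az account get-access-token --resource https://graph.microsoft.com --query accessToken -o tsv` to `missing_roles`; roles only appear in the token once the application permission has been admin-consented.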
