```
retrieving Role Management Policy: (Principal Id "{objectId}" / Scope "/providers/Microsoft.Management/managementGroups/{managementGroupName}" / Role Definition Id
│ "/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}"): unexpected status 400 (400 Bad Request) with error: InsufficientPermissions: The requestor {ReadOnlyServicePrincipal} does
│ not have permissions for this request. Please use $filter=asTarget() to filter on the requestor's assignments.
```
Is there an existing issue for this?

Community Note

Terraform Version

1.8.1

AzureRM Provider Version

3.99

Affected Resource(s)/Data Source(s)

azurerm_pim_active_role_assignment, azurerm_pim_eligible_role_assignment

Terraform Configuration Files

Debug Output/Panic Output

Expected Behaviour

Import successfully.

Actual Behaviour

When using a read-only SP (with Action: "*/read"):

- `terraform plan` works perfectly
- import fails due to insufficient permission

Import works only after adding "Microsoft.Authorization/roleAssignments/write".

Why does import need write permission?

Steps to Reproduce

1. `az login` (user level)
2. `terraform apply --auto-approve`
3. Remove `azurerm_pim_active_role_assignment` manually from tfstate
4. `az login --service-principal -t {Tenant-ID} -u {Client-ID} -p {Client-secret}` (to use the read-only SP)
5. `terraform import azurerm_pim_active_role_assignment.example "/providers/Microsoft.Management/managementGroup/{managementGroupId}|/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}|{objectId}"`
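The read-only service principal and the import from the reproduction steps, written out as an added Terraform configuration. This is not code from the issue or from the provider project: the management group name, the role name, the GUIDs and the eight-hour schedule are placeholders, and the ID format in the `import` block follows the report's "scope|role_definition_id|principal_id" layout with the plural `managementGroups` segment that the error output uses. The commented-out write action is the workaround the reporter found; it widens the identity well beyond read-only, so the comment keeps it out of the role by default.

```hcl
# Added example, not part of the issue. All names and GUIDs are placeholders.

data "azurerm_management_group" "mg" {
  name = "example-mg" # placeholder management group name
}

# Least-privilege custom role for the plan/import service principal.
# With only "*/read" the report observes that `terraform plan` succeeds
# while `terraform import` of the PIM resources fails with InsufficientPermissions.
resource "azurerm_role_definition" "tf_reader" {
  name  = "terraform-reader" # placeholder role name
  scope = data.azurerm_management_group.mg.id

  permissions {
    actions = [
      "*/read",
      # Workaround from the report: import only works after adding this action.
      # It grants role-assignment creation, so it is left disabled here and should
      # be enabled only for the identity that actually has to run the import.
      # "Microsoft.Authorization/roleAssignments/write",
    ]
  }

  assignable_scopes = [data.azurerm_management_group.mg.id]
}

# The PIM active assignment that the reproduction removes from state and re-imports.
resource "azurerm_pim_active_role_assignment" "example" {
  scope              = data.azurerm_management_group.mg.id
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000" # placeholder
  principal_id       = "11111111-1111-1111-1111-111111111111"                                                    # placeholder object id

  schedule {
    expiration {
      duration_hours = 8 # placeholder activation window
    }
  }

  justification = "Imported by the read-only SP (example)"
}

# Terraform 1.5+ declarative import; same ID shape as the CLI command in the
# reproduction steps, so a plan/apply with the read-only SP reproduces the failure
# without hand-editing the state file.
import {
  to = azurerm_pim_active_role_assignment.example
  id = "/providers/Microsoft.Management/managementGroups/example-mg|/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000|11111111-1111-1111-1111-111111111111"
}
```

Running `terraform plan` against this configuration while logged in as the `tf_reader` principal exercises the same code path as step 5 of the reproduction, and keeping the write action commented out makes it easy to confirm whether a provider fix restores read-only import without having to grant the principal `roleAssignments/write`.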
Important Factoids
No response
References
No response