8

I want to deploy some resources on Azure with Terraform. On Azure, I have an account with "Owner rights" on one Resource Group only (RGName). Not at the subscription level.

From my Linux server, I installed "az cli" and I did "az login". At this step, everything is OK.

The problem appears when I want to execute terraform to create one resource.


Content of provider.tf (the only one .tf file for now) :

provider "azurerm" {
}

If I do a "terraform plan", it works.

If I add the following line, it fails. Please see the error at the end :

resource "azurerm_virtual_network" "myterraformnetwork" {
    name                = "myVnet"
    address_space       = ["10.0.0.0/16"]
    location            = "eastus"
    resource_group_name = "RGName"

    tags = {
        environment = "Terraform Demo"
    }
}

I do not have rights at the subscription level but I do not need them. With the Azure WebUI I can create resources in this Resource Group without problem.


The error :

Error: Error ensuring Resource Providers are registered: Cannot register provider Microsoft.DevSpaces with Azure Resource Manager: resources.ProvidersClient#Register: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'accountName' with object id 'IDaccountName' does not have authorization to perform action 'Microsoft.DevSpaces/register/action' over scope '/subscriptions/subscriptionID' or the scope is invalid. If access was recently granted, please refresh your credentials.".

on provider.tf line 1, in provider "azurerm": 1: provider "azurerm" {


Thank you all !

Lbebitas

4 Answers

19

If anyone else has this issue in a corporate (restricted) Azure environment, and doesn't have the patience to register the provider (which may not be necessary if you don't use the specified terraform resource) - have a look at https://github.com/terraform-providers/terraform-provider-azurerm/issues/4440

Specifically, this may help:

provider "azurerm" {
  # Do not attempt to register resource providers on the subscription
  skip_provider_registration = "true"
}

It obviously won't help if you actually need the resource that fails to get registered (in our case it was Cannot register provider Microsoft.DevSpaces with Azure Resource Manager, but the resource will be variable depending on your environment and what Terraform decides to support)

Geehan
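A triage helper for the error in the question, as an added example that is not part of the original posts: it parses the ARM `AuthorizationFailed` message and shows that the denied action is a provider registration at subscription scope, not the virtual network write inside the resource group. The function names and the second sample message are assumptions constructed for illustration.

```python
import re

# Abridged from the error in the question; placeholders kept as posted.
QUESTION_ERROR = (
    "Cannot register provider Microsoft.DevSpaces with Azure Resource Manager: "
    'Status=403 Code="AuthorizationFailed" Message="The client \'accountName\' '
    "with object id 'IDaccountName' does not have authorization to perform "
    "action 'Microsoft.DevSpaces/register/action' over scope "
    "'/subscriptions/subscriptionID' or the scope is invalid.\""
)
# Constructed for contrast: a denial inside the resource group itself.
RG_ERROR = (
    "does not have authorization to perform action "
    "'Microsoft.Network/virtualNetworks/write' over scope '/subscriptions/"
    "subscriptionID/resourceGroups/RGName/providers/Microsoft.Network/"
    "virtualNetworks/myVnet' or the scope is invalid."
)
DENIED = re.compile(r"perform\s+action\s+'([^']+)'\s+over\s+scope\s+'([^']+)'")


def scope_level(scope):
    """Classify an ARM scope: subscription, resource_group, resource or other."""
    parts = [p.lower() for p in scope.strip("/").split("/")]
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) >= 4 and parts[0] == "subscriptions" and parts[2] == "resourcegroups":
        return "resource_group" if len(parts) == 4 else "resource"
    return "other"


def triage(message):
    """Return what was denied and where, or None if no ARM denial is present."""
    match = DENIED.search(message)
    if match is None:
        return None
    # Terminal wrapping can split tokens ("r egister"), so drop inner whitespace.
    action, scope = ("".join(g.split()) for g in match.groups())
    namespace, _, operation = action.partition("/")
    registration = operation.lower() == "register/action"
    level = scope_level(scope)
    if registration and level == "subscription":
        hint = ("registration of %s denied at subscription scope; a role held "
                "only on a resource group does not cover it" % namespace)
    elif level in ("resource_group", "resource"):
        hint = "denied inside a resource group; check the role assignment there"
    else:
        hint = "denied at %s scope; confirm the tenant and subscription" % level
    return {"action": action, "namespace": namespace, "scope": scope,
            "level": level, "registration": registration, "hint": hint}
```
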
2

For your issue, when you have the Owner role of the resource group, you can create new resources or manage the existing resources as you want. So permission is no problem. With the test on my side, it works well using a user has the Owner role of the resource group.

As the error shows, I think the possible reason is that you have multiple subscriptions in the tenant and the current subscription is not the right one which the user has the right permission. You can try to take a check and set the right subscription via the command:

az account set --subscription subscription_id

Charles Xu
  • Thank you for your answer. I got this when I execute "az account list" : ` "cloudName": "AzureCloud", "id": "SUBSCRIPTIONID", "isDefault": true, "name": "SUBSCRIPTIONNAME", "state": "Enabled", "tenantId": "TENANTID", "user": { "name": "LOGINNAME", "type": "user" ` I do not have rights on this subscription but it is the only one subscription that I know. – Lbebitas Sep 12 '19 at 07:31
  • @Lbebitas Well, you check if you use the right tenant. – Charles Xu Sep 12 '19 at 07:40
  • Can you tell me more about tenant on Azure ? I do not have this vision from my point of view. I'm currently using a service and I have rights only on RG. Thank you a lot ! – Lbebitas Sep 12 '19 at 07:56
  • @Lbebitas What do you mean using a service? You can take a look at [here](https://learn.microsoft.com/en-us/office365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings) to learn about the tenant and subscription. What you need to do is find the right tenant and subscription that you have the permission to login. – Charles Xu Sep 12 '19 at 08:22
  • @Lbebitas Any more updates on the question? Did you solve the problem? – Charles Xu Sep 16 '19 at 01:36
  • Hello, No :( I tried with ServicePrincipal. I can do a : az login --service-principal -u ServicePrincipal -p Secret --tenant TENANT_ID But I still get the same error with Terraform. – Lbebitas Sep 17 '19 at 08:43
  • @Lbebitas As I said, you need to check if you log in the right tenant and subscription that you have the permission of the group. You can create the vnet via the terraform as you do in the portal. – Charles Xu Sep 17 '19 at 09:22
  • Hello, Problem solved ! The provider Microsoft.DevSpaces was not registered on this subscription. It works now. Thank you for your time. – Lbebitas Sep 17 '19 at 12:50
  • @Lbebitas Well, that's good news. And if it works for you please accept it as the answer. – Charles Xu Sep 19 '19 at 09:30
  • @Lbebitas I want to know the reason that you do not accept my answer if it solved your problem?! – Charles Xu Sep 26 '19 at 08:00
1

You may need to register the Resource provider by clicking on Register, as shown in the screenshot below, under the subscription ID.


Divyanshu mehta
0

Thank you for your answer.

I got this when I execute "az account list" :

    "cloudName": "AzureCloud",
    "id": "***********0d43",
    "isDefault": true,
    "name": "BU*******",
    "state": "Enabled",
    "tenantId": "TENANTID",
    "user": {
      "name": "LOGINNAME",
      "type": "user"

I do not have rights on this subscription but it is the only one that I know. On Azure WebUI I can see that the RGName is on the same subscription.

This is a capture from Azure WebUI on the RGName : Azure WebUI

Thank you

Lbebitas