Unable to create service principal in Azure playgrounds

Hi Everyone,

I’m trying to create a Terraform script to deploy resources in Azure; however, I’m not able to create a service principal in the playgrounds. Also, if we create an app registration, we are not able to provide access to it to perform the task. Please let me know if anyone has a workaround for this issue.

ERROR:
root@Jack:~# az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/a2b28c85-1948-4263-90ca-bade2bac4df4"
Creating 'Contributor' role assignment under scope '/subscriptions/a2b28c85-1948-4263-90ca-bade2bac4df4'
Role assignment creation failed.

role assignment response headers: {‘Cache-Control’: ‘no-cache’, ‘Pragma’: ‘no-cache’, ‘Content-Length’: ‘527’, ‘Content-Type’: ‘application/json; charset=utf-8’, ‘Expires’: ‘-1’, ‘x-ms-failure-cause’: ‘gateway’, ‘x-ms-request-id’: ‘6ea57b25-a095-4d5b-b1e2-d65990256b44’, ‘x-ms-correlation-request-id’: ‘6ea57b25-a095-4d5b-b1e2-d65990256b44’, ‘x-ms-routing-request-id’: ‘SOUTHCENTRALUS:20240924T074558Z:6ea57b25-a095-4d5b-b1e2-d65990256b44’, ‘Strict-Transport-Security’: ‘max-age=31536000; includeSubDomains’, ‘X-Content-Type-Options’: ‘nosniff’, ‘X-Cache’: ‘CONFIG_NOCACHE’, ‘X-MSEdge-Ref’: ‘Ref A: 57BC8EE1564A4AD48482F64FE067CE3A Ref B: MNZ221060618023 Ref C: 2024-09-24T07:45:58Z’, ‘Date’: ‘Tue, 24 Sep 2024 07:45:58 GMT’}

(AuthorizationFailed) The client ‘kk_lab_user_main-2d0a4452a5634b93@azurekmlprodkodekloud.onmicrosoft.com’ with object id ‘5508efc0-4a94-4d75-bf44-c9b79c4fdb73’ does not have authorization to perform action ‘Microsoft.Authorization/roleAssignments/write’ over scope ‘/subscriptions/a2b28c85-1948-4263-90ca-bade2bac4df4/providers/Microsoft.Authorization/roleAssignments/ca31effa-fa77-4f34-b7f1-2db555324fc4’ or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client ‘kk_lab_user_main-2d0a4452a5634b93@azurekmlprodkodekloud.onmicrosoft.com’ with object id ‘5508efc0-4a94-4d75-bf44-c9b79c4fdb73’ does not have authorization to perform action ‘Microsoft.Authorization/roleAssignments/write’ over scope ‘/subscriptions/a2b28c85-1948-4263-90ca-bade2bac4df4/providers/Microsoft.Authorization/roleAssignments/ca31effa-fa77-4f34-b7f1-2db555324fc4’ or the scope is invalid. If access was recently granted, please refresh your credentials.
root@Jack:~#

Thanks in advance.

Hi @Jayakumar

Is this part of some lab/course? If so, can you please share the link to the lab?

And, if you are trying to deploy some resources on Azure with TF, then I suppose there might be some issues with the permissions as Azure playground is a sandboxed environment with a limited set of permissions.

Hello! No, this was no assignment. I was trying it myself to understand the working better. Okay, maybe permissions can be a reason for this. Thank you.

You can create a service principal, although I don’t know how much you can do with it. Please take a look at some of the Azure docs on the subject. If you create a Code Shell window, the demo script from the doc actually works:

kk_lab_user_main-c0662f9910e149f [ ~ ]$ az ad sp create-for-rbac --name "pdtdevblogsp"
The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
{
  "appId": "10b5475f-d189-494c-b8cb-a63c536f564b",
  "displayName": "pdtdevblogsp",
  "password": "GfB8Q~qbSgE4twE_6psyHr1c-eT-pNgJnK237aJn",
  "tenant": "30fe8ff1-adc6-444d-ba94-1238894df42c"
}

If it works in Code Shell, it probably should work in Terraform. Again, you may well be limited as to what rights you can assign to the service principal. But at a minimum, you can create one.

Yes, you can create a service principal, but you don’t have enough permissions to assign any role to it. So the service principal will be useless.
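
The AuthorizationFailed error in this thread names the missing action, Microsoft.Authorization/roleAssignments/write. The following Python code is an added example, not part of the thread or of any Azure tooling: it evaluates Actions/NotActions the way Azure RBAC does, to show which required actions a set of assigned roles does not grant. The role blocks are constructed samples abridged from the built-in Contributor and Owner roles; the role the playground user actually holds is not stated on the page and is an assumption here.

```python
"""Added example: evaluate Azure RBAC Actions/NotActions for control-plane actions."""
from fnmatch import fnmatchcase

# Constructed sample data: abridged permission blocks modelled on the built-in
# Contributor and Owner roles. The playground user's real role is an assumption.
CONTRIBUTOR = {
    "actions": ["*"],
    "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}
OWNER = {"actions": ["*"], "notActions": []}

# The action named in the AuthorizationFailed message from the thread.
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"
# A typical action a Terraform deployment needs (hypothetical choice for this example).
RESOURCE_GROUP_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"


def _matches(action, patterns):
    # Action strings are compared case-insensitively; '*' is the only wildcard used.
    lowered = action.lower()
    return any(fnmatchcase(lowered, p.lower()) for p in patterns)


def block_allows(block, action):
    """A permission block grants an action if Actions match and NotActions do not."""
    return _matches(action, block["actions"]) and not _matches(action, block["notActions"])


def is_allowed(role_blocks, action):
    """Effective access is the union over assigned roles. NotActions only subtract
    within their own role; deny assignments are out of scope for this example."""
    return any(block_allows(block, action) for block in role_blocks)


def preflight(role_blocks, needed):
    """Return the actions in `needed` that the assigned roles do not grant."""
    return [action for action in needed if not is_allowed(role_blocks, action)]


if __name__ == "__main__":
    needed = [RESOURCE_GROUP_WRITE, ROLE_ASSIGNMENT_WRITE]
    print("Contributor is missing:", preflight([CONTRIBUTOR], needed))
    print("Owner is missing:", preflight([OWNER], needed))
```
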