Permissions error on subscription after azurerm provider upgrade

sampath.kovuri · May 12, 2023, 10:56am

Hi,
I am upgrading the azurerm provider from 3.49 to further versions and I am getting the below error.

Planning failed. Terraform encountered an error while generating this plan.
╷
│ Error: reading Subscription Alias “xxxx”: subscriptions.SubscriptionsClient#AliasGet: Failure responding to request: StatusCode=401 – Original Error: autorest/azure: Service returned an error. Status=401 Code=“UserNotAuthorized” Message=“User does not have access Microsoft.Subscription/aliases/write over scope providers/Microsoft.Subscription/aliases/xxxx”

I have observed that, there is no error when the subscription was created from terraform, however the issue is when the subscription was created manually and imported into the state file and then when running the terraform plan.

I tried to upgrade from 3.49.0 to all further versions and it’s throwing the same error.

mowge · May 24, 2023, 10:00am

I was able to “fix” this by assigning myself “owner” role for the sub I was struggling with. The whole sub alias permission model in Azure is weird and I don’t understand it… Permissions and roles for Aliases are separated from everything else for some reason. Anyways, this worked for me:

az role assignment create --assignee <your user or SP> --role owner --scope “providers/Microsoft.Subscription/aliases/<your-subscription-name>”

sampath.kovuri · May 26, 2023, 10:35am

Hi, thanks for the reply.
I am getting this issue even after having the owner access on the subscription level.

mowge · May 26, 2023, 10:50am

Note the scope “providers/Microsoft.Subscription/aliases/<sub>”

It’s a separate assignment compared to the regular subscription scope which is “subscription/<sub>”. Why Microsoft has done it like this is beyond my grasp…

sampath.kovuri · May 26, 2023, 11:24am

Yes, this did the trick. Thanks alot for the solution. I never think of the alias will have the separate permissions than the normal subscription…

kyle.engibous · June 8, 2023, 5:13pm

@sampath.kovuri - @mowge - i am encountering the same thing but when i attempt

#Example
az role assignment create --assignee 6efe0690-94dc-45fa-bf0a-325bf8c2338b --role owner --scope "providers/Microsoft.Subscription/aliases/networking-dev"

I get message -

The client ‘ecaa1e32-149c-4d20-a3e2-5e3e0c15d233’ with object id ‘ecaa1e32-149c-4d20-a3e2-5e3e0c15d233’ does not have authorization or an ABAC condition not fulfilled to perform action ‘Microsoft.Authorization/roleAssignments/write’ over scope ‘/providers/Microsoft.Subscription/aliases/networking-dev/providers/Microsoft.Authorization/roleAssignments/ced2f4ca-c7c1-49ca-94f9-1905b9a1e2b4’ or the scope is invalid. If access was recently granted, please refresh your credentials.

Any thoughts

mowge · June 12, 2023, 7:25am

I’m not sure what specific permissions would grant you the access to perform that specific assignment, but if you are a subscription owner I believe it should work. The way this is handled just looks messy in my eyes and I don’t really understand the model here…

If you are an owner, try reaching out to an AAD Global Administrator in your org and ask for help. They should be able to elevate their access and perform the assignment.

sampath.kovuri · June 12, 2023, 7:57am

Ideally the user/spn who created the subscription will have this specific permission by default, so try with their account for assigning the permissions