Permissions error on subscription after azurerm provider upgrade

I am upgrading the azurerm provider from 3.49 to further versions and I am getting the below error.

Planning failed. Terraform encountered an error while generating this plan.

│ Error: reading Subscription Alias "xxxx": subscriptions.SubscriptionsClient#AliasGet: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="UserNotAuthorized" Message="User does not have access Microsoft.Subscription/aliases/write over scope providers/Microsoft.Subscription/aliases/xxxx"

I have observed that there is no error when the subscription was created from Terraform. However, the issue occurs when the subscription was created manually and imported into the state file, and terraform plan is then run.

I tried to upgrade from 3.49.0 to all further versions and it’s throwing the same error.

I was able to “fix” this by assigning myself “owner” role for the sub I was struggling with. The whole sub alias permission model in Azure is weird and I don’t understand it… Permissions and roles for Aliases are separated from everything else for some reason. Anyways, this worked for me:

az role assignment create --assignee <your user or SP> --role owner --scope "providers/Microsoft.Subscription/aliases/<your-subscription-name>"

Hi, thanks for the reply.
I am getting this issue even after having owner access at the subscription level.

Note the scope “providers/Microsoft.Subscription/aliases/<sub>”

It’s a separate assignment compared to the regular subscription scope which is “subscription/<sub>”. Why Microsoft has done it like this is beyond my grasp…

Yes, this did the trick. Thanks a lot for the solution. I never thought the alias would have separate permissions from the normal subscription…
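
Added example, not part of the thread or written by any of the posters: a check-before-grant wrapper around the command above, so the alias-scope assignment is only created when the principal does not already hold it. The function names are hypothetical, and it assumes `az role assignment list` accepts the alias scope in the same form the thread passes to `create`.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Arguments: $1 = user or service principal, $2 = subscription alias name.

# Build the alias scope exactly as it is written in the thread.
alias_scope() {
  printf 'providers/Microsoft.Subscription/aliases/%s' "$1"
}

# Print the role names the principal holds at the alias scope, one per line.
# Assumption: "list" accepts this scope the same way "create" does above.
alias_roles() {
  az role assignment list \
    --assignee "$1" \
    --scope "$(alias_scope "$2")" \
    --query '[].roleDefinitionName' -o tsv
}

# Succeed only if the principal already has Owner at the alias scope.
# A role at the subscription scope does not satisfy this check, which is
# the situation reported in the thread.
has_alias_owner() {
  alias_roles "$1" "$2" | grep -qix 'owner'
}

# Create the assignment from the thread only when it is missing.
# Prints "present" or "created" so the caller can log what happened.
ensure_alias_owner() {
  if has_alias_owner "$1" "$2"; then
    echo "present"
  else
    az role assignment create \
      --assignee "$1" \
      --role owner \
      --scope "$(alias_scope "$2")" >/dev/null && echo "created"
  fi
}
```

Source the file, run `az login`, then call `ensure_alias_owner <your user or SP> <your-subscription-name>` before `terraform plan`.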