I can assign the Owner role to a service principal:

# Assign the Owner (Azure RBAC) role to the service principal at subscription scope
resource "azurerm_role_assignment" "sp-tenant-global-admin-role-assignment" {
  scope                = "subscriptions/${data.azurerm_client_config.current.subscription_id}"
  role_definition_name = "Owner"
  principal_id         = azuread_service_principal.sp-tenant-global-admin.object_id
}
However, when I want to assign the Global Administrator role, the Terraform code below fails:

# Attempt to assign Global Administrator the same way (this fails)
resource "azurerm_role_assignment" "sp-tenant-global-admin-role-assignment" {
  scope                = data.azurerm_subscription.current.tenant_id
  role_definition_name = "Global Administrator"
  principal_id         = azuread_service_principal.sp-tenant-global-admin.object_id
}
How to assign Global Administrator role to a Service Principal in Azure?
2 Answers
A couple of things: Owner sounds excessive; can I ask why you want to give an App Registration this high of a role?

The Terraform service principal (the one that CI/CD pipelines are using) sometimes needs Global Admin permissions. The way to create it in Terraform is to add azuread_directory_role & azuread_directory_role_assignment.
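The following is an added example of the pattern the answer names, not code from the question or the answer. Global Administrator is an Azure AD (Entra ID) directory role, not an Azure RBAC role definition, and a tenant ID is not a valid ARM scope, which is why `azurerm_role_assignment` in the question fails. Directory roles are activated with `azuread_directory_role` and granted with `azuread_directory_role_assignment` from the azuread provider. The variable `service_principal_object_id`, the resource names and the provider version constraint are assumptions made here; the template ID is the well-known fixed GUID for the Global Administrator role template.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0" # assumption: any 2.x release of the azuread provider
    }
  }
}

# The identity running this configuration must itself be allowed to manage
# directory roles (RoleManagement.ReadWrite.Directory, or Global Administrator /
# Privileged Role Administrator); otherwise the assignment below is rejected.
provider "azuread" {}

# Assumption: the object ID of the service principal created elsewhere
# (azuread_service_principal.<name>.object_id in the question).
variable "service_principal_object_id" {
  type        = string
  description = "Object ID of the service principal that should become Global Administrator"
}

# Activate the Global Administrator directory role in the tenant. Selecting it by
# template_id rather than display_name avoids depending on the localized name.
resource "azuread_directory_role" "global_admin" {
  template_id = "62e90394-69f5-4237-9190-012177145e10"
}

# Assign the activated role to the service principal. For built-in roles,
# role_id is the role template ID, not the activated role's object ID.
resource "azuread_directory_role_assignment" "sp_global_admin" {
  role_id             = azuread_directory_role.global_admin.template_id
  principal_object_id = var.service_principal_object_id
}

output "global_admin_role_object_id" {
  value = azuread_directory_role.global_admin.object_id
}
```

Run it with `terraform apply -var service_principal_object_id=<object-id>`. Two caveats a practitioner should keep in mind: the assignment is tenant-wide, and a Global Administrator can elevate itself to User Access Administrator over every subscription in the tenant, so the service principal's credentials or federated identity must be protected accordingly; and a directory role does not by itself grant access to Azure resources, so the RBAC assignment from the question is still what controls what the pipeline can do inside the subscription.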