
I can assign the Owner role to a service principal:

# Assign Owner Permission to the Service Principal
resource "azurerm_role_assignment" "sp-tenant-global-admin-role-assignment" {
  scope                = "subscriptions/${data.azurerm_client_config.current.subscription_id}"
  role_definition_name = "Owner"
  principal_id         = azuread_service_principal.sp-tenant-global-admin.object_id
}

However, when I try to assign the Global Administrator role, the Terraform code below fails:

# Fails: azurerm_role_assignment only creates Azure RBAC (ARM) assignments.
# "Global Administrator" is an Azure AD / Entra ID directory role, not an RBAC
# role definition, and tenant_id is a bare GUID rather than an ARM scope path.
resource "azurerm_role_assignment" "sp-tenant-global-admin-role-assignment" {
  scope                = data.azurerm_subscription.current.tenant_id
  role_definition_name = "Global Administrator"
  principal_id         = azuread_service_principal.sp-tenant-global-admin.object_id
}

How to assign Global Administrator role to a Service Principal in Azure?

2 Answers


  1. A couple of things:

    • You almost definitely DON’T want to grant a service principal this role!!! Service Principals (any AAD object for that matter) should always be granted RBAC roles under least privilege principle. Even Owner sounds excessive, can I ask why you want to give an App Registration this high of a role?
    • That aside, what is the role of the service connection’s service principal? It cannot grant roles greater than itself (this could be the issue potentially). Can you link/screenshot/dump the error you get from Terraform?
  2. The terraform service principal (the one that CI/CD pipelines are using) sometimes needs Global Admin permissions.
    The way to create it in terraform is to add azuread_directory_role & azuread_directory_role_assignment

    # Activates the built-in directory role template in the tenant (a no-op if it
    # is already active) and exposes its template_id and object_id.
    resource "azuread_directory_role" "global_admin" {
      display_name = "Global Administrator" #or any other directory role
    }
    
    # Directory role assignments go through Microsoft Graph, not ARM, so they use
    # the azuread provider. role_id takes the template_id for built-in roles.
    resource "azuread_directory_role_assignment" "sp_directory_role_assignment" {
      role_id             = azuread_directory_role.global_admin.template_id
      principal_object_id = azuread_service_principal.primary_sp.object_id
    }
    
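A complete configuration showing both kinds of assignment side by side, added here as an example and not taken from the question or either answer: an Azure RBAC role on the subscription (azurerm provider, ARM scope) and a directory role on the tenant (azuread provider, Microsoft Graph). The application name, resource labels, and provider version constraints are assumptions for this example.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.47"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azuread" {}

provider "azurerm" {
  features {}
}

data "azurerm_subscription" "current" {}

# App registration and service principal for the CI/CD pipeline.
# The display name and labels are assumptions for this example.
resource "azuread_application" "ci" {
  display_name = "ci-pipeline-example"
}

resource "azuread_service_principal" "ci" {
  client_id = azuread_application.ci.client_id
}

# 1) Azure RBAC (ARM) role: scoped to a subscription, resource group or resource.
#    This is all azurerm_role_assignment can manage, which is why a directory
#    role name such as "Global Administrator" is rejected here.
resource "azurerm_role_assignment" "ci_owner" {
  scope                = data.azurerm_subscription.current.id # "/subscriptions/<guid>"
  role_definition_name = "Owner"
  principal_id         = azuread_service_principal.ci.object_id
  principal_type       = "ServicePrincipal" # avoids the replication race on a fresh SP
}

# 2) Entra ID (Azure AD) directory role: tenant-wide, managed through Graph.
#    azuread_directory_role activates the built-in template in the tenant
#    (no-op if already active); the assignment then references its template_id.
#    If the pipeline only needs to manage app registrations, prefer a narrower
#    built-in role such as "Application Administrator" over Global Administrator.
resource "azuread_directory_role" "global_admin" {
  display_name = "Global Administrator"
}

resource "azuread_directory_role_assignment" "ci_global_admin" {
  role_id             = azuread_directory_role.global_admin.template_id
  principal_object_id = azuread_service_principal.ci.object_id
}

output "ci_service_principal_object_id" {
  value = azuread_service_principal.ci.object_id
}
```

The identity running `terraform apply` must itself be allowed to hand out the directory role: for a user that means Privileged Role Administrator or Global Administrator; for a service principal running the pipeline, the Microsoft Graph application permission RoleManagement.ReadWrite.Directory with admin consent. Otherwise the azuread_directory_role_assignment create call fails with an authorization error from Graph. To verify what a principal actually holds afterwards, query Graph directly, for example `az rest --method GET --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?\$filter=principalId eq '<object-id>'"`, and compare the returned roleDefinitionId values against the templates you intended to grant.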