Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Principals of type Application cannot validly be used in role assignments. #1

Open
rnkhouse opened this issue Jan 16, 2019 · 12 comments
Open

Principals of type Application cannot validly be used in role assignments. #1

rnkhouse opened this issue Jan 16, 2019 · 12 comments

Comments

@rnkhouse
Copy link

rnkhouse commented Jan 16, 2019
edited
Loading

Getting below error on terraform apply:
Using object ID.

2 error(s) occurred:

* azurerm_role_assignment.ra1: 1 error(s) occurred:

* azurerm_role_assignment.ra1: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="PrincipalTypeNotSupported" Message="Principals of type Application cannot validly be used in role assignments."
* azurerm_kubernetes_cluster.test: 1 error(s) occurred:

* azurerm_kubernetes_cluster.test: Error creating/updating Managed Kubernetes Cluster "aks-cluster1" (Resource Group "aksrg1"): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="ServicePrincipalNotFound" Message="Service principal clientID: xxxxx-xxxxx-xxxxx-xxxxx not found in Active Directory tenant xxxxx-xxxxx-xxxxx-xxxxx, Please see https://aka.ms/acs-sp-help for more details."

I also tried with using tenant ID but getting PrincipalNotFound error.
@rnkhouse rnkhouse changed the title Resource group was not found Principals of type Application cannot validly be used in role assignments. Jan 16, 2019
@rnkhouse rnkhouse reopened this Jan 16, 2019
@alanold
Copy link

alanold commented Jul 5, 2019

I'm getting the same error (Principals of type Application cannot validly be used in role assignments) when trying to add deploy role assignments via ARM template

I've tried parsing the appId and objectId of the service principle
Any update on this ?

@dabasejumper
Copy link

Getting the same errors as well.

@audunsolemdal
Copy link

audunsolemdal commented Dec 4, 2019
edited
Loading

Same issue in ARM template for type
"Microsoft.Network/virtualNetworks/providers/roleAssignments"

@uolter
Copy link

uolter commented Dec 30, 2019

I had the same issue. Paying more attention to the name of the variable in my terraform.tfvars definition I realized I was using the wrong object_id. Indeed it is required the one related to my subscription instead of the application object id.
I hope this is helpful.

@christian-vorhemus
Copy link
Member

And as an additional input for everyone else stumbling into this: When you create a new "app registration" in the Azure portal, actually two objects are created: An application object and a service principal object. The object ID which appears in the Azure portal is the application object ID, not the service principal object ID. So what you can do is:

Create a SP:
az ad sp create-for-rbac -n "sample-sp"

List details for the newly created SP:
az ad sp list --filter "displayName eq 'sample-sp'"

objectid

Use the object ID from the CLI as the object ID you enter in Terraform.

@RobertoBorges
Copy link

And as an additional input for everyone else stumbling into this: When you create a new "app registration" in the Azure portal, actually two objects are created: An application object and a service principal object. The object ID which appears in the Azure portal is the application object ID, not the service principal object ID. So what you can do is:

Create a SP:
az ad sp create-for-rbac -n "sample-sp"

List details for the newly created SP:
az ad sp list --filter "displayName eq 'sample-sp'"

objectid

Use the object ID from the CLI as the object ID you enter in Terraform.

So why not to show in the portal the Service Principal Object ID ?
Every day many folks have the same problem not just with AKS but with many other services in Azure!

@severity1
Copy link

You can also find the object id through the Enterprise Application.

@jku-sr jku-sr mentioned this issue Jun 22, 2022
Open
@thenakulchawla
Copy link

And as an additional input for everyone else stumbling into this: When you create a new "app registration" in the Azure portal, actually two objects are created: An application object and a service principal object. The object ID which appears in the Azure portal is the application object ID, not the service principal object ID. So what you can do is:

Create a SP: az ad sp create-for-rbac -n "sample-sp"

List details for the newly created SP: az ad sp list --filter "displayName eq 'sample-sp'"

objectid

Use the object ID from the CLI as the object ID you enter in Terraform.

I tried this, but there was no key ObjectId in my json output.

@ArnWEB
Copy link

ArnWEB commented Jul 30, 2022

same issue

@thenakulchawla
Copy link

same issue

I found the answer. The json response has an id key, which is actually the objectId.

@jtracey93 jtracey93 mentioned this issue May 18, 2023
Closed
@alexivanov-danone
Copy link

alexivanov-danone commented Apr 30, 2024
edited
Loading

I have to agree this is missleading. Application_id i understand, but ojbect_id i don't. And things changed, as this requires the object_id (id) or the service principal runnning behind the application (App registration)
https://learn.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-create-optional-parameters:
--assignee-object-id Use this parameter instead of '--assignee' to bypass Graph API invocation in case of insufficient privileges. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.

@PLsergent
Copy link

I don't know if it's going to be useful but after creating an app registration you can access the service principal object Id from the enterprise application and this solved it for me. The object id of the enterprise application is different from the one in the app registration.
image
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests