2
votes

I am trying to run terraform apply on a folder with a tf file, after running init.

However, I get the error below:

Error running plan: 1 error(s) occurred:

  • provider.azurerm: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: resources.ProvidersClient#List: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '17cd0b64-08fb-48db-ad9f-4dd56361bb47' with object id '17cd0b64-08fb-48db-ad9f-4dd56361bb47' does not have authorization to perform action 'Microsoft.Resources/subscriptions/providers/read' over scope '/subscriptions/9a305d25-7f89-43d4-a691-62ad0f63c5c8'."

The tf file has my tenant id, subscription id, all the other required fields, but the error keeps happening. Please advise?

EDIT: Below is my tf file

provider "azurerm" {
  subscription_id = "****"
  client_id       = "**client_id**"
  client_secret   = "****"
  tenant_id       = "**+*"
}



# Create a resource group
resource "azurerm_resource_group" "production" {
  name     = "productiongs"
  location = "West US"
}
4
You are a 21k user on Stack Overflow, but you ask a question without any details other than the error message. Is there something else you can provide, such as the code, how you run the commands, the environment variables you set, and so on? – BMW
Did you really post your secret credentials?! If that's the case, please revoke them and audit your setup for any changes done using the given creds. – Anshu Prateek

4 Answers

3
votes

Without seeing your terraform setup it's hard to know the exact problem, but I am guessing you are missing your client_id and client_secret.

So your provider would look something like this:

provider "azurerm" {
  subscription_id = "..."
  client_id       = "..."
  client_secret   = "..."
  tenant_id       = "..."
}

More information here: https://www.terraform.io/docs/providers/azurerm/

1
votes

Looking at the given error message, I would say the given credentials do not have the required permissions over the said resources.

 perform action 'Microsoft.Resources/subscriptions/providers/read'
 over scope '/subscriptions/9a305d25-7f89-43d4-a691-62ad0f63c5c8'."

Did you create your credentials as per the instructions given at

https://www.terraform.io/docs/providers/azurerm/

Also, from https://github.com/Azure/vagrant-azure/issues/127#issuecomment-226659944

"To enable the application for use with Azure RM, you now need to switch to the 'New' Portal:" and further. You need to add that app credential to the Azure portal and give it permission. The trick is adding it by name manually, as "Type in the name of the application added in the 'Classic' Portal. You need to type this as it won't be shown in the user list. Click on the appropriate user in the list and then click Select"

1
votes

I am getting this from time to time, especially when trying to debug code and repeatedly hitting the API. It seems to solve itself when you leave it for a while.

I speculate whether I am hitting a rule on their API management.

1
votes

It looks like the Service Principal doesn't have the Contributor role assigned to it.

Just go to the Subscription in the portal, select Access Control (IAM) and add the role assignment, Contributor, to your Service Principal.


Or follow these instructions
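
The error in the question names the principal, the action and the scope, which is enough to check whether a given role assignment would have allowed the call. The following is an added example, not code from any answer on this page; the role definitions are abbreviated and the role assignments are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Error text as quoted in the question (line-wrap spaces removed).
ERROR = ("The client '17cd0b64-08fb-48db-ad9f-4dd56361bb47' with object id "
         "'17cd0b64-08fb-48db-ad9f-4dd56361bb47' does not have authorization to perform "
         "action 'Microsoft.Resources/subscriptions/providers/read' over scope "
         "'/subscriptions/9a305d25-7f89-43d4-a691-62ad0f63c5c8'.")

# Abbreviated built-in role definitions (assumption: only the parts needed here).
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {"actions": ["*"], "not_actions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
}

def parse_denial(message):
    """Extract principal, action and scope from an AuthorizationFailed message."""
    m = re.search(r"client '([^']+)' with object id '([^']+)' does not have "
                  r"authorization to perform action '([^']+)' over scope '([^']+)'", message)
    if not m:
        raise ValueError("not an AuthorizationFailed message")
    return dict(zip(("client", "object_id", "action", "scope"), m.groups()))

def role_allows(role, action):
    """Azure RBAC: allowed if an Actions pattern matches and no NotActions pattern does."""
    hit = lambda pats: any(fnmatchcase(action.lower(), p.lower()) for p in pats)
    return hit(ROLES[role]["actions"]) and not hit(ROLES[role]["not_actions"])

def scope_covers(assigned, requested):
    """An assignment applies to its own scope and everything beneath it."""
    a, r = assigned.rstrip("/").lower(), requested.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def explain(message, assignments):
    """Return the (role, scope) assignments that would have permitted the request."""
    d = parse_denial(message)
    return [(a["role"], a["scope"]) for a in assignments
            if a["principal"] == d["object_id"] and scope_covers(a["scope"], d["scope"])
            and role_allows(a["role"], d["action"])]

if __name__ == "__main__":
    d = parse_denial(ERROR)
    # Constructed assignment: Contributor on one resource group only.
    rg = {"principal": d["object_id"], "role": "Contributor",
          "scope": d["scope"] + "/resourceGroups/productiongs"}
    print(explain(ERROR, [rg]))
```

The denied action in the error is at subscription scope, so an assignment limited to a resource group does not cover it, while a subscription-level Reader or Contributor assignment does.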