0
votes

Right now I am using Ansible playbooks to create an Azure resource group on CentOS 7.0, and I created a credential file like this:

[default]
subscription_id=my_subscription_id
client_id=<the application ID>
secret=<the password>
tenant=<my aad id>

and it throws an error like this:

{"changed": false, "msg": "Error checking for existence of name ansible-rg - 403 Client Error: Forbidden for url: https://management.azure.com/subscriptions/my_subscription_id/resourcegroups/ansible-rg?api-version=2017-05-10"}

I know it may be because I lack permission on my subscription, but I am not sure what I should do about this.

2
Did you grant your service principal permissions? Also, how did you install Ansible? This doesn't look like a permissions error on the Azure side. - 4c74356b41
Seems your service principal does not have the permission to create the resource group. Try: navigate to your subscription in the portal -> Access control (IAM) -> Add -> Add role assignment -> add your service principal as a role (e.g. owner) in the subscription. - Joy Wang-MSFT
Thanks @JoyWang, I will try it. - joe huang
@JoyWang no, this error doesn't look like that at all. - 4c74356b41
@4c74356b41 Thanks for your help. I have tried what Joy said before, and it seems it works well right now... I should add service principal to the subscription. - joe huang

2 Answers

0
votes

Seems your service principal does not have the permission to create the resource group.

Try: navigate to your subscription in the portal -> Access control (IAM) -> Add -> Add role assignment -> add your service principal as a role (e.g. owner) in the subscription.
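
An added example, not part of the original answer or of Ansible: this Python helper reads a credentials profile laid out like the one in the question, pulls the subscription and resource group out of the 403 URL, and builds the `az role assignment` commands to list and grant access for the service principal. It assumes the Contributor role at subscription scope, which can create resource groups but, unlike Owner, cannot change role assignments; the GUIDs, the secret and the function names are constructed placeholders.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sample input: same layout as the question's file, placeholder values.
SAMPLE_CREDENTIALS = """[default]
subscription_id=00000000-0000-0000-0000-000000000001
client_id=00000000-0000-0000-0000-000000000002
secret=not-a-real-secret%1
tenant=00000000-0000-0000-0000-000000000003
"""
# Constructed sample input: the question's error with the placeholder subscription id.
SAMPLE_ERROR = ('{"changed": false, "msg": "Error checking for existence of name ansible-rg'
                ' - 403 Client Error: Forbidden for url: https://management.azure.com'
                '/subscriptions/00000000-0000-0000-0000-000000000001/resourcegroups'
                '/ansible-rg?api-version=2017-05-10"}')

HTTP_ERROR = re.compile(r"(\d{3}) Client Error: .*? for url: (\S+)")
ARM_PATH = re.compile(r"^/subscriptions/([^/]+)(?:/resourcegroups/([^/]+))?", re.I)
MEANING = {401: "token rejected: check client_id, secret and tenant",
           403: "token accepted, request refused: check role assignments first"}

def load_profile(text, profile="default"):
    # interpolation=None so a '%' inside the secret is not treated as a reference
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return dict(parser[profile])

def triage(error_msg, creds):
    """Return what the failed call targeted and the commands to check and grant access."""
    match = HTTP_ERROR.search(error_msg)
    path = ARM_PATH.match(urlparse(match.group(2)).path) if match else None
    if not path:
        raise ValueError("not a subscription-scoped ARM client error")
    status = int(match.group(1))
    sub, rg = path.group(1), path.group(2)
    scope = f"/subscriptions/{sub}"  # a new resource group is created at subscription scope
    app = creds["client_id"]  # the secret is never copied into the result
    return {
        "status": status, "meaning": MEANING.get(status, "see response body"),
        "subscription": sub, "resource_group": rg, "scope": scope,
        "same_subscription": creds["subscription_id"].lower() == sub.lower(),
        "check": f"az role assignment list --assignee {app} --all --subscription {sub}",
        "grant": f"az role assignment create --assignee {app} --role Contributor --scope {scope}",
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ERROR, load_profile(SAMPLE_CREDENTIALS)).items():
        print(f"{key}: {value}")
```

If `same_subscription` is false, the playbook is calling a different subscription than the one in the credentials file, and a role assignment on the file's subscription will not help.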

0
votes

For others that might have this error, make sure to also check that your current subscription is not on Pay-As-You-Go, as you will see the same error:

FAILED! => {"changed": false, "msg": "Error checking for existence of name * - 403 Client Error: Forbidden for url: https://management.azure.com/subscriptions/*/resourcegroups/rg-cs-ansible?api-version=2017-05-10"}

See screenshot sample as seen in Azure