Terraform AzureRM provider role assignment "does not have authorization" in CI
Azure returned an authorization failure: the service principal CI authenticated as does not have the RBAC permission for the action on the scope. The login succeeded; the role assignment does not cover this operation.
What this error means
terraform apply fails with "authorization.RoleAssignmentsClient#Create: ... Code=\"AuthorizationFailed\" Message=\"The client '...' with object id '...' does not have authorization to perform action '...' over scope '...'\"".
Error: authorization.RoleAssignmentsClient#Create: Failure responding to
request: StatusCode=403 -- Code="AuthorizationFailed" Message="The client
'00000000-...' with object id '00000000-...' does not have authorization to
perform action 'Microsoft.Authorization/roleAssignments/write' over scope
'/subscriptions/.../resourceGroups/app'."Common causes
The SP lacks the RBAC role for the action
Creating role assignments needs Owner or User Access Administrator; a Contributor SP cannot write role assignments.
The role is assigned at the wrong scope
The SP has the role on a different subscription or resource group than the scope in the error, so the action is denied here.
How to fix it
Grant the SP the required role at the right scope
- Read the action and scope from the error message.
- Assign a role that allows it (for role assignments, User Access Administrator or Owner) at that scope.
- Re-run apply after the assignment propagates.
az role assignment create \
--assignee <sp-object-id> \
--role "User Access Administrator" \
--scope /subscriptions/<sub>/resourceGroups/appConfirm the authenticated principal
Verify CI is using the SP you granted, not a different identity.
az account show --query user -o jsonHow to prevent it
- Grant the CI SP the minimum role that covers its actions.
- Assign roles at the scope the config actually targets.
- Use User Access Administrator or Owner only where role assignments are managed.