Terraform azurerm "AuthorizationFailed" in CI
Azure rejected the operation because the authenticated principal does not have a role assignment granting the action at the resource/subscription scope. Authentication worked; authorization did not.
What this error means
apply fails with AuthorizationFailed, naming the action and scope. The service principal authenticated (it reached ARM) but has no RBAC role permitting the operation on that resource group/subscription.
Error: creating Resource Group "app-rg": resources.GroupsClient#CreateOrUpdate:
Failure responding to request: StatusCode=403 -- Original Error:
autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed"
Message="The client '...' with object id '...' does not have authorization to
perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over
scope '/subscriptions/...'."Common causes
Service principal missing an RBAC role
The principal has no role assignment (e.g. Contributor) granting the action at the subscription/resource-group scope.
Role assigned at the wrong scope
A role assigned at a narrower scope than the operation targets does not authorize the action.
How to fix it
Assign the needed role at the right scope
Grant the principal a role (Contributor or a least-privilege custom role) at the subscription or resource-group scope it operates on.
az role assignment create \
--assignee <sp-object-id> \
--role Contributor \
--scope /subscriptions/<sub-id>Verify principal and scope
- Confirm the CI principal object ID matches the one in the error.
- Check the scope of existing role assignments covers the target.
- Confirm the correct subscription is selected (ARM_SUBSCRIPTION_ID).
How to prevent it
- Assign CI service principals least-privilege roles at the correct scope.
- Keep ARM_SUBSCRIPTION_ID aligned with the target subscription.
- Audit role assignments when new resource types are added.