Comments (12)
And as an additional input for everyone else stumbling into this: When you create a new "app registration" in the Azure portal, actually two objects are created: An application object and a service principal object. The object ID which appears in the Azure portal is the application object ID, not the service principal object ID. So what you can do is:
Create a SP:
az ad sp create-for-rbac -n "sample-sp"
List details for the newly created SP:
az ad sp list --filter "displayName eq 'sample-sp'"
Use the object ID from the CLI as the object ID you enter in Terraform.
from terraform-azurerm-appgw-ingress-k8s-cluster.
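The three GUIDs that get mixed up in this thread (application object id, appId, service principal object id) can be told apart programmatically before anything is fed to Terraform. The following is an added example, not code from the thread or the module; it parses JSON shaped like the output of `az ad app show` and `az ad sp list` (keys `id`, `appId`, `displayName`), but the payloads and GUIDs below are constructed.

```python
"""Pick the service principal object id that role assignments need, not the
application object id the portal shows. Added example with constructed data."""
import json

# Constructed sample, shaped like `az ad app show --id <appId>` (trimmed).
APP_REGISTRATION_JSON = """
{"id": "11111111-1111-1111-1111-111111111111",
 "appId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
 "displayName": "sample-sp"}
"""

# Constructed sample, shaped like `az ad sp list --filter "displayName eq 'sample-sp'"`.
SERVICE_PRINCIPAL_LIST_JSON = """
[{"id": "22222222-2222-2222-2222-222222222222",
  "appId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
  "displayName": "sample-sp",
  "servicePrincipalType": "Application"}]
"""


def service_principal_object_id(app_json: str, sp_list_json: str) -> str:
    """Return the object id (`id`) of the service principal backing the app registration."""
    app = json.loads(app_json)
    sps = json.loads(sp_list_json)
    # Match on appId rather than displayName: display names are not unique in a tenant.
    matches = [sp["id"] for sp in sps if sp.get("appId") == app["appId"]]
    if len(matches) != 1:
        raise LookupError(
            f"expected exactly one service principal for appId {app['appId']}, "
            f"found {len(matches)}"
        )
    return matches[0]


def classify_principal_id(candidate: str, app_json: str, sp_list_json: str) -> str:
    """Say which GUID a value is, so the wrong one is caught before `terraform apply`."""
    app = json.loads(app_json)
    sp_id = service_principal_object_id(app_json, sp_list_json)
    if candidate == sp_id:
        return "service_principal_object_id"  # what object_id / --assignee-object-id expects
    if candidate == app["id"]:
        return "application_object_id"  # the id the portal shows; rejected in role assignments
    if candidate == app["appId"]:
        return "application_client_id"  # the appId; not an object id of any principal
    return "unknown"


if __name__ == "__main__":
    print(service_principal_object_id(APP_REGISTRATION_JSON, SERVICE_PRINCIPAL_LIST_JSON))
```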
I had the same issue. Paying more attention to the name of the variable in my terraform.tfvars definition, I realized I was using the wrong object_id. Indeed, the required one is the one related to my subscription instead of the application object ID.
I hope this is helpful.
So why not show the Service Principal Object ID in the portal?
Every day many folks have the same problem, not just with AKS but with many other services in Azure!
Same issue.
I found the answer. The JSON response has an id key, which is actually the objectId.
I'm getting the same error (Principals of type Application cannot validly be used in role assignments) when trying to add deploy role assignments via ARM template.
I've tried passing the appId and objectId of the service principal.
Any update on this?
I tried this, but there was no key ObjectId in my JSON output.
Getting the same errors as well.
Same issue in ARM template for type "Microsoft.Network/virtualNetworks/providers/roleAssignments".
You can also find the object id through the Enterprise Application.
Same issue.
I have to agree this is misleading. application_id I understand, but object_id I don't. And things changed, as this requires the object_id (id) of the service principal running behind the application (App registration).
https://learn.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-create-optional-parameters:
--assignee-object-id Use this parameter instead of '--assignee' to bypass Graph API invocation in case of insufficient privileges. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.
I don't know if it's going to be useful but after creating an app registration you can access the service principal object Id from the enterprise application and this solved it for me. The object id of the enterprise application is different from the one in the app registration.