Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify the least privilege permissions needed for azuread_application #920

Closed
mathias-nyman opened this issue Nov 4, 2022 · 2 comments · Fixed by #921
Closed

Clarify the least privilege permissions needed for azuread_application #920

mathias-nyman opened this issue Nov 4, 2022 · 2 comments · Fixed by #921
Labels
documentation feature/applications
Milestone
v2.32.0

Comments

@mathias-nyman
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The permissions Application.ReadWrite.All and Directory.ReadWrite.All are extremely high privilege permissions on the Azure tenant level and should not be used unless absolutely unavoidable.

The current documentation states:

When authenticated with a service principal, this resource requires one of the following application roles: Application.ReadWrite.All or Directory.ReadWrite.All

It may be possible to create applications using this resource with the Application.ReadWrite.OwnedBy application role, provided the principal being used to run Terraform is included in the owners property. ...

The statement that the permission Application.ReadWrite.OwnedBy may be sufficient is vague and leads engineers to needlessly resort to tenant level write permissions at the first error they face.

There is one common pattern at the moment for which users get 403 with just the Application.ReadWrite.OwnedBy permission: if you specify additional owners of an azuread_application you, in addition to Application.ReadWrite.OwnedBy also need User.Read.All. This should be added to the documentation.

New or Affected Resource(s)

  • azuread_application

Potential Terraform Configuration

References

Issues about receiving a 403 when using additional owners and resolved by adding the User.Read.All permission:
#703
#853
@mathias-nyman mathias-nyman mentioned this issue Nov 4, 2022
Merged
@manicminer manicminer linked a pull request Nov 7, 2022 that will close this issue
Clarify the least privilege permissions needed for the azuread_application #921
Merged
@manicminer manicminer added this to the v2.31.0 milestone Nov 7, 2022
@manicminer manicminer modified the milestones: v2.31.0, v2.32.0 Dec 1, 2022
@github-actions
Copy link

This functionality has been released in v2.32.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
documentation feature/applications
Projects
None yet
Milestone
v2.32.0
2 participants
@manicminer @mathias-nyman