Azure Resource Manager (ARM) 403 POST Error


Prince Kannah

Mar 2, 2016, 2:46:28 AM
to Terraform
Hi,

I'm new to Terraform and working on an Azure Resource Manager (ARM) provider Terraform configuration. However, I have run into a roadblock and I'm not quite sure where to start looking for a fix. I understand that in order to use azurerm, Terraform needs to talk to Azure through the new ARM API by providing a subscription_id, tenant_id as well as a client_id and client secret (required, although listed as optional). After much searching I was pointed to this webpage (Authenticating Azure Resource Manager Request). Following the instructions in "Create active directory application..." I was able to generate all the needed values. I tested the settings by trying terraform apply and received the message below:

Refreshing Terraform state prior to plan...


Error refreshing state: 1 error(s) occurred:

* autorest:DoErrorUnlessStatusCode 403 POST https://management.azure.com/subscriptions/<subscription_id>/providers/Microsoft.Network/register?api-version=2014-04-01-preview failed with 403 Forbidden


I then ran curl -iv and received this output: 
*   Trying 65.52.117.246...
* Connected to management.azure.com (65.52.117.246) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* Server certificate: management.azure.com
* Server certificate: Microsoft IT SSL SHA2
* Server certificate: Baltimore CyberTrust Root
> GET /subscriptions/<subscription_id>/providers/Microsoft.Network/register?api-version=2014-04-01-preview HTTP/1.1
> User-Agent: curl/7.43.0
> Accept: */*
< HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
< Cache-Control: no-cache
Cache-Control: no-cache
< Pragma: no-cache
Pragma: no-cache
< Content-Type: application/json; charset=utf-8
Content-Type: application/json; charset=utf-8
< Expires: -1
Expires: -1
< WWW-Authenticate: Bearer authorization_uri="https://login.windows.net/<tenant_id>", error="invalid_token", error_description="The authentication failed because of missing 'Authorization' header."
WWW-Authenticate: Bearer authorization_uri="https://login.windows.net/<tenant_id>", error="invalid_token", error_description="The authentication failed because of missing 'Authorization' header."
< x-ms-failure-cause: gateway
x-ms-failure-cause: gateway
< x-ms-request-id: fa3ff40a-2718-4232-8890-0d6c5fd52b43
x-ms-request-id: fa3ff40a-2718-4232-8890-0d6c5fd52b43
< x-ms-correlation-request-id: fa3ff40a-2718-4232-8890-0d6c5fd52b43
x-ms-correlation-request-id: fa3ff40a-2718-4232-8890-0d6c5fd52b43
< x-ms-routing-request-id: WESTUS:20160302T071506Z:fa3ff40a-2718-4232-8890-0d6c5fd52b43
x-ms-routing-request-id: WESTUS:20160302T071506Z:fa3ff40a-2718-4232-8890-0d6c5fd52b43
< Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains
< Date: Wed, 02 Mar 2016 07:15:05 GMT
Date: Wed, 02 Mar 2016 07:15:05 GMT
< Connection: close
Connection: close
< Content-Length: 115
Content-Length: 115

* Closing connection 0
{"error":{"code":"AuthenticationFailed","message":"Authentication failed. The 'Authorization' header is missing."}}

From what I can gather it seems like Terraform is able to reach Azure but is having trouble getting in. Is this the correct way of looking at it? Another bit that caught my eye was
register?api-version=2014-04-01-preview
Would this have any effect on whether or not Terraform is authenticated properly? 

I'm currently running Terraform version 0.6.12 and my configuration file.
Any suggestions or more information would be greatly appreciated.

Prince Kannah

Mar 2, 2016, 9:34:38 AM
to Terraform
Took another crack at it this morning and was able to get it going. It was a simple permission settings problem. I wasn't giving the Terraform Service Principal enough rights to be able to work on ARM.

Brad Pinter

Mar 16, 2016, 2:38:37 PM
to Terraform
Can I ask what rights you added/changed? I am running into the same error (I believe) and I am not finding any success with the permissions I've changed. Thanks.

Prince Kannah

Mar 16, 2016, 3:57:13 PM
to Terraform
Hey Brad,
I added a Contributor role to the service principal I created. This tutorial creates a service principal that has a Reader role. Changing that to Contributor (which lets you manage everything except access to resources) does the trick. Hope that helps!
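
Why a Reader-role service principal gets 403 on the POST to `.../providers/Microsoft.Network/register` while Contributor does not, as an added example that is not part of the original thread. It assumes the operation name `Microsoft.Network/register/action` and uses abbreviated copies of the built-in role definitions; the function names are hypothetical.

```python
import re

# Assumption: abbreviated Actions/NotActions of the built-in roles
# (constructed for this example, not pulled from a live subscription).
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
}

# Assumption: the operation ARM authorizes for the provider registration POST.
REGISTER = "Microsoft.Network/register/action"


def _matches(pattern, operation):
    """Azure RBAC pattern match: '*' is a wildcard, comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def is_allowed(role_name, operation):
    """Allowed when some Action matches and no NotAction excludes it."""
    role = ROLES[role_name]
    granted = any(_matches(p, operation) for p in role["actions"])
    excluded = any(_matches(p, operation) for p in role["not_actions"])
    return granted and not excluded


def expected_status(role_name, operation):
    """HTTP status an authenticated caller holding only this role would see."""
    return 200 if is_allowed(role_name, operation) else 403


if __name__ == "__main__":
    for role in ROLES:
        print(role, REGISTER, expected_status(role, REGISTER))
```

The same check can be run against a custom role's action list to confirm it covers the register operation before assigning something narrower than Contributor.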

Brad Pinter

Mar 16, 2016, 4:02:15 PM
to Terraform
Thanks!