DevOps
Fix Terraform Error: CloudWatch Log Group Already Exists
Fix terraform CloudWatch Log Group ResourceAlreadyExistsException. Import orphaned log groups, prevent Lambda auto-creation
3 min read
DevOps
Fix Terraform Error - Azure Authorization Failed
Fix Azure AuthorizationFailed errors in Terraform. Configure service principal RBAC roles, managed identities, and subscription-level permissions.
LLuca Berton2 min read
Quick Answer
#Your Azure service principal or user account lacks the required RBAC role for the operation. Assign the Contributor role at the subscription or resource group level, or a more specific role for the service you're targeting.
The Error
#Error: authorization failed.
AuthorizationFailed: The client 'xxx' with object id 'yyy'
does not have authorization to perform action
'Microsoft.Compute/virtualMachines/write' over scope
'/subscriptions/SUB_ID/resourceGroups/RG/providers/Microsoft.Compute/virtualMachines/vm1'Error: creating Resource Group: authorization.AuthorizationFailedWhat Causes This Error
#1. Service Principal Missing Role
#The service principal used by Terraform has no role assignment or a role that's too restrictive.
2. Wrong Scope
#The role is assigned at resource group level but you're creating a resource in a different resource group.
3. Role Propagation Delay
#RBAC changes take 5-10 minutes to propagate. If you just assigned a role, wait and retry.
4. Subscription-Level Operations
#Some operations (creating resource groups, policy assignments) need subscription-level roles, not resource group-level.
5. Resource-Specific Roles Needed
#Some services need specialized roles beyond Contributor:
| Service | Required Role |
|---|---|
| Key Vault secrets/keys | Key Vault Administrator |
| DNS zones | DNS Zone Contributor |
| Role assignments | User Access Administrator |
| Policy assignments | Resource Policy Contributor |
| AKS RBAC | Azure Kubernetes Service RBAC Admin |
How to Fix It
#Solution 1: Assign Contributor Role
## Get your service principal's object ID
az ad sp show --id $ARM_CLIENT_ID --query id -o tsv
# Assign Contributor at subscription level
az role assignment create \
--assignee $ARM_CLIENT_ID \
--role "Contributor" \
--scope "/subscriptions/$ARM_SUBSCRIPTION_ID"
# Or at resource group level
az role assignment create \
--assignee $ARM_CLIENT_ID \
--role "Contributor" \
--scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/my-rg"Solution 2: Create a Properly Configured Service Principal
## Create SP with Contributor role
az ad sp create-for-rbac \
--name "terraform-deploy" \
--role "Contributor" \
--scopes "/subscriptions/$ARM_SUBSCRIPTION_ID"
# Output:
# {
# "appId": "xxx", → ARM_CLIENT_ID
# "password": "yyy", → ARM_CLIENT_SECRET
# "tenant": "zzz" → ARM_TENANT_ID
# }
# Set environment variables
export ARM_CLIENT_ID="appId-from-output"
export ARM_CLIENT_SECRET="password-from-output"
export ARM_SUBSCRIPTION_ID="your-subscription-id"
export ARM_TENANT_ID="tenant-from-output"Solution 3: Add Specialized Roles
## For Key Vault operations
az role assignment create \
--assignee $ARM_CLIENT_ID \
--role "Key Vault Administrator" \
--scope "/subscriptions/$ARM_SUBSCRIPTION_ID"
# For managing RBAC (role assignments in Terraform)
az role assignment create \
--assignee $ARM_CLIENT_ID \
--role "User Access Administrator" \
--scope "/subscriptions/$ARM_SUBSCRIPTION_ID"Solution 4: Use Managed Identity (Recommended for Azure VMs/AKS)
#provider "azurerm" {
features {}
use_msi = true # Use managed identity — no credentials needed
}# Assign role to the managed identity
az role assignment create \
--assignee-object-id $(az vm show -g my-rg -n my-vm --query identity.principalId -o tsv) \
--role "Contributor" \
--scope "/subscriptions/$ARM_SUBSCRIPTION_ID"Solution 5: Debug Authorization
## Check current role assignments
az role assignment list --assignee $ARM_CLIENT_ID --output table
# Check what permissions a role grants
az role definition list --name "Contributor" --query '[].permissions'
# Test the login
az login --service-principal -u $ARM_CLIENT_ID -p $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID
az account showTroubleshooting Checklist
#- ✅ Does the service principal have a role assigned? (
az role assignment list) - ✅ Is the role at the correct scope? (subscription vs resource group)
- ✅ Does the operation need a specialized role beyond Contributor?
- ✅ Have you waited 5-10 minutes for RBAC propagation?
- ✅ Are the
ARM_*environment variables correct? - ✅ Can you log in with
az login --service-principal?
Prevention Tips
#- Use Contributor + User Access Administrator for Terraform SPs that manage RBAC
- Assign roles at subscription level for multi-resource-group deployments
- Use managed identities when running Terraform from Azure VMs or pipelines
- Document required roles in your project README
- Use custom roles for least-privilege access in production
Related Articles
#- Terraform Troubleshooting - Common Errors and Solutions
- How to Use Terraform with Azure
- Terraform Glossary
Conclusion
#Azure authorization failures mean the RBAC role is missing or too restrictive. Assign the Contributor role at the subscription level for general Terraform use, add specialized roles for Key Vault or RBAC management, and use managed identities when running from Azure infrastructure.
#Terraform#Troubleshooting#DevOps#Error Fix#Infrastructure as Code
Related articles
DevOps
Fix Terraform Error: Cannot Import Into Existing State
Fix terraform import errors when a resource already exists in state. Covers state rm, state show, reimport workflow, import blocks
3 min read
DevOps
Fix Terraform Error: Too Many Command Line Arguments
Fix terraform too many command line arguments errors. Correct -var syntax, quote values with spaces, and learn proper Terraform CLI argument format for plan
3 min read
DevOps
Fix Terraform Error: Invalid Escape Sequence in String
Fix terraform invalid escape sequence errors. Double backslashes for Windows paths, use heredocs for regex, and learn all valid HCL escape sequences.
2 min read