I am trying to create a new resource group in Azure using Terraform, but I am getting the following error:
Error checking for presence of existing resource group: resources.GroupsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'xxxxx' with object id 'xxxxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/***/resourcegroups/stage-group' or the scope is invalid. If access was recently granted, please refresh your credentials.
This is the code sample:
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.7.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Create resource group
resource "azurerm_resource_group" "resource_group" {
  name     = "stage-group"
  location = "eastus"
}
I am running this through GitHub Actions and passing ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID, ARM_TENANT_ID. I don't have a problem when running the same for an existing resource.
You have to assign a proper role to your Service Principal at a higher scope - Subscription or Management group level, with the rights to create Resource Groups (Microsoft.Resources/subscriptions/resourceGroups/write).
Most of the time, Contributor is a good fit but you can look for more granular roles depending on your needs.
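As an added example (not part of the original answer), a more granular alternative to Contributor: a custom role that covers only resource group operations, assigned to the pipeline's Service Principal at subscription scope. The variable name and role name are hypothetical, and the example assumes a newer azurerm provider than the 2.7.0 pinned in the question, one that exposes `role_definition_resource_id`.

```hcl
# Added example: apply this with an administrator identity (Owner or
# User Access Administrator on the subscription), not with the pipeline's
# own Service Principal, which cannot grant itself access.
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# Hypothetical variable: the "object id" shown in the AuthorizationFailed error.
variable "pipeline_sp_object_id" {
  type        = string
  description = "Object ID of the Service Principal used by GitHub Actions"
}

data "azurerm_subscription" "current" {}

# Custom role limited to the resource group lifecycle.
resource "azurerm_role_definition" "rg_manager" {
  name        = "resource-group-manager" # hypothetical role name
  scope       = data.azurerm_subscription.current.id
  description = "Read, create and delete resource groups only"

  permissions {
    actions = [
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/subscriptions/resourceGroups/write",
      "Microsoft.Resources/subscriptions/resourceGroups/delete",
    ]
    not_actions = []
  }

  assignable_scopes = [data.azurerm_subscription.current.id]
}

# Assigned at subscription scope: a resource group that does not exist yet
# cannot carry a role assignment of its own.
resource "azurerm_role_assignment" "pipeline_rg_manager" {
  scope              = data.azurerm_subscription.current.id
  role_definition_id = azurerm_role_definition.rg_manager.role_definition_resource_id
  principal_id       = var.pipeline_sp_object_id
}
```

This role lets the Service Principal create the group but not the resources inside it; grant those rights separately, scoped to the resource group once it exists.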