3

I have an application (AWX) with a script that is trying to perform an action in Azure (add tags to a VM). In AWX, I get the following error, apparently from Azure: msg: "Error retrieving resource group usw-sys-rg-001 - The client '9d...27' with object id '9d...27' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/83...4a/resourcegroups/usw-sys-rg-001' or the scope is invalid. If access was recently granted, please refresh your credentials."

Seems like a straightforward message. The account/identity/principal being used is not authorized. The problem is, the client id in the error message does not correlate with any credential object I have in AWX. And specifically it doesn't correlate with the Microsoft Azure Resource Manager credential I have in AWX. Not being the author of this AWX playbook, I'm a bit puzzled by all of this.

Since the error appears to come from Azure, and Azure doesn't seem to say that the client id doesn't exist, this makes me think that I should be able to find that identity in Azure (presumably it's a service principal) and inspect its permissions. However, when I filter through the app registrations, I can find no entry with a client id matching the one from the error message above.

How do I find the service principal in Azure Portal? Or is it something else?

I must be looking at this wrong. Does anyone have any pointers? Many thanks.

Joy Wang
208_man

2 Answers

10

First, make sure you are logged in to the correct Azure AD tenant in the portal.

Secondly, navigate to Enterprise applications (not App registrations, because some service principals will not have a corresponding App registration in your AAD tenant, e.g. Managed Identity, etc.) in Azure Active Directory.

Then filter with All Applications like below, input the client id, then you will find it.

enter image description here

Joy Wang
-1

This doesn't appear to work anymore - BUT the main search bar at the top of the portal page searches client IDs now.
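
An added example, not part of the question or either answer: Python that pulls the principal ID, action and scope out of the error text quoted in the question and builds Azure CLI lookups (`az ad sp show`, `az role assignment list`) as a command-line counterpart to the portal search. The GUIDs in the sample message are constructed placeholders, and the function names are this example's own.

```python
import re

GUID = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Layout of the authorization error quoted in the question.
AUTHZ_ERROR = re.compile(
    r"The client '(?P<client>[^']+)' with object id '(?P<object_id>[^']+)' "
    r"does not have authorization to perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'"
)
SCOPE = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)"
    r"(?:/resourcegroups/(?P<resource_group>[^/]+))?", re.I)

def parse_authz_error(message):
    """Return principal, action and scope from the error text, or None."""
    m = AUTHZ_ERROR.search(message)
    if m is None:
        return None
    info = m.groupdict()
    s = SCOPE.match(info["scope"])
    info["subscription"] = s.group("subscription") if s else None
    info["resource_group"] = s.group("resource_group") if s else None
    # When both fields carry the same value, the message identifies the
    # principal by the ID it labels "object id", so search on that value.
    info["same_id"] = info["client"].lower() == info["object_id"].lower()
    return info

def lookup_commands(info):
    """Azure CLI lookups for the principal; empty list if the ID is not a GUID."""
    oid = info["object_id"]
    if not GUID.match(oid):  # never build a command line from unvalidated text
        return []
    return [f"az ad sp show --id {oid}",
            f"az role assignment list --assignee {oid} --all"]

# Constructed sample: the question's message with placeholder GUIDs filled in.
SAMPLE = ("Error retrieving resource group usw-sys-rg-001 - The client "
          "'11111111-1111-1111-1111-111111111111' with object id "
          "'11111111-1111-1111-1111-111111111111' does not have authorization "
          "to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' "
          "over scope '/subscriptions/22222222-2222-2222-2222-222222222222"
          "/resourcegroups/usw-sys-rg-001' or the scope is invalid.")

if __name__ == "__main__":
    parsed = parse_authz_error(SAMPLE)
    print(parsed)
    print("\n".join(lookup_commands(parsed)))
```

The first command shows which service principal (including a managed identity) owns the ID; the second lists the role assignments it holds, which can be compared against the scope named in the error.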