This error occurs when Terraform lacks permission to check Azure resource provider registration status. The service principal needs Microsoft.Resources/subscriptions/providers/read permission at the subscription level, typically granted through Contributor or Reader roles.
The Azure Terraform provider (azurerm) attempts to verify that the required resource providers are registered in your subscription. This authorization check fails when the service principal or user account lacks the permission to read provider registration status. The error corresponds to a 403 Forbidden response from the Azure Resource Manager API.
Run az account show to confirm you're authenticated to the correct subscription and that the Azure subscription ID matches your Terraform configuration. If necessary, run az login to re-authenticate, or az account set --subscription <subscription-id> to switch subscriptions.
In the Azure portal, navigate to Subscriptions > select your subscription > Access control (IAM) > Role assignments. Verify that your service principal (or user account running Terraform) has the Contributor or Reader role assigned at the subscription level, not just at the resource group level. If missing, click Add > Add role assignment and grant Contributor role to your service principal.
If you cannot assign subscription-level permissions, add the skip_provider_registration flag to your azurerm provider block:
provider "azurerm" {
  features {}
  skip_provider_registration = true
}
Note: You'll then need to manually register the required providers via the Azure Portal > Subscriptions > Resource Providers before running Terraform.
Go to Azure Portal > Subscriptions > select your subscription > Resource Providers (left sidebar). Search for providers you plan to use (e.g., Microsoft.Compute, Microsoft.Storage, Microsoft.Web). Select each provider and click Register. This must be done before Terraform attempts to create resources.
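The two checks above (a subscription-scoped role for the principal, and every required resource provider in the Registered state) can be scripted against the JSON that az role assignment list and az provider list print. The following is an added example, not code from the page, from HashiCorp or from Microsoft; the JSON inputs are constructed samples with placeholder IDs, and the treatment of Owner as a role that includes the read permission is an assumption alongside the Contributor and Reader roles the page names.

```python
import json

# Constructed sample of `az role assignment list --all -o json` (placeholder IDs, not real data).
# The Contributor assignment is scoped to a resource group on purpose: it does NOT satisfy
# Microsoft.Resources/subscriptions/providers/read, which is evaluated at subscription scope.
ROLE_ASSIGNMENTS_JSON = """[
  {"principalId": "PLACEHOLDER-SP-OBJECT-ID", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"},
  {"principalId": "PLACEHOLDER-SP-OBJECT-ID", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]"""

# Constructed sample of `az provider list -o json`, trimmed to the two fields used here.
PROVIDERS_JSON = """[
  {"namespace": "Microsoft.Compute", "registrationState": "Registered"},
  {"namespace": "Microsoft.Storage", "registrationState": "NotRegistered"},
  {"namespace": "Microsoft.Web", "registrationState": "Registering"}
]"""

# Roles that include the provider read action. Contributor and Reader are from the page;
# Owner is an assumption (it is a superset of Contributor).
PROVIDER_READ_ROLES = {"Contributor", "Reader", "Owner"}


def subscription_scope_roles(assignments_json, principal_id, subscription_id):
    """Roles the principal holds at exactly the subscription scope.

    Resource-group-scoped assignments are ignored. Assignments inherited from a
    management group are not modelled here (simplification, not Azure behaviour).
    """
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    return {
        a["roleDefinitionName"]
        for a in json.loads(assignments_json)
        if a["principalId"] == principal_id and a["scope"].lower().rstrip("/") == sub_scope
    }


def can_read_provider_registration(assignments_json, principal_id, subscription_id):
    """True if the principal has a subscription-level role covering provider reads."""
    roles = subscription_scope_roles(assignments_json, principal_id, subscription_id)
    return bool(roles & PROVIDER_READ_ROLES)


def unregistered_providers(providers_json, required):
    """Required namespaces that are not yet in the Registered state (Registering counts as not done)."""
    state = {p["namespace"]: p["registrationState"] for p in json.loads(providers_json)}
    return sorted(ns for ns in required if state.get(ns) != "Registered")


def registration_commands(providers_json, required):
    """az CLI commands that would register what is still missing."""
    return [f"az provider register --namespace {ns}" for ns in unregistered_providers(providers_json, required)]
```

Run the real commands with -o json and feed their output to these functions; anything returned by registration_commands must be applied before Terraform is run with skip_provider_registration = true.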
If using service principal authentication, ensure:
- Client ID and Secret are correct
- Client Secret hasn't expired (regenerate if needed)
- Tenant ID matches your Azure tenant
Test with: az login --service-principal -u <client-id> -p <password> --tenant <tenant-id>
If running Terraform in Windows Subsystem for Linux 2, DNS resolution can fail. Create or edit /etc/wsl.conf:
[interop]
appendWindowsPath = true
[network]
generateResolvConf = false
Then edit /etc/resolv.conf to use public DNS:
nameserver 8.8.8.8
nameserver 8.8.4.4
Restart WSL2 with wsl.exe --shutdown from a Windows Command Prompt.
The azurerm provider automatically registers resource providers during initialization. This is a security feature to catch misconfiguration early. If your organization requires tight RBAC controls, use skip_provider_registration and register providers manually via Azure DevOps pipelines or an Infrastructure as Code approval process. Provider registration is subscription-specific; registering a provider in one subscription does not register it in another. Recent versions (3.44.1+) resolved issues where certain subscriptions with special configurations would fail provider listing. If you recently upgraded azurerm, consider downgrading to a known-stable version (e.g., 3.43.0) to isolate whether the issue is version-related.