Internal server error when updating event grid namespace with custom JWT authentication #790

Open
niklasholm opened this issue Feb 25, 2025 · 1 comment

Comments

@niklasholm

I'm trying to configure an Event Grid namespace with custom JWT authentication. I tried multiple times with the same result:

azapi_update_resource.azurerm_eventgrid_namespace_this: Creating...
azapi_update_resource.azurerm_eventgrid_namespace_this: Still creating... [10s elapsed]
azapi_update_resource.azurerm_eventgrid_namespace_this: Still creating... [20s elapsed]
╷
│ Error: Failed to update resource
│
│   with azapi_update_resource.azurerm_eventgrid_namespace_this,
│   on main.tf line 91, in resource "azapi_update_resource" "azurerm_eventgrid_namespace_this":
│   91: resource "azapi_update_resource" "azurerm_eventgrid_namespace_this" {
│
│ updating "Resource: (ResourceId \"/subscriptions/<removed>/resourceGroups/<removed>/providers/Microsoft.EventGrid/namespaces/<removed>\" / Api Version
│ \"2024-12-15-preview\")": PUT
│ https://management.azure.com/subscriptions/<removed>/resourceGroups/<removed>/providers/Microsoft.EventGrid/namespaces/<removed>
│ --------------------------------------------------------------------------------
│ RESPONSE 500: 500 Internal Server Error
│ ERROR CODE: InternalServerError
│ --------------------------------------------------------------------------------
│ {
│   "error": {
│     "code": "InternalServerError",
│     "message": "The operation failed due to an internal server error. The initial state of the impacted resources (if any) are restored. Please try again in few minutes. If error still persists, report f6e0d480-91d3-4e7f-9274-2a051e65093f:2/25/2025 5:29:29 PM (UTC) to our forums for assistance or raise a support ticket ."
│   }
│ }
│ --------------------------------------------------------------------------------

Relevant configuration:

resource "azurerm_eventgrid_namespace" "this" {
  name                = "${local.name}-egn"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name

  identity {
    type = "SystemAssigned"
  }

  topic_spaces_configuration {}

  tags = local.tags
}

resource "azapi_update_resource" "azurerm_eventgrid_namespace_this" {
  type        = "Microsoft.EventGrid/namespaces@2024-12-15-preview"
  resource_id = azurerm_eventgrid_namespace.this.id

  body = {
    properties = {
      topicSpacesConfiguration = {
        clientAuthentication = {
          customJwtAuthentication = {
            issuerCertificates = [
              {
                certificateUrl = azurerm_key_vault_certificate.this.id
                identity = {
                  type = "SystemAssigned"
                }
              }
            ]
            tokenIssuer = "https://${azurerm_linux_web_app.this.default_hostname}/"
          }
        }
      }
    }
  }
}
@ms-henglu
Member

Hi @niklasholm,

Thank you for taking the time to report this issue.

I found from the docs that it requires adding a role assignment in Azure Key Vault for the namespace’s managed identity:
https://learn.microsoft.com/en-us/azure/event-grid/authenticate-with-namespaces-using-json-web-tokens#add-role-assignment-in-azure-key-vault-for-the-namespaces-managed-identity

Please check if the identity has the correct role assignment. If you still encounter the issue, please open an Azure Support ticket.
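
One way to express the role assignment suggested above in the reporter's Terraform configuration, as an added example that is not code from the issue or from the azapi project. It assumes a Key Vault resource named `azurerm_key_vault.this` (not shown in the issue), that the vault uses the Azure RBAC permission model, and that the built-in role `Key Vault Certificate User` is the one the linked doc calls for.

```hcl
# Added example; not part of the issue. azurerm_key_vault.this is an assumed
# resource name (the issue only shows azurerm_key_vault_certificate.this), and
# the vault is assumed to use the Azure RBAC permission model.

# Let the namespace's system-assigned identity read the issuer certificate.
# The role name is an assumption: confirm it against the linked Microsoft doc.
resource "azurerm_role_assignment" "egn_read_issuer_cert" {
  scope                = azurerm_key_vault.this.id
  role_definition_name = "Key Vault Certificate User"
  principal_id         = azurerm_eventgrid_namespace.this.identity[0].principal_id
}

resource "azapi_update_resource" "azurerm_eventgrid_namespace_this" {
  type        = "Microsoft.EventGrid/namespaces@2024-12-15-preview"
  resource_id = azurerm_eventgrid_namespace.this.id

  body = {
    properties = {
      topicSpacesConfiguration = {
        clientAuthentication = {
          customJwtAuthentication = {
            issuerCertificates = [
              {
                certificateUrl = azurerm_key_vault_certificate.this.id
                identity = {
                  type = "SystemAssigned"
                }
              }
            ]
            tokenIssuer = "https://${azurerm_linux_web_app.this.default_hostname}/"
          }
        }
      }
    }
  }

  # Nothing in the body references the role assignment, so without an explicit
  # dependency Terraform may send the PUT before the identity can read the cert.
  depends_on = [azurerm_role_assignment.egn_read_issuer_cert]
}
```

Azure role assignments can take a few minutes to take effect, so the first apply after creating the assignment may still fail and succeed on a retry.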
