1
votes

I am deploying a standard ASP.NET MVC application to an Azure App Service using a VSTS build and release definition. The VSTS instance and the target Azure subscription are on separate Azure accounts/subscriptions, so we have created an Azure AD application and Service Principal account to authorize the deployment.

When adding the Service Principal account to the subscription, it wants us to assign a role.

What is the best and least privileged role that can be used to deploy the site?

1 Answers

1
votes

When adding an Azure Resource Manager Service Endpoint, it mentions:

A new Azure Service Principal will be created and assigned with "Contributor" role, having access to all the resources in the selected subscription.

So, the Contributor role is better.

On the other hand, to configure an Azure RM service endpoint, you must be a member of the Global Admin role in the directory. More information: Insufficient privileges to complete the operation.
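
An added example, not part of the original question or answer: one way to check how broadly a deployment service principal has been granted access, by classifying the scope of each role assignment and flagging broad roles held at subscription level or above. The JSON is constructed sample data in the shape returned by `az role assignment list --all -o json`; the subscription ID, resource names and principal name are placeholders.

```python
import json
import re

# Constructed sample in the shape of `az role assignment list --all -o json`.
# Subscription ID, resource group, site and principal names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = json.dumps([
    {"principalName": "http://vsts-deploy-sp", "roleDefinitionName": "Contributor",
     "scope": SUB},
    {"principalName": "http://vsts-deploy-sp", "roleDefinitionName": "Website Contributor",
     "scope": SUB + "/resourceGroups/web-rg"},
    {"principalName": "http://vsts-deploy-sp", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/web-rg/providers/Microsoft.Web/sites/my-mvc-app"},
])

# Built-in roles that permit writes to every resource type in their scope.
BROAD_ROLES = {"owner", "contributor"}
NARROW_LEVELS = {"resource-group", "resource"}

def scope_level(scope):
    """Classify an ARM scope string by how much of the hierarchy it covers."""
    s = scope.rstrip("/")
    if s == "":
        return "root"
    if re.fullmatch(r"/providers/Microsoft\.Management/managementGroups/[^/]+", s, re.I):
        return "management-group"
    if re.fullmatch(r"/subscriptions/[^/]+", s, re.I):
        return "subscription"
    if re.fullmatch(r"/subscriptions/[^/]+/resourceGroups/[^/]+", s, re.I):
        return "resource-group"
    if re.match(r"/subscriptions/[^/]+/resourceGroups/[^/]+/providers/.+", s, re.I):
        return "resource"
    return "unknown"

def audit(assignments_json):
    """Return one finding per assignment; 'flag' marks a broad role at a broad scope."""
    findings = []
    for a in json.loads(assignments_json):
        level = scope_level(a["scope"])
        broad_role = a["roleDefinitionName"].lower() in BROAD_ROLES
        # Fail closed: any scope not recognised as narrow counts as broad.
        findings.append({"principal": a["principalName"],
                         "role": a["roleDefinitionName"],
                         "level": level,
                         "flag": broad_role and level not in NARROW_LEVELS})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(("REVIEW " if f["flag"] else "ok     ") + f"{f['role']} at {f['level']}")
```
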