I am using an Azure DevOps release pipeline with the 'Azure Resource Group Deployment' task to create a new resource group from an ARM template.
The ARM template contains a role assignment scoped at this new resource group level, such as:
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "name": "[guid(resourceGroup().id)]",
      "apiVersion": "2017-05-01",
      "properties": {
        "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
        "principalId": "[parameters('rgOwnerGroupId')]",
        "scope": "[resourceGroup().id]"
      }
    }
This fails with a permission error:
Authorization failed for template resource '4778ab77-xxxx-xxxx-xxxx-xxxxxxxxxxxx' of type 'Microsoft.Authorization/roleAssignments'. The client '6ced5214-xxxx-xxxx-xxxx-xxxxxxxxxxxx' with object id '6ced5214-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/7a205db1-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/my-resource-group/providers/Microsoft.Authorization/roleAssignments/4778ab77-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.
The user running the task is the DevOps project's user, which appears to have the built-in Contributor role on the newly created resource group. So it kind of makes sense that it does not have permission to assign roles on the resource group. As the creator of the resource group, it is strange that it is only Contributor and not Owner, though being Owner would only be useful for assigning roles in my case.
So how can I embed resource-group-scoped role assignments in the ARM template for a resource group created by the same template?
Is the only solution to grant more permissions to the DevOps project user?
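The permission failure above comes down to how Azure RBAC evaluates an action against the Actions and NotActions of the roles a principal holds at or above the target scope. The following is an added example, not code from the question or from Azure: it models that evaluation for the action named in the error, 'Microsoft.Authorization/roleAssignments/write', using the published Actions/NotActions of the built-in Owner, Contributor and User Access Administrator roles (Contributor's NotActions list is longer in reality; only the Microsoft.Authorization entries matter here). The subscription, resource group and principal identifiers are constructed placeholders, and the three scenarios in demo() are assumptions about how the pipeline's service connection might be granted access, not what the question's tenant actually has.

```python
"""Model of Azure RBAC action evaluation (added example, not from the question or Azure).

Rules implemented, as Azure applies them:
  * an action pattern is case-insensitive and '*' matches any run of characters;
  * a role grants an action when some Actions entry matches and no NotActions
    entry of the SAME role matches (NotActions narrow a role, they are not denies);
  * role assignments are inherited downward through the scope hierarchy.
"""
import re
from dataclasses import dataclass

# The action the deployment was refused, taken from the error message in the question.
ACTION = "Microsoft.Authorization/roleAssignments/write"


@dataclass(frozen=True)
class Role:
    name: str
    actions: tuple
    not_actions: tuple = ()


@dataclass(frozen=True)
class Assignment:
    principal_id: str
    role_definition_id: str  # GUID of the role definition, as in the template's roleDefinitionId
    scope: str               # ARM resource id at which the role is granted


# Built-in role definitions keyed by their well-known GUIDs (same GUIDs used in ARM templates).
BUILTIN_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": Role("Owner", actions=("*",)),
    "b24988ac-6180-42a0-ab88-20f7382dd24c": Role(
        "Contributor",
        actions=("*",),
        not_actions=(  # subset of the real list; these are the entries relevant to role assignments
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ),
    ),
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": Role(
        "User Access Administrator",
        actions=("*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"),
    ),
}


def _matches(pattern: str, action: str) -> bool:
    """Azure RBAC action matching: case-insensitive, '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_grants(role: Role, action: str) -> bool:
    """True when an Actions entry matches and no NotActions entry of the same role matches."""
    allowed = any(_matches(p, action) for p in role.actions)
    excluded = any(_matches(p, action) for p in role.not_actions)
    return allowed and not excluded


def _scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment covers the target if its scope is the target or an ancestor, compared segment-wise
    so that '.../resourceGroups/rg' does not cover '.../resourceGroups/rg-2'."""
    a = assignment_scope.lower().strip("/").split("/")
    t = target_scope.lower().strip("/").split("/")
    return len(a) <= len(t) and t[: len(a)] == a


def can_perform(assignments, roles, principal_id, action, target_scope) -> bool:
    """Effective-permission check: any covering assignment whose role grants the action suffices."""
    for asg in assignments:
        if asg.principal_id.lower() != principal_id.lower():
            continue
        if not _scope_covers(asg.scope, target_scope):
            continue
        role = roles.get(asg.role_definition_id.lower())
        if role is not None and role_grants(role, action):
            return True
    return False


def roles_granting(roles, action):
    """Names of the roles (among those given) that grant the action, sorted."""
    return sorted(r.name for r in roles.values() if role_grants(r, action))


# Constructed identifiers (placeholders, not real Azure ids).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/my-resource-group"
OTHER_RG = SUB + "/resourceGroups/another-resource-group"
# The resource the template tries to create; the error in the question names this kind of scope.
TARGET = RG + "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111"
PIPELINE_SP = "22222222-2222-2222-2222-222222222222"  # hypothetical object id of the pipeline's service principal

OWNER, CONTRIBUTOR, UAA = (
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
)


def demo():
    """Three hypothetical grants for the pipeline principal, checked against the failing action."""
    return {
        "contributor_on_rg": can_perform([Assignment(PIPELINE_SP, CONTRIBUTOR, RG)], BUILTIN_ROLES, PIPELINE_SP, ACTION, TARGET),
        "user_access_admin_on_rg": can_perform([Assignment(PIPELINE_SP, UAA, RG)], BUILTIN_ROLES, PIPELINE_SP, ACTION, TARGET),
        "owner_on_subscription": can_perform([Assignment(PIPELINE_SP, OWNER, SUB)], BUILTIN_ROLES, PIPELINE_SP, ACTION, TARGET),
        "owner_on_other_rg": can_perform([Assignment(PIPELINE_SP, OWNER, OTHER_RG)], BUILTIN_ROLES, PIPELINE_SP, ACTION, TARGET),
    }


if __name__ == "__main__":
    print("roles granting", ACTION, "->", roles_granting(BUILTIN_ROLES, ACTION))
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'allowed' if allowed else 'denied'}")
```

Running it shows that Contributor is excluded from the action by its own NotActions entry 'Microsoft.Authorization/*/Write', while Owner and User Access Administrator both grant it. Of the two, User Access Administrator at resource group scope is the narrower grant, since its Actions are limited to reads plus the Microsoft.Authorization and Microsoft.Support namespaces.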