2 votes

I am setting up a staging environment for my Continuous Deployment. I am using the Azure DevOps service for repositories and pipelines.

I need to add Azure Active Directory login to my Linux VMs. So far I followed this guide. It works on my machine, although when I try to run it on Azure DevOps I get the following error.

2019-04-08T14:54:33.7657868Z ERROR: The client '********-****-****-****-************' with object id '********-****-****-****-************' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/***/resourceGroups/staging-rg/providers/Microsoft.Compute/virtualMachineScaleSets/webscaleset/providers/Microsoft.Authorization/roleAssignments/********-****-****-****-************'.

It seems that my Azure DevOps service connection lacks the roleAssignments/write permission. I cannot figure out how to add it.

2 Answers

5 votes

Easiest way: assign the Owner role to the service principal. You can find it using the service connection page; it has a link to "manage service principal" or something like that.

Alternatively, you can create a custom role that can only do that and assign it to the service principal. This is a bit more secure, but not that much, since with that role you can grant any permissions to anybody.

PowerShell to create the custom role:

# Start from a built-in role definition and turn it into a new custom role
$role = Get-AzRoleDefinition "Virtual Machine Contributor"
$role.Id = $null    # a null Id makes New-AzRoleDefinition create a new role instead of updating the built-in one
$role.Name = "Assign permissions role"
$role.Description = "Allow to assign permissions"
# Replace the inherited actions with the single action the pipeline is missing
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Authorization/roleAssignments/write")
# Make the role assignable in every subscription the current account can see
$role.AssignableScopes.Clear()

Get-AzSubscription | ForEach-Object {
    $scope = "/subscriptions/{0}" -f $_.Id
    $role.AssignableScopes.Add($scope)
}
$def = New-AzRoleDefinition -Role $role

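As an added example (not part of the answer above), the following assigns the custom role created by that script to the pipeline's service principal at the scale set scope that appears in the error message, and then verifies the assignment. The service principal display name is a placeholder; the resource group and scale set names are taken from the question.

```powershell
# Added example, not from the answer above: assign the custom role at the
# narrowest scope the error message names, then verify it was applied.
# Assumptions: "staging-rg" and "webscaleset" come from the question;
# the service principal display name below is a placeholder you must replace.
$spDisplayName = "<your-devops-service-connection-sp>"   # placeholder
$roleName      = "Assign permissions role"                 # created by the answer's script
$subId         = (Get-AzContext).Subscription.Id
$scope         = "/subscriptions/$subId/resourceGroups/staging-rg/providers/Microsoft.Compute/virtualMachineScaleSets/webscaleset"

# Resolve the service connection's service principal object
$sp = Get-AzADServicePrincipal -DisplayName $spDisplayName
if (-not $sp) { throw "Service principal '$spDisplayName' not found" }

# Grant the custom role on the scale set only, not on the whole subscription
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope

# Verify: the pipeline identity should now hold the role at exactly that scope
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Where-Object RoleDefinitionName -eq $roleName |
    Format-Table DisplayName, RoleDefinitionName, Scope
```

Scoping the assignment to the scale set keeps the roleAssignments/write grant, which can hand out any role within its scope, limited to the one resource the deployment actually touches; the role definition itself can still list the subscription in AssignableScopes, since the scale set scope lies inside it.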
0 votes

Grant the below role to the DevOps service principal:

Name: Privileged Role Administrator
Description: Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. In addition, this role allows management of all aspects of Privileged Identity Management.