I have the following Azure DevOps pipelines in two different Azure DevOps projects, one for the infrastructure team and another for the application development team:
- Networking, ACR and AKS Infrastructure provisioning using Terraform
- AKS application deployment using Helm

I don't want to grant the Azure subscription owner account or Azure subscription owner permission to the Azure DevOps service connection.

I have two separate service accounts created, one for each pipeline. Now, what are all the roles to be assigned to the service accounts so that the Azure DevOps projects can use the service accounts/service principals (manual) to connect and perform the activities?

Is this the right way for production deployments?