Status: Closed (mattleibow closed this issue 6 months ago)
@jongio do you have any insights here? Is it because azd needs to create resources at the subscription level?
The most secure way to connect to services is by using Role Based Access Control (RBAC), where your account or a service's "service principal" is given permission to access a service.
In order to connect your account and the services to access other services, you need to create "role assignments".
i.e., for your account to access storage, you need the "storage access" role. For key vault, you need key vault read access, etc.
In order to create the role assignment, the user deploying the template needs "User Access Administrator" or "Owner" roles.
The "Contributor" role isn't enough to create those role assignments.
The best we can do right now is tell you what roles are required, which can be found here: https://github.com/Azure-Samples/azure-search-openai-demo-csharp/blob/main/infra/main.bicep#L423
We are working on ways to make this easier for folks that can't get the User Access Admin or Owner roles.
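The check described in the reply above, as an added example that is not part of the thread or of the sample repository: it evaluates whether a set of held roles grants `Microsoft.Authorization/roleAssignments/write`, the operation a deployment needs in order to create role assignments. The role definitions are constructed excerpts reduced to Actions and NotActions, and the code assumes every role is held at a scope that covers the deployment, with no deny assignments or conditions.

```python
import re

# Constructed excerpts of three built-in role definitions (Actions/NotActions only).
ROLES = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "notActions": [],
    },
}

ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"


def _matches(pattern, operation):
    # '*' is the only wildcard; operation names compare case-insensitively.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_allows(role, operation):
    # A role grants an operation listed in Actions unless NotActions subtracts it.
    granted = any(_matches(p, operation) for p in role["actions"])
    excluded = any(_matches(p, operation) for p in role["notActions"])
    return granted and not excluded


def can_assign_roles(held_roles):
    # NotActions is a subtraction within one role, not a deny: another held
    # role can still grant the operation, so the result is a union over roles.
    return any(role_allows(ROLES[name], ROLE_ASSIGNMENT_WRITE) for name in held_roles)


if __name__ == "__main__":
    for held in (["Contributor"], ["User Access Administrator"], ["Owner"],
                 ["Contributor", "User Access Administrator"]):
        verdict = "can" if can_assign_roles(held) else "cannot"
        print(f"{' + '.join(held)}: {verdict} create role assignments")
```

Contributor matches `*` but loses the operation to `Microsoft.Authorization/*/Write`, which is why creating every other resource succeeds while the role assignments fail.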
Thanks for the response. Marking this issue as closed.
This issue is for a: (mark with an x)
Minimal steps to reproduce
azd up on a subscription where you are just a Contributor
Any log messages given by the failure
Expected/desired behavior
Why is the role needed if I have just created all the resources? This is hard to test and I had to get specific exceptions from more powerful people just to run the demo. Is there a reason the admin permissions are needed?
Since there is a company-wide R&D subscription where I am a Contributor, I feel like I should be able to run the demo without having to ask for more permissions.