Azure / azure-dev

A developer CLI that reduces the time it takes for you to get started on Azure. The Azure Developer CLI (azd) provides a set of developer-friendly commands that map to key stages in your workflow - code, build, deploy, monitor, repeat.
https://aka.ms/azd
MIT License

Command "azd pipeline config" failing due to unauthorized error, even though I'm a contributor to the Azure subscription I'm using #1954

Closed luabud closed 1 year ago

luabud commented 1 year ago

Output from azd version:

azd version 0.8.0-beta.1 (commit 08209da7c22d28c6a123ef4e88d433132066b800)

Describe the bug

I created an empty folder and used the azd init --template Azure-Samples/todo-python-mongo-aca command to initialize my sample application. azd up worked as expected and I got the app deployed. However, when running azd pipeline config, it errored out with the following message:

(base) PS REDACTED\Apps\pycon-azd-todo> azd pipeline config

Configure your azd pipeline

  (✓) Done: Checking current directory for Git repository
  |       |          Creating or updating service principal <REDACTED>
  (x) Failed: Creating or updating service principal <REDACTED>

ERROR: failed to create or update service principal: failed applying role assignment: failed assigning role assignment 'REDACTED' to service principal 'az-dev-04-14-2023-22-56-35' : PUT https://management.azure.com/subscriptions/REDACTED/providers/Microsoft.Authorization/roleAssignments/REDACTED
--------------------------------------------------------------------------------  
RESPONSE 403: 403 Forbidden
ERROR CODE: AuthorizationFailed
--------------------------------------------------------------------------------  
{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client 'REDACTED' with object id 'REDACTED' does not have authorization or an ABAC condition not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/REDACTED/providers/Microsoft.Authorization/roleAssignments/REDACTED' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}
--------------------------------------------------------------------------------  

I double checked and I am a contributor to the subscription I used.

To Reproduce

I ran the following in an empty folder:

azd auth login
azd init --template Azure-Samples/todo-python-mongo-aca
azd up
azd pipeline config

Environment:

vhvb1989 commented 1 year ago

Hello @luabud, thank you for contacting us and creating the issue.

azd pipeline config requires the Owner or User Access Administrator role on the Azure subscription. It also requires permission in the linked Azure Active Directory to register applications (this is usually not a problem).

The Contributor role is not enough for creating/updating service principals.

@rajeshkamal5050, this is not a blocker, but we can make azd check the user's roles and return an error up front if the required roles are missing.

rajeshkamal5050 commented 1 year ago

Removing blocker based on above and keeping it for GA to improve the error handling/messaging.

luabud commented 1 year ago

That makes sense, thanks for the info!

savannahostrowski commented 1 year ago

@wbreza Is this now fixed?

rajeshkamal5050 commented 1 year ago

Change was reverted - https://github.com/Azure/azure-dev/pull/2288

wbreza commented 1 year ago

> @wbreza Is this now fixed?

@savannahostrowski / @rajeshkamal5050 With the change in #2218, azd pipeline config will automatically attempt to include both Contributor and User Access Administrator, which resolves provisioning failures caused by insufficient privileges on the service principal.

However, if the user creating the service principal does not have permission to create role assignments, then the azd pipeline config command will still fail, and they may need to reuse an existing service principal or have an admin create one with the correct permissions.

BBITWestin commented 10 months ago

I've confirmed I have User Access Administrator and am a Contributor on the subscription, but I am still running into the same error. How can I check if I have permission in the linked Azure Active Directory to register applications?
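The two privileges named in the thread (vhvb1989's and wbreza's comments) and the question BBITWestin asks about the directory-side check can be verified before running azd pipeline config. The script below is an added example, not code from azd or from anyone in this thread. It assumes the Azure CLI (a version where az ad signed-in-user show returns an id field) and a completed az login; the role names it matches on are the built-in ones, and the Microsoft Graph authorizationPolicy and memberOf endpoints it queries are what the live part reads. The check functions take plain text so they can be exercised without talking to Azure; only run_live_checks calls az.

```shell
#!/bin/sh
# Added example (not azd code): pre-flight check for azd pipeline config.
# Contributor carries Microsoft.Authorization/*/Write in its NotActions, so it
# cannot write role assignments; that is the 403 AuthorizationFailed in the issue.

# Return 0 if the newline-separated list of role names on stdin contains one
# of the built-in roles that can write role assignments at subscription scope.
# (A custom role granting Microsoft.Authorization/roleAssignments/write would
# also work but is not detected here.)
has_role_assignment_write() {
    grep -qxE 'Owner|User Access Administrator'
}

# Return 0 if app registration is allowed for this user.
#   $1: value of defaultUserRolePermissions.allowedToCreateApps ("true"/"false")
#       from the tenant's Graph authorization policy
#   $2: newline-separated directory role names assigned to the user
can_register_apps() {
    allowed="$1"
    dir_roles="$2"
    if [ "$allowed" = "true" ]; then
        return 0
    fi
    printf '%s\n' "$dir_roles" | grep -qxE \
        'Application Developer|Application Administrator|Cloud Application Administrator|Global Administrator'
}

# Gather the real inputs from Azure and report. Requires `az login`.
run_live_checks() {
    sub="$(az account show --query id -o tsv)"
    me="$(az ad signed-in-user show --query id -o tsv)"

    # Direct and inherited assignments, including those via group membership.
    roles="$(az role assignment list --assignee "$me" \
        --scope "/subscriptions/$sub" --include-inherited --include-groups \
        --query '[].roleDefinitionName' -o tsv)"
    if printf '%s\n' "$roles" | has_role_assignment_write; then
        echo "OK: can write role assignments on /subscriptions/$sub"
    else
        echo "MISSING: need Owner or User Access Administrator on /subscriptions/$sub"
        echo "         current roles: $(printf '%s' "$roles" | tr '\n' ',')"
    fi

    # Tenant-wide switch: can ordinary members register applications?
    allowed="$(az rest --method get \
        --url 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy' \
        --query 'defaultUserRolePermissions.allowedToCreateApps' -o tsv)"
    # Directory roles held by the signed-in user.
    dir_roles="$(az rest --method get \
        --url 'https://graph.microsoft.com/v1.0/me/memberOf/microsoft.graph.directoryRole' \
        --query 'value[].displayName' -o tsv)"
    if can_register_apps "$allowed" "$dir_roles"; then
        echo "OK: can register applications in the directory"
    else
        echo "MISSING: app registration is restricted for members and no qualifying directory role is held"
    fi
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Run it as `sh azd-preflight.sh --live` after az login. If the first check reports MISSING, the 403 in the issue is expected regardless of Contributor; if the second does, an admin must either flip the tenant policy or have the service principal created for you.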