Feature Request: Add Builtin Roles for operating container app jobs

[rhuanbarreto]

Is your feature request related to a problem? Please describe.
Today there's no builtin role that allows a user or a service principal to trigger container app jobs.

Describe the solution you'd like.
I would like to have a builtin azure rbac role that I could assign to Service Principals or system-assigned managed identity so they could trigger job executions.

Describe alternatives you've considered.
Today I've created a custom role with the following 3 actions:

• microsoft.app/jobs/start/action
• microsoft.app/jobs/stop/action
• microsoft.app/jobs/read

And assigned it. it just works.

[anthonychu]

Related/duplicate #780

This is still under consideration and there's no ETA at the moment.

[jeremyaltman]

@rhuanbarreto just to confirm, you added those 3 permissions to a custom role, and a user was able to start container app jobs that are typically set to run on a schedule? Did that user have any other roles assigned as well? I've been trying to get this working to no avail. I even updated the custom role (assigned at the subscription level) to include the following permissions, but that still did not allow them to start container app jobs manually:

• microsoft.app/jobs/start/action
• microsoft.app/jobs/stop/action
• microsoft.app/jobs/read
• microsoft.app/containerapps/read
• microsoft.app/containerapps/stop/action
• microsoft.app/containerapps/start/action
• microsoft.app/containerapps/revisions/deactivate/action
• microsoft.app/containerapps/revisions/activate/action
• microsoft.app/containerapps/revisions/restart/action
• microsoft.app/containerapps/revisions/read
• microsoft.app/containerapps/revisions/replicas/read

Only after over-provisioning the user with the Contributor role finally granted them access to start them manually. I even opened a ticket with Azure support, but it went ignored for over a week and when they finally did reach out, they simply told me that they don't support custom roles at all.

[rhuanbarreto]

My trigger type is "Manual". So I use those 3 roles and it works.

[jparta]

@jeremyaltman Have you checked network access thoroughly? I've sometimes had a network access look like a permissions issue because of a vague error message.

[ltutar]

My trigger type is "Manual". So I use those 3 roles and it works.

I also used these 3 roles for "manual" and gave the access on subscription level but it is not working in my case. I can not click on "Run now".

@jeremyaltman Were you able to get it working without giving the contributor role?

Also the new built-in role "Container Apps Jobs Operator" is not working. See https://github.com/maciejporebski/azure-rbac-change-tracking/blob/main/roles/b9a307c4-5aa3-4b52-ba60-2b17c136cd7b.json

The built-in role "Container Apps Jobs Contributor" is working but the user can do more than just start/stop/read Container App Job.