We used AzureResourceGroupDeployment@2 in our AzureRM validation task and got Forbidden errors. We granted the identity the Contributor role before, and the pipeline worked successfully. But now the Contributor role cannot be granted to our managed identity due to some security issues. What role or permission should we grant to the managed identity?
Environment type (Please select at least one environment where you face this issue)
[ ] Self-Hosted
[X] Microsoft Hosted
[ ] VMSS Pool
[ ] Container
Azure DevOps Server type
dev.azure.com (formerly visualstudio.com)
Azure DevOps Server Version (if applicable)
No response
Operating system
Windows11
Relevant log output
Checking if the following resource group exists: RG_Lore_prod_WestUS2.
Resource group exists: true.
Creating deployment parameters.
The detected encoding for file 'D:\a\_work\1\s\azure\arm-base.template.json' is 'utf-8'
The detected encoding for file 'D:\a\_work\1\s\azure\arm-base.parameters-prod.json' is 'utf-8'
Starting template validation.
Deployment name is arm-base-20240604-053421-a411
(node:7716) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
##[error]Check out the troubleshooting guide to see if your issue is addressed: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops#troubleshooting
##[error]Template validation failed. Error: "Multiple error occurred: Forbidden,Forbidden,Forbidden,Forbidden,Forbidden. Please see details.".
Finishing: Validate ARM Template
New issue checklist
Task name
No response
Task version
No response
Repro steps
No response
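As an added example (not from the reporter and not part of the AzureResourceGroupDeployment task), the script below derives a resource-group-scoped custom role definition from the resource types an ARM template declares, as a least-privilege alternative to Contributor. It assumes that template validation needs the generic deployment actions plus read/write on each resource type in the template; the sample template, subscription id and role name are constructed placeholders.

```python
import json

# Constructed sample template (not the reporter's arm-base.template.json); the
# nested "blobServices" child uses the relative type form ARM allows inside a parent.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01", "name": "stexample",
         "resources": [{"type": "blobServices", "apiVersion": "2023-01-01", "name": "default"}]},
        {"type": "Microsoft.Web/serverfarms", "apiVersion": "2022-09-01", "name": "plan-example"},
    ],
}

# Actions assumed necessary for any deployment or validation run at resource-group scope.
DEPLOYMENT_ACTIONS = [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/read",
    "Microsoft.Resources/deployments/write",
    "Microsoft.Resources/deployments/validate/action",
    "Microsoft.Resources/deployments/operationstatuses/read",
]

def resource_types(resources, parent=None):
    """Yield fully qualified resource types, expanding nested child resources."""
    for res in resources:
        rtype = res["type"]
        if parent and "/" not in rtype:          # relative child type, e.g. "blobServices"
            rtype = f"{parent}/{rtype}"
        yield rtype
        yield from resource_types(res.get("resources", []), parent=rtype)

def required_actions(template):
    """Deployment actions plus read/write on every resource type the template declares."""
    actions = set(DEPLOYMENT_ACTIONS)
    for rtype in resource_types(template.get("resources", [])):
        actions.add(f"{rtype}/read")
        actions.add(f"{rtype}/write")
    return sorted(actions)

def build_role_definition(template, subscription_id, resource_group, name="ARM Template Validator"):
    """Custom role in the JSON shape accepted by `az role definition create`, assignable only to one RG."""
    scope = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    return {
        "Name": name, "IsCustom": True,
        "Description": "Least-privilege role for validating one template into one resource group",
        "Actions": required_actions(template),
        "NotActions": [], "DataActions": [], "NotDataActions": [],
        "AssignableScopes": [scope],
    }

if __name__ == "__main__":
    print(json.dumps(build_role_definition(SAMPLE_TEMPLATE, "00000000-0000-0000-0000-000000000000",
                                           "RG_Lore_prod_WestUS2"), indent=2))
```

Save the output as role.json, create it with `az role definition create --role-definition role.json`, and assign it to the managed identity at the resource-group scope; if validation still reports Forbidden, the activity log shows which action was denied so it can be added.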