microsoft / finops-toolkit

Tools and resources to help you adopt and implement FinOps capabilities that automate and extend the Microsoft Cloud.
https://aka.ms/finops/toolkit
MIT License

FinOps hubs documented permissions prerequisites are insufficient for a successful deployment #783

Closed helderpinto closed 4 months ago

helderpinto commented 4 months ago

⚠️ Problem

The FinOps hubs permissions prerequisites documented here are not sufficient for a successful deployment. When validating a template deployment made by a user owning only the documented permissions/roles, the Azure portal throws errors such as the ones below:

The client 'user@tenant' with object id 'guid' does not have permission to perform action 'Microsoft.Resources/deploymentScripts/write' at scope 'ARM id'.

or

The client 'user@tenant' with object id 'guid' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope 'ARM id'.

🛠️ Solution

Update the aforementioned documentation with the following additional roles:

  1. Custom role containing the Microsoft.Resources/deploymentScripts/write permission (there is no granular built-in role for this permission). Alternatively, suggest using the Contributor role, which includes this permission and all resource-specific Contributor roles.
  2. Role Based Access Control Administrator - required to grant permissions to FinOps hubs managed identities.
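The two errors quoted in the issue are a good fit for an offline check before anyone clicks Deploy. The block below is an added example, not code from the FinOps toolkit or from the issue author: it models how Azure RBAC evaluates an action against a set of role definitions (case-insensitive match, `*` wildcard, and each role's NotActions subtracting only from that role's own Actions) and reports which of the two required actions a given set of roles fails to cover. The role definitions are trimmed, hand-copied versions of the built-in Contributor and Role Based Access Control Administrator roles and should be re-checked against `az role definition list` before relying on them; the custom role name is a hypothetical placeholder for the custom role the issue proposes.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleDefinition:
    """A minimal Azure RBAC role definition: name, Actions and NotActions."""
    name: str
    actions: tuple[str, ...]
    not_actions: tuple[str, ...] = ()


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action matching: case-insensitive, '*' matches any run of
    characters (including '/'), and the whole string must match."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_permits(role: RoleDefinition, action: str) -> bool:
    """A role grants an action if some entry in Actions matches and no entry
    in that same role's NotActions matches. NotActions are not a deny: they
    only narrow this role, another assigned role can still grant the action."""
    allowed = any(action_matches(p, action) for p in role.actions)
    excluded = any(action_matches(p, action) for p in role.not_actions)
    return allowed and not excluded


def missing_actions(roles: list[RoleDefinition], required: tuple[str, ...]) -> list[str]:
    """Required actions that none of the assigned roles grants."""
    return [a for a in required if not any(role_permits(r, a) for r in roles)]


# The two actions the portal reported as missing in the issue.
FINOPS_HUBS_REQUIRED = (
    "Microsoft.Resources/deploymentScripts/write",
    "Microsoft.Authorization/roleAssignments/write",
)

# Trimmed copy of the built-in Contributor role (assumption: hand-copied from
# memory, NotActions abbreviated; verify with `az role definition list`).
CONTRIBUTOR = RoleDefinition(
    name="Contributor",
    actions=("*",),
    not_actions=(
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
    ),
)

# Trimmed copy of the built-in Role Based Access Control Administrator role
# (assumption: same caveat as above).
RBAC_ADMINISTRATOR = RoleDefinition(
    name="Role Based Access Control Administrator",
    actions=(
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "*/read",
        "Microsoft.Support/*",
    ),
)

# Hypothetical custom role carrying only the deployment-scripts permission,
# the first option the issue proposes (name is a placeholder).
DEPLOYMENT_SCRIPTS_CUSTOM = RoleDefinition(
    name="FinOps Hubs Deployment Scripts (custom, hypothetical)",
    actions=("Microsoft.Resources/deploymentScripts/write",),
)


def report(label: str, roles: list[RoleDefinition]) -> list[str]:
    """Print and return the gaps for one candidate set of role assignments."""
    gaps = missing_actions(roles, FINOPS_HUBS_REQUIRED)
    status = "OK" if not gaps else "MISSING " + ", ".join(gaps)
    print(f"{label:45s} {status}")
    return gaps


if __name__ == "__main__":
    report("Contributor only", [CONTRIBUTOR])
    report("RBAC Administrator only", [RBAC_ADMINISTRATOR])
    report("Contributor + RBAC Administrator", [CONTRIBUTOR, RBAC_ADMINISTRATOR])
    report("Custom deploymentScripts role + RBAC Admin", [DEPLOYMENT_SCRIPTS_CUSTOM, RBAC_ADMINISTRATOR])
```

The point the check makes visible is why both roles are needed: Contributor's `*` covers `Microsoft.Resources/deploymentScripts/write`, but its NotActions entry `Microsoft.Authorization/*/Write` carves out `roleAssignments/write`, and nothing in Role Based Access Control Administrator matches `deploymentScripts/write`. To test a real principal rather than a model, pull the assigned roles with `az role assignment list --assignee <principal> --include-inherited` and feed their definitions into `missing_actions`.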

helderpinto commented 4 months ago

I can implement the changes myself. I just need to be sure about the docs structure to follow.

flanakin commented 4 months ago

Thanks for finding and volunteering! 😊 Look for the /docs/_reporting/hubs/template.md file. The README.md file in that same folder may also have a reference. (I haven't checked.)