Missing instructions on how to configure Service Principal permissions/roles in Azure

[TechWatching]

Problem description

• There is nothing in the documentation about what permissions should be used for service principal. It's something that's quickly come when setting up Continuous Delivery through Azure DevOps for example as deloying infrastructure won't work without specifying specific roles and permissions for the Service Principal

• I had trouble finding this information that I was expected to find on the following pages:

  • https://www.pulumi.com/docs/intro/cloud-providers/azure/setup/#creating-a-service-principal
  • https://www.pulumi.com/docs/guides/continuous-delivery/azure-devops/

• When using a specific component like Assignment, I would expect the API Reference documentation to indicates what role or permission the Azure account or service principal I use will need to deploy this component.

Suggestions for a fix

• Even if the instructions do not cover all the cases or if it is not possible to indicate everywhere in the API Reference what permissions/roles are needed there should be basic guidance on how to configure the Service Principal

• Some thought on guidance to give:

  • If the infrastructure use an existing resource group, give roles to the SP on the resource group scope
  • If the infrastructure creates resource groups, give roles to the SP on the subscription scope where the resources have to be created
  • Service Principal should have the Contributor role
  • If Application registrations are created in the stack, Service Principal should have the permission Application.ReadWrite.OwnedBy of the Azure Active Directory Graph API (might change depending on this issue https://github.com/terraform-providers/terraform-provider-azuread/issues/193)
  • If group or user role assignment are done in the stack (often needed to give permissions on the created resources), the role User Access Administrator should be given to the Service Principal
  • See if there are other permissions commonly needed in infrastructure stacks that should be specified in the documentation

[interurban]

adding to this week's triage

[interurban]

Hi @mikhailshilkov Wondering if you have time this sprint to help with this issue; its quite old so perhaps some of this is no longer an issue?

[mikhailshilkov]

@thomas11 Tangential, but it could be a nice thing to add on top of your recent authentication changes?