There is nothing in the documentation about what permissions should be used for the service principal. This comes up quickly when setting up Continuous Delivery through Azure DevOps, for example, as deploying infrastructure won't work without specifying specific roles and permissions for the Service Principal.
I had trouble finding this information, which I expected to find on the following pages:
When using a specific component like Assignment, I would expect the API Reference documentation to indicate what role or permission the Azure account or service principal I use will need to deploy this component.
Suggestions for a fix
Even if the instructions do not cover all the cases, or if it is not possible to indicate everywhere in the API Reference what permissions/roles are needed, there should be basic guidance on how to configure the Service Principal.
Some thoughts on guidance to give:
If the infrastructure uses an existing resource group, give roles to the SP on the resource group scope
If the infrastructure creates resource groups, give roles to the SP on the subscription scope where the resources have to be created
Service Principal should have the Contributor role
If group or user role assignments are done in the stack (often needed to give permissions on the created resources), the role User Access Administrator should be given to the Service Principal
See if there are other permissions commonly needed in infrastructure stacks that should be specified in the documentation
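The scope and role guidance suggested in this issue, as an added example that is not part of the original issue or of the project's documentation: a shell function that prints the `az role assignment create` commands for each case so they can be reviewed before anyone runs them. The function name `plan_sp_roles`, its arguments and the sample IDs are assumptions made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: prints the `az role assignment create` commands implied by the
# guidance in this issue. Nothing is executed; review the output, then run it.
# plan_sp_roles and its argument order are hypothetical, not a project tool.

# usage: plan_sp_roles <sp-app-id> <subscription-id> <existing-rg|creates-rg> <rg-name|-> <yes|no>
#   last argument: does the stack itself create role assignments?
plan_sp_roles() {
  _sp="$1"; _sub="$2"; _mode="$3"; _rg="$4"; _assigns="$5"
  case "$_mode" in
    existing-rg)
      # Narrowest scope that works: only the resource group the stack deploys into.
      [ -n "$_rg" ] && [ "$_rg" != "-" ] || {
        echo "error: existing-rg needs a resource group name" >&2; return 2; }
      _scope="/subscriptions/$_sub/resourceGroups/$_rg" ;;
    creates-rg)
      # Creating resource groups requires rights at the subscription scope.
      _scope="/subscriptions/$_sub" ;;
    *)
      echo "error: mode must be existing-rg or creates-rg" >&2; return 2 ;;
  esac
  # Contributor lets the SP create and manage resources inside the scope.
  printf 'az role assignment create --assignee %s --role "Contributor" --scope %s\n' \
    "$_sp" "$_scope"
  # Contributor cannot write role assignments, so a stack that grants access to
  # users or groups also needs User Access Administrator at the same scope.
  if [ "$_assigns" = "yes" ]; then
    printf 'az role assignment create --assignee %s --role "User Access Administrator" --scope %s\n' \
      "$_sp" "$_scope"
  fi
}

# Constructed sample values (placeholders, not real IDs or resource names).
SP="00000000-0000-0000-0000-000000000001"
SUB="00000000-0000-0000-0000-0000000000aa"
plan_sp_roles "$SP" "$SUB" existing-rg rg-app-prod yes
plan_sp_roles "$SP" "$SUB" creates-rg - no
```

User Access Administrator allows the service principal to grant roles to any identity within the scope, so it is only emitted when the stack actually performs role assignments.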