How To Use Service principal To Assign A Role To Another Service Principal

How can I give a service principal access to assign a role to a resource it created?


Here's the scenario.

I...

  • Created an Azure DevOps pipeline
  • Created a Service Connection (which creates a service principal and grants it Contributor access to the entire subscription).
  • Created a pipeline task AzureCLI@1 using the service connection
  • Executed az group create … - SUCCESS - made a resource group!
  • Executed az group deployment create … - SUCCESS - deployed some stuff!
    • ^-- (Unless I do any role assignments as part of my ARM template)
  • Executed az role assignment create … - FAILURE

ERROR: Insufficient privileges to complete the operation.


I tried making the service principal Owner instead of Contributor. No difference.

This made me understand (kinda) why: Azure Service principal insufficient permissions to manage other service principals

Which led me here: https://docs.microsoft.com/en-ca/azure/devops/pipelines/release/azure-rm-endpoint?view=azure-devops#failed-to-assign-contributor-role


But I'm a little stuck. I think I'm supposed to grant my service principal some sort of role within active directory so that it's allowed to manage role assignments.

I found this: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-delegate-by-task#roles-and-administrators

Based on that, it seems I should give my service principal Privileged role administrator access. Scary.

Then I found this: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Because I wanted to limit this service principal to only be able to flex the active directory powers within a single subscription, which seems to be possible in the AssignableScopes property.


But two things are giving me pause, which brings me here.

1) I'm relatively unfamiliar with what I'm doing, and I'm tossing around big scary terms like Administrator (shudder). Time to consult some experts!

2) This seems complex. The task I'm performing seems like it should not be complex. I'm just trying to deploy AKS and a Container Registry in an Azure Pipeline and give AKS access to the registry. Which is what all the docs say to do (albeit at the commandline, not in a pipeline).


So, should I really be creating a custom role just for the subscription which gives Privileged role administrator type privileges assignable only to the subscription, then granting my service principal that role?

Or... How do I do this?


EDIT:

I did try creating a custom role with action Microsoft.Authorization/write. It failed with this error: 'Microsoft.Authorization/write' does not match any of the actions supported by the providers.

But I succeeded in creating one with action Microsoft.Authorization/*/write as well as Microsoft.Authorization/*

My .json definition looks like:

{
  "Name": "...", "Description": "...", "IsCustom": true,
  "Actions": [ "Microsoft.Authorization/*" ],
  "AssignableScopes": [
    "/subscriptions/[subscriptionid]"
  ]
}

After assigning the role to the service principal, it still failed with insufficient access. I logged in locally via az login --service-principal, tried to use my new powers, and got this message:

The client '...' with object id '...' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/.../Microsoft.Authorization/read' over scope '/subscriptions/.../resourceGroups/.../.../providers/Microsoft.Authorization/roleDefinitions' or the scope is invalid. If access was recently granted, please refresh your credentials.


EDIT: SOLUTION

{
  "Name": "...", "Description": "...", "IsCustom": true,
  "Actions": [ 
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write"
  ],
  "AssignableScopes": [
    "/subscriptions/[subscriptionid]"
  ]
}

This works with az role definition create.

The service principal also needs to be a Directory Reader, unless you specify the role assignment by object-id. See: Azure Active Directory: Add Service Principal to Directory Readers Role with PowerShell

It can be assigned to the service principal, and when executing az commands as that service principal, it succeeds in creating role assignments.

Josh Avatar asked Sep 15 '19 23:09


1 Answer

You need to grant it the Microsoft.Authorization/roleAssignments/write custom permission or the built-in role of Owner. The scope would be the subscription if you want to be able to do that for every resource group/resource in the subscription, or you can be more granular (say specific resource groups or even resources).

Your custom role link is the right way to create custom roles.

Edit: OP needed to add Microsoft.Authorization/roleAssignments/read as well; for me it works without it.

4c74356b41 Avatar answered Oct 29 '22 17:10
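As an added illustration (not code from the question or the answer), here is a small Python model of how Azure RBAC evaluates a role definition's Actions, NotActions and AssignableScopes against one operation. It uses Azure's documented semantics (the `*` wildcard matches any run of characters, operation names compare case-insensitively); the subscription id and resource-group name are constructed placeholders, and the Contributor entry is only the subset of that built-in role relevant here.

```python
import re
from dataclasses import dataclass, field

@dataclass
class RoleDefinition:
    """The parts of an Azure RBAC role definition that decide an authorization check."""
    name: str
    actions: list
    not_actions: list = field(default_factory=list)
    assignable_scopes: list = field(default_factory=list)

def _matches(pattern: str, operation: str) -> bool:
    # Azure RBAC: '*' matches any run of characters (including '/'); names are case-insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None

def action_allowed(role: RoleDefinition, operation: str) -> bool:
    """Allowed when some Action matches and no NotAction subtracts it again."""
    if not any(_matches(p, operation) for p in role.actions):
        return False
    return not any(_matches(p, operation) for p in role.not_actions)

def scope_assignable(role: RoleDefinition, scope: str) -> bool:
    """A custom role can only be assigned at, or below, one of its AssignableScopes."""
    s = scope.lower().rstrip("/")
    for a in role.assignable_scopes:
        a = a.lower().rstrip("/")
        if s == a or s.startswith(a + "/"):
            return True
    return False

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder id
# Relevant subset of the built-in Contributor role: every action, minus authorization writes.
CONTRIBUTOR = RoleDefinition("Contributor (subset)", ["*"],
                             ["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write"])
# The over-broad first attempt from the question.
BROAD = RoleDefinition("Role Assigner (broad)", ["Microsoft.Authorization/*"], assignable_scopes=[SUB])
# The least-privilege definition from the accepted solution.
NARROW = RoleDefinition("Role Assigner (narrow)",
                        ["Microsoft.Authorization/roleAssignments/read",
                         "Microsoft.Authorization/roleAssignments/write"],
                        assignable_scopes=[SUB])

def compare(operation: str) -> dict:
    """Which of the three roles would permit the operation."""
    return {r.name: action_allowed(r, operation) for r in (CONTRIBUTOR, BROAD, NARROW)}

if __name__ == "__main__":
    print(compare("Microsoft.Authorization/roleAssignments/write"))
    print(compare("Microsoft.Authorization/roleDefinitions/write"))
```

Running it shows why Contributor could not create role assignments (its NotActions subtract every Microsoft.Authorization write), and that `Microsoft.Authorization/*` also grants roleDefinitions/write, which the two-action role from the solution does not.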