while running terraform with default contributor permission from Azure DevOps you end up with this error when you try to create a role assignment.
In our case, we are using the service principal for Azure DevOps.
let see how to create a custom role with minimum permission to avoid this error.
Choose subscription “Access control (IAM) – Add – Add custom role –
Clone a role – Contributor
Friendly name for the custom role – aks custom role
Delete this “Microsoft.Authorization/*/Write from NoAction.
choose next finish. In Assignable scopes, if you want the same custom role on different subscriptions you need to include them.
Now let’s use the custom role created and add service principal to the custom role
add role assignment – role – aks custom role – select the service principal you want to use.
Choose to add.
Solution #1 –
The quick solution is to change the service principal to Owner permission on the subscription and give legacy graph permission. This is one way of doing it. but certainly not a recommended way. Custom role to give minimum permission to achieve the same. without owner permission on the subscription.
Choose Application Permission – Application.ReadWrite.OwnedBy
Add Permission and click on “Grant Admin Consent”