Hey,
I have an application registration to grant a Terraform pipeline access to Azure. The application registration has the Contributor role on subscription scope. But Terraform now needs to be able to assign roles inside a resource group that was created by the Terraform pipeline. Since I also don't have more than the Contributor role, I can't just try out what works for this case. I requested to get the Role Based Access Control Administrator role added for the app registration on subscription scope, since it seems that this role has the "Authorization/roleAssignments/write" action in its permissions. But I still get the following error:
Failed to add {securityPrincipal} as {role} for {scope} : The client '{clientName}' with object id '{objectId}' does not have authorization or an ABAC condition not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/{subscriptionId}/Microsoft.Authorization/roleAssignments/{roleAssignmentId}' or the scope is invalid. If access was recently granted, please refresh your credentials.
Do I have to configure a role assignment condition for the Role Based Access Control Administrator in order to be able to use the role assignments write action, and do I have to use tags to make it work?
Would it be possible to just create a custom role for the application registration with the "Authorization/roleAssignments/write" permission and use this for the app registration, so I can ignore the role assignment conditions?
Is there maybe any other way / best practice to manage the permissions of the application registration, so that it can be avoided that Terraform ends up with a role that has permissions it does not need?
I am pretty new to the Azure cloud, so I don't even know if I am on the right track.
It would be really helpful if someone could point me in the right direction.
Thanks :)
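The delegation pattern the question touches on (Role Based Access Control Administrator at subscription scope with a role assignment condition that limits which roles the pipeline may assign or remove), as an added Terraform example that is not from the original post; `subscription_id`, `pipeline_principal_object_id` and the allowed-role list are assumptions:

```hcl
# Added example: grant the pipeline's service principal RBAC Administrator at
# subscription scope, but constrain (via an ABAC condition) the role definitions
# it may assign or remove. Variable names and the allowed-role list are assumed.
variable "subscription_id" {}
variable "pipeline_principal_object_id" {}

# Look up the built-in roles the pipeline is allowed to hand out.
data "azurerm_role_definition" "reader" {
  name = "Reader"
}

data "azurerm_role_definition" "blob_contributor" {
  name = "Storage Blob Data Contributor"
}

locals {
  # The condition language expects bare role definition GUIDs, so strip the
  # "/providers/Microsoft.Authorization/roleDefinitions/" prefix from each id.
  allowed_role_ids = join(", ", [
    basename(data.azurerm_role_definition.reader.id),
    basename(data.azurerm_role_definition.blob_contributor.id),
  ])
}

resource "azurerm_role_assignment" "pipeline_rbac_admin" {
  scope                = "/subscriptions/${var.subscription_id}"
  role_definition_name = "Role Based Access Control Administrator"
  principal_id         = var.pipeline_principal_object_id
  condition_version    = "2.0"

  # Every action of the role is allowed except roleAssignments/write and delete,
  # which are allowed only when the role being assigned/removed is on the list.
  condition = <<-EOT
    (
      (!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}))
      OR
      (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_ids}})
    )
    AND
    (
      (!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'}))
      OR
      (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.allowed_role_ids}})
    )
  EOT
}
```

Constraining the assignable roles is the least-privilege lever here: a custom role or an unconditioned RBAC Administrator assignment that carries `Microsoft.Authorization/roleAssignments/write` can assign any role at its scope, including Owner.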