Github Actions, Deploy ARM template with Microsoft.Authorization/roleAssignments

Question

i ve been trying to deploy an ARM template with Github Actions and keep falling into the same problem no matter what I tried:

Authorization failed for template resource '...' of type 'Microsoft.Authorization/roleAssignments'. The client '...' with object id '...' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/***/resourceGroups/ds-rgc/providers/Microsoft.Storage/storageAccounts/myStorageName/providers/Microsoft.Authorization/roleAssignments/...'

The failure reason is obvious and I don't think it has anything to do with Github but with the application I created...:

I registered an app with Azure App Registration, created a secret and end up with the credentials object:

  {
    "clientId": "<GUID>",
    "clientSecret": "<GUID>",
    "subscriptionId": "<GUID>",
    "tenantId": "<GUID>",
  }

I added that as a secret in Github, tested the login with an action and everything worked great. The problem appeared only when I tried to assign roles in the ARM template.

Worth mentioning that the same template with the correct role assignments runs perfectly from Azure Custom deployment.

This cost me a few hours already, but honestly I cannot find a way to elevate the permissions of the app and add 'Microsoft.Authorization/roleAssignments/write' permission or the 'User Access Administrator' role...

Any ideas?

Answer 1

It seems I was too tired...

I had to go my Subscription (because that was the scope of my template) > Access control (IAM) > Add role assignment > find User Access Administrator > click Next > select User, group, or service principal > click +Select members > type the apps name > select it from the list > click Select and then Review + Assign.

Done...