This message was deleted.
# azures
sparse-intern-71089
04/27/2020, 2:21 PMThis message was deleted.
m
millions-journalist-34868
04/27/2020, 2:29 PMAs my ressource group is created through pulumi, I had to give the contributor role on my subscription to the SP. However it seems it's not enough for creating an app registration in AD.
b
better-rainbow-14549
04/27/2020, 3:11 PM'contributor' can do anything except change permissions, 'owner' can do that
better-rainbow-14549
04/27/2020, 3:12 PMand yeah it's a question we're worrying about also, we have segregated CI service principals for pulumi to act as but they can't even really create a resource group so its a chicken and egg situation
better-rainbow-14549
04/27/2020, 3:13 PMwe're leaning towards having one stack which creates all the resource groups and gives another service principal owner over them individually
better-rainbow-14549
04/27/2020, 3:13 PMthen the actual resource stacks act on one resource group alone
m
millions-journalist-34868
04/28/2020, 7:18 AMI see, interesting way of handling this. However, it has some limitations, for instance when I think of projects where ressources for one environment are split in multiple ressource groups, I don't want one SP by RG. And I don't want all my projects for different clients to be in the same global stack.
I ended up giving the permission that was missing ("Azure Active Directory : Application.ReadWrite.") to my SP and letting him the Contributor role on my subscription. It seemed to be the easiest for me if I want it to be able to create and populate my RG.
3 Views