Benjamin

Reputation: 443

What permissions does an Azure service principal need to call the New-AzSubscriptionAlias PowerShell function?

I'm trying to create subscriptions through an Azure DevOps pipeline on a hosted agent running as a service principal and am receiving the error:

New-AzSubscriptionAlias: /home/vsts/work/1/s/Azure.Automation/Subscriptions/Create-AzureSubscription.ps1:190
Line |
 190 |  $subscription = New-AzSubscriptionAlias `
     |                  ~~~~~~~~~~~~~~~~~~~~~~~~~
     | Operation returned an invalid status code 'Unauthorized'

How do I grant the service principal the required access?

Upvotes: 0

Views: 2102

Answers (3)

PatrickLu-MSFT

Reputation: 51103

You need to use the AzureRmRoleAssignment cmdlet to assign that service principal an Owner role.

We tracked it down to two missing permissions required by the underlying New-AzureRmRoleAssignment cmdlet that is called by the task -

  • The Service Principal (SPN) used by Azure DevOps to connect to your Azure subscription requires the Owner role
  • The same SPN also requires Read directory data permissions to your Azure AD

There is also a 3rd-party Azure Role Based Access Control task you could use in your azure devops pipeline.

For a more step-by-step tutorial, please refer to this blog: Service Principal considerations when using Azure DevOps to manage RBAC on Azure Resource Groups

Upvotes: 0

Carl Zhao

Reputation: 9529

If you need to use a service principal to create a subscription, then you must grant the service principal the Azure RBAC owner role.

You can use the New-AzRoleAssignment command to assign the owner role to your service principal.

To specify a user, use the SignInName or Azure AD ObjectId parameter. To specify a security group, use the Azure AD ObjectId parameter. To specify an Azure AD application, use the ApplicationId or ObjectId parameter. The role being assigned must be specified with the RoleDefinitionName parameter.

Upvotes: 0

Krzysztof Madej

Reputation: 40663

As it is written in Programmatically create Azure subscriptions with the latest APIs:

You must have an Owner role on an Enrollment Account to create a subscription. There are two ways to get the role:

  • The Enterprise Administrator of your enrollment can make you an Account Owner (sign in required) which makes you an Owner of the Enrollment Account.
  • An existing Owner of the Enrollment Account can grant you access. Similarly, to use a service principal to create an EA subscription, you must grant that service principal the ability to create subscriptions.

Upvotes: 1
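The two answers above describe the same procedure from different angles: assign the Owner role to the service principal with New-AzRoleAssignment (Carl Zhao's answer), and do it at the scope that actually governs subscription creation, the EA enrollment account (Krzysztof Madej's answer). The script below is an added example written for this page, not code from the question, the answers or Microsoft's documentation. It assumes the Az.Accounts, Az.Resources, Az.Billing and Az.Subscription modules are installed and that the session running it is signed in as an existing Owner of the enrollment account. The application ID, the enrollment-account owner's sign-in name, the billing-account path and the alias/subscription names are placeholders to be replaced with your own values.

```powershell
# Added example: grant a pipeline service principal Owner on an EA enrollment
# account, verify the assignment, and show the call the pipeline then makes.
# Placeholders (replace with your own values):
$appId        = "00000000-0000-0000-0000-000000000000"   # the pipeline SPN's application (client) ID
$eaOwnerLogin = "ea-owner@contoso.com"                   # PrincipalName of the enrollment account
$billingScope = "/providers/Microsoft.Billing/billingAccounts/<billingAccountName>/enrollmentAccounts/<enrollmentAccountName>"

# 1. Resolve the service principal. New-AzRoleAssignment wants the object ID of the
#    service principal, not the application ID, so look it up first.
$sp = Get-AzADServicePrincipal -ApplicationId $appId
if (-not $sp) { throw "No service principal with application ID $appId in this tenant" }

# 2. Resolve the enrollment account. Get-AzEnrollmentAccount only returns accounts the
#    signed-in identity can see, so an empty result means you are not signed in as an
#    Account Owner (or as someone who was granted access to the enrollment account).
$ea = Get-AzEnrollmentAccount | Where-Object { $_.PrincipalName -eq $eaOwnerLogin }
if (-not $ea) { throw "Enrollment account for $eaOwnerLogin is not visible to the signed-in user" }
$eaScope = "/providers/Microsoft.Billing/enrollmentAccounts/$($ea.ObjectId)"

# 3. Assign Owner at the enrollment-account scope. Owner on a subscription or resource
#    group does not help here: the 'Unauthorized' response from New-AzSubscriptionAlias
#    comes from the billing side, which checks this scope. Skip the call if the
#    assignment already exists so the script can be re-run safely.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName Owner -Scope $eaScope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName Owner -Scope $eaScope | Out-Null
    Write-Host "Granted Owner on $eaScope to $($sp.DisplayName)"
} else {
    Write-Host "$($sp.DisplayName) already holds Owner on $eaScope"
}

# 4. Confirm from the SPN's point of view. This is the check to run in the pipeline
#    (after Connect-AzAccount -ServicePrincipal) before attempting subscription creation.
$check = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $eaScope |
    Where-Object { $_.RoleDefinitionName -eq 'Owner' }
if (-not $check) { throw "Owner assignment on the enrollment account did not take effect" }

# 5. The call that previously failed, as the pipeline makes it once the SPN is an Owner
#    of the enrollment account. -BillingScope takes the billing-account form of the
#    enrollment-account path (placeholder above), not the legacy enrollmentAccounts/<objectId> scope.
$subscription = New-AzSubscriptionAlias -AliasName "sub-team-a-prod" `
    -SubscriptionName "Team A Prod" `
    -BillingScope $billingScope `
    -Workload Production
$subscription
```

Two practical points: role assignments at the enrollment-account scope do not show up in the portal's subscription or resource-group IAM blades, so Get-AzRoleAssignment with the explicit -Scope is the reliable way to confirm them; and Owner at this scope lets the principal create new subscriptions and make itself Owner of them, so the pipeline's service principal should be dedicated to this job rather than a general-purpose deployment identity.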
