RAhul Debnath

Reputation: 11

What RBAC role or access is needed to attach a Shared Image Gallery to a DevTest lab? The Shared Image Gallery and the DevTest lab are in different subscriptions

What RBAC role or access is needed to attach a Shared Image Gallery to a DevTest lab? The Shared Image Gallery and the DevTest lab are in different subscriptions.

I am trying to deploy a DevTest lab using an ARM template via Terraform. While deploying, it says that the service principal has an invalid scope. As per the error, write access is needed. Can we not deploy with read access over the Shared Image Gallery?

Upvotes: 1

Views: 595

Answers (1)

SwethaKandikonda

Reputation: 8254

According to this document, Shared Image Galleries provide sharing across subscriptions and Active Directory tenants using Azure RBAC. It is recommended to provide read access to your users at the Shared Image Gallery level.

If it is across Azure tenants, try it this way:

  1. Create the app registration.
  2. Give the app registration permission to use the Shared Image Gallery.
  3. Set "Role" to "Reader".
  4. Set "Assign access to" to "Azure AD user, group, or service principal".
  5. Under "Select", type the name, select it when it shows up in the list, and then save it.

You can refer to the below image for a better understanding:

[image]

For giving Tenant 2 access:

  1. Set "Role" to "Contributor".
  2. Set "Assign access to" to "Azure AD user, group, or service principal".
  3. Under "Select", type the name, select it when it shows up in the list, and then save it.

You can refer to the below image for a better understanding:

[image]

For more information, please refer to this document.

Upvotes: 1
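
An added example, not part of the original question or answer: an offline check of which roles a service principal effectively holds on the gallery, including assignments inherited from a parent resource group or subscription. It assumes input shaped like `az role assignment list --all -o json` output; every ID, name and scope below is a constructed placeholder, and the function names are hypothetical.

```python
# Constructed placeholders (not values from the thread).
GALLERY_SUB = "/subscriptions/aaaaaaaa-0000-0000-0000-000000000001"
LAB_SUB = "/subscriptions/bbbbbbbb-0000-0000-0000-000000000002"
GALLERY_ID = (GALLERY_SUB + "/resourceGroups/rg-images/providers/"
              "Microsoft.Compute/galleries/sharedGallery")
DEPLOY_SP = "11111111-1111-1111-1111-111111111111"  # SP used by the deployment
OTHER_SP = "22222222-2222-2222-2222-222222222222"

# Shaped like entries from `az role assignment list --all -o json` (fields trimmed).
SAMPLE_ASSIGNMENTS = [
    {"principalId": DEPLOY_SP, "roleDefinitionName": "Reader", "scope": GALLERY_ID},
    {"principalId": DEPLOY_SP, "roleDefinitionName": "Contributor",
     "scope": LAB_SUB + "/resourceGroups/rg-lab"},
    {"principalId": OTHER_SP, "roleDefinitionName": "Contributor", "scope": GALLERY_SUB},
]


def scope_covers(scope, resource_id):
    """True if an assignment made at `scope` is inherited by `resource_id`.

    Azure resource IDs are case-insensitive, and a scope only covers IDs that
    continue after a '/' boundary (rg-images must not match rg-images2).
    """
    s = scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return s == "" or r == s or r.startswith(s + "/")


def effective_roles(assignments, principal_id, resource_id):
    """Sorted (role, scope) pairs that apply to the principal on the resource.

    Direct assignments only: group membership, deny assignments and
    conditions are not evaluated here.
    """
    return sorted(
        (a["roleDefinitionName"], a["scope"])
        for a in assignments
        if a["principalId"].lower() == principal_id.lower()
        and scope_covers(a["scope"], resource_id)
    )


def has_role(assignments, principal_id, resource_id, role):
    """True if the principal holds `role` on the resource, directly or inherited."""
    return any(r == role for r, _ in effective_roles(assignments, principal_id, resource_id))


if __name__ == "__main__":
    for role, scope in effective_roles(SAMPLE_ASSIGNMENTS, DEPLOY_SP, GALLERY_ID):
        print(f"{role:12} via {scope}")
```

Running the same check against the lab's subscription shows whether the principal's write access stops at the lab while its access to the gallery stays read-only.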
