Muhammad_Bilal

Reputation: 183

How to grant a service principal permissions to run Get-AzRoleAssignment from an Azure DevOps pipeline?

I want to get information about a service principal in an Azure PowerShell task in my DevOps pipeline using Get-AzRoleAssignment. Also, after getting the role assignment, I want to run New-AzRoleAssignment.

But I get this error:

[Authorization_RequestDenied] : Insufficient privileges to complete the operation

The DevOps service principal has Contributor rights in the subscription. I have created a custom role but am unsure as to what permissions to assign to it so that I can run the command in my pipelines. My user account is Subscription Owner.

Upvotes: 0

Views: 637

Answers (1)

Kim Xu-MSFT

Reputation: 2206

In order to assign roles, you need to have the "Owner" role in this Azure subscription: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin

The Contributor role for this service principal is not enough. Assign this service principal an Azure Subscription Owner role.

The Azure PowerShell task is not using your user account's role permissions; it is using the role permissions of the corresponding service principal.

Upvotes: 1
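
A narrower alternative to Owner for the custom role the question mentions, as an added example that is not part of the question or the answer above: a role carrying only the role-assignment actions, created and assigned by a user who is already Owner. The role name and the `<subscription-id>` and `<sp-object-id>` placeholders are assumptions.

```powershell
# Added example, not from the original thread.
# Run interactively as a user who is Owner on the subscription (not from the pipeline).
# Placeholders: replace before running.
$subscriptionId = "<subscription-id>"   # placeholder
$spObjectId     = "<sp-object-id>"      # placeholder: object ID of the DevOps service principal
$scope          = "/subscriptions/$subscriptionId"
$roleName       = "Pipeline Role Assignment Operator"   # hypothetical role name

# Start from a built-in definition and strip it down, the pattern used for custom roles.
$role = Get-AzRoleDefinition -Name "Reader"
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = $roleName
$role.Description = "Read and create role assignments from the pipeline."

# Keep only the actions behind Get-AzRoleAssignment and New-AzRoleAssignment.
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Authorization/roleAssignments/read")
$role.Actions.Add("Microsoft.Authorization/roleAssignments/write")

# The role can only be assigned inside this scope.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)

$created = New-AzRoleDefinition -Role $role

# Grant the custom role to the service principal, in addition to Contributor.
New-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionId $created.Id -Scope $scope

# Confirm what the service principal now holds at this scope.
Get-AzRoleAssignment -ObjectId $spObjectId -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```

`Microsoft.Authorization/roleAssignments/write` lets the principal grant any role inside the assignable scope, so keep that scope as narrow as the pipeline allows, for example a resource group instead of the whole subscription.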
