Define what role should be assigned to the service principal in the documentation

[tgquan67]

Describe your use-case which is not covered by existing documentation.

In the prerequisites section of the documentation, it did not mention what kind of role or API permission should be assigned to the service principal. Is this an implicit requirement to assign the Owner role to it? And if that's the case, shouldn't we limit the amount of privilege this service principal is given to the bare minimum?

Reference any relevant documentation, other materials or issues/pull requests that can be used for inspiration.

No response

[timja]

if you can figure out what the permission is required and add to the documentation that would be helpful.

Contributor definitely works.

You may be able to get away with Virtual Machine Contributor but that would need testing

[tgquan67]

I guess I will need to test that out. Owner and Contributor are out, they give too much privilege.

[tgquan67]

So far it's working for me by assigning the service principal with Virtual Machine Contributor on subscription scope and Contributor on a resource group scope (the resource group where the VMs are deployed). The network, subnet and security group were created beforehand when I was making the template, so I just reused those.

[timja]

Why did you need Virtual Machine Contributor on the subscription scope?

[tgquan67]

Err, in the documentation it did not mention the scope, so I assumed that it was on the subscription scope?

[timja]

it should only need it on the resource group