Creating a Custom Role for Secure Bicep Deployments in Azure

Published at
12/3/2024
Categories
roledefinition
azure
bicep
deployment
Author
latzo

When deploying Azure resources with Bicep, you might have encountered the need for elevated permissions to create role assignments. By default, assigning roles during deployments requires high-level permissions like Owner at the subscription or resource group level. This setup can be concerning, as it grants more permissions than are necessary for the task.

To tackle this, I created a custom Azure role that has just the required permissions for creating role assignments. This ensures deployments remain secure and adhere to the principle of least privilege.

Why Use a Custom Role?

Instead of assigning broad roles like Owner or Contributor, a custom role enables you to:

  1. Limit permissions to only what’s necessary.
  2. Improve security by minimizing access rights.
  3. Maintain compliance with organizational governance policies.

Here’s how you can create a custom role that allows Bicep deployments to create role assignments without requiring Owner access.

Step-by-Step Guide to Creating the Custom Role

To create the custom role, you can use the Azure PowerShell module. Below is a script that defines and deploys the custom role.

# Requires the Az.Resources module and a signed-in session (Connect-AzAccount / Set-AzContext)
# Define a new custom role with the required permissions, using Contributor as a template
$role = Get-AzRoleDefinition Contributor
$role.Id = $null # Set ID to null so New-AzRoleDefinition creates a new role instead of updating Contributor
$role.Name = "Role Assignment Creator"
$role.Description = "Can create role assignments during ARM/Bicep deployments"
$role.Actions.Clear() # Clear inherited permissions
$role.NotActions.Clear() # Clear inherited NotActions
$role.Actions.Add("Microsoft.Authorization/roleAssignments/write")
$role.Actions.Add("Microsoft.Resources/deployments/write")
$role.Actions.Add("Microsoft.Resources/deployments/read")
$role.Actions.Add("Microsoft.Resources/deployments/operationStatuses/read")
$role.AssignableScopes.Clear() # Clear existing scopes
$role.AssignableScopes.Add("/subscriptions/<subscriptionID>") # Replace <subscriptionID> with your subscription ID

# Create the custom role definition
New-AzRoleDefinition -Role $role

# Verify the new role definition
Get-AzRoleDefinition -Name "Role Assignment Creator"


Key Permissions Explained

Microsoft.Authorization/roleAssignments/write allows the creation of role assignments.
Microsoft.Resources/deployments/write grants permission to create deployments.
Microsoft.Resources/deployments/read enables read access to deployments.
Microsoft.Resources/deployments/operationStatuses/read allows reading deployment operation statuses.

These actions cover the necessary permissions for Bicep deployments involving role assignments, without granting broader access like Owner.

Assigning the Custom Role

After creating the role, you can assign it to a specific user, group, or service principal using the Azure portal, CLI, or PowerShell.

New-AzRoleAssignment -ObjectId <principalId> -RoleDefinitionName "Role Assignment Creator" -Scope "/subscriptions/<subscriptionID>"

Replace <principalId> with the object ID of the user or service principal you want to assign the role to.
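The following PowerShell script is an added example and not part of the original post: once the role has been created and assigned, it reads the definition back and checks it against the four actions listed above (no wildcard actions, no extra or missing actions, no data-plane actions, assignable scope limited to the subscription), then lists who holds the role. The role name and the <subscriptionID> placeholder are the ones used in this post; the variable names and finding messages are assumptions. Keep in mind that Microsoft.Authorization/roleAssignments/write lets its holder create any role assignment within the assignable scope, including Owner, so holders of this custom role deserve the same review as Owners.

```powershell
# Added example: post-creation audit of the "Role Assignment Creator" custom role.
# Assumes the Az.Resources module, a signed-in session (Connect-AzAccount), and the
# same role name and <subscriptionID> placeholder used in the post.
$roleName       = "Role Assignment Creator"
$subscriptionId = "<subscriptionID>"   # placeholder, replace with your subscription ID
$expectedScope  = "/subscriptions/$subscriptionId"

# The exact control-plane actions the role is supposed to carry (from the post).
$expectedActions = @(
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Resources/deployments/write",
    "Microsoft.Resources/deployments/read",
    "Microsoft.Resources/deployments/operationStatuses/read"
)

$role = Get-AzRoleDefinition -Name $roleName
if (-not $role) { throw "Role '$roleName' not found; create it first." }

$findings = [System.Collections.Generic.List[string]]::new()

# 1. No wildcard actions: "*" or "Microsoft.Authorization/*" would silently widen the role.
foreach ($a in $role.Actions) {
    if ($a.Contains("*")) { $findings.Add("Wildcard action present: $a") }
}

# 2. Actions must match the expected set exactly (no extras, nothing missing).
$extra   = $role.Actions    | Where-Object { $_ -notin $expectedActions }
$missing = $expectedActions | Where-Object { $_ -notin $role.Actions }
foreach ($a in $extra)   { $findings.Add("Unexpected action: $a") }
foreach ($a in $missing) { $findings.Add("Missing action: $a") }

# 3. No data-plane actions should have crept in.
if ($role.DataActions.Count -gt 0) { $findings.Add("DataActions are not empty") }

# 4. Assignable scope stays limited to the intended subscription.
foreach ($s in $role.AssignableScopes) {
    if ($s -ne $expectedScope) { $findings.Add("Unexpected assignable scope: $s") }
}

# 5. Who holds the role? roleAssignments/write lets a holder grant any role within
#    scope, Owner included, so direct user assignments are flagged for review;
#    groups or service principals are easier to govern and rotate.
$holders = Get-AzRoleAssignment -RoleDefinitionName $roleName -Scope $expectedScope
foreach ($h in $holders) {
    if ($h.ObjectType -eq "User") {
        $findings.Add("Role assigned directly to a user ($($h.DisplayName)); prefer a group or service principal")
    }
}

"Holders of '$roleName':"
$holders | Select-Object DisplayName, ObjectType, ObjectId, Scope | Format-Table -AutoSize

if ($findings.Count -eq 0) {
    "OK: role definition matches the expected least-privilege shape."
} else {
    "Findings:"
    $findings | ForEach-Object { " - $_" }
}
```

Running this after New-AzRoleDefinition and New-AzRoleAssignment gives you a repeatable check that the role still has only the four intended actions and that nobody has quietly widened its scope or added an action, which is the kind of drift a pipeline identity with role-assignment rights is most exposed to.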

Creating a custom role like this provides a more secure and fine-grained approach to handling deployments in Azure. By defining the exact permissions needed, you can minimize security risks and ensure compliance with best practices.

If you have similar requirements or insights into role definitions, feel free to share in the comments!
