Replies: 1 comment
What-if essentially needs every permission needed as if you were doing a real deployment, which makes sense since it tries to emulate a real deployment. Terraform plan does not need more than Reader because its cloud-agnostic nature means that it retrieves data on the source before generating the plan locally, which is the complete opposite of Bicep, which leverages ARM templates and the ARM service. (Which IMO is preferable because you can detect permission issues in advance.) So the best practice is to use the service connection you will be using for the real deployment, since that is the only option.
Hi team,
I would like to ask you to shed light on my question about the minimum list of Azure role permissions for the Bicep what-if and validate actions.
I have set up Azure DevOps Service Connections with User-assigned Managed Identity in an Azure subscription and the Workload Identity OIDC auth scheme for Bicep IaC CI/CD pipeline.
I started with a bicep template which creates only a single resource group.
And I have given the subscription's "Reader" role and the following permissions to the user-assigned managed identity under the target subscription scope for the purpose of the "What-If" and "Validation" actions, since those actions required "action" permissions:
Next, I used the following bicep template, which has some more resources other than a single resource group, but I got an error at the bottom of this post.
In summary, it says that much more "write" permissions are required such as:
According to this behavior, it seems we likely need to give every "write" permission of our deployed resources to the identity running in the CI pipeline, even though the "validate" and "what-if" actions do not actually deploy any resources under the target subscription.
So, I'm curious about whether this understanding is correct or not, or if I'm making a mistake?
Because Terraform plan does not require such permissions and "Reader" role is quite enough for "plan" action.
Also, please give the best practice or guidance for minimum permissions for the CI pipeline identity to run the "what-if" and "validate" actions of a Bicep ARM deployment.
Hope you can give me some nice ideas to approach this problem.
Thanks in advance.
The detailed error log is as below.
Running: az deployment sub validate --location eastus --template-file infra/main.bicep --parameters infra/main.dev.bicepparam --no-prompt
ERROR: {"code": "InvalidTemplateDeployment", "message": "Deployment failed with multiple errors: 'Authorization failed for template resource 't7mwmgm5ekz6u-core' of type 'Microsoft.Resources/deployments'. The client '9c4be63d-87e1-4857-8d3c-ce62206fd82a' with object id '9c4be63d-87e1-4857-8d3c-ce62206fd82a' does not have permission to perform action 'Microsoft.Resources/deployments/write' at scope '/subscriptions/4bf56649-891b-4a0b-abd2-616721e04011/resourceGroups/rg-devops-bicep-cicd-core/providers/Microsoft.Resources/deployments/t7mwmgm5ekz6u-core'.:Authorization failed for template resource 't7mwmgm5ekz6u-devops-bicep-cicd' of type 'Microsoft.Resources/deployments'. The client '9c4be63d-87e1-4857-8d3c-ce62206fd82a' with object id '9c4be63d-87e1-4857-8d3c-ce62206fd82a' does not have permission to perform action 'Microsoft.Resources/deployments/write' at scope '/subscriptions/4bf56649-891b-4a0b-abd2-616721e04011/resourceGroups/rg-devops-bicep-cicd-workload/providers/Microsoft.Resources/deployments/t7mwmgm5ekz6u-devops-bicep-cicd'.:Authorization failed for template resource 'tzm6skcysxhfo-kv' of type 'Microsoft.Resources/deployments'. The client '9c4be63d-87e1-4857-8d3c-ce62206fd82a' with object id '9c4be63d-87e1-4857-8d3c-ce62206fd82a' does not have permission to perform action 'Microsoft.Resources/deployments/write' at scope '/subscriptions/4bf56649-891b-4a0b-abd2-616721e04011/resourceGroups/rg-devops-bicep-cicd-core/providers/Microsoft.Resources/deployments/tzm6skcysxhfo-kv'.:Authorization failed for template resource 'vnet-tzm6skcysxhfo' of type 'Microsoft.Resources/deployments'. 
The client '9c4be63d-87e1-4857-8d3c-ce62206fd82a' with object id '9c4be63d-87e1-4857-8d3c-ce62206fd82a' does not have permission to perform action 'Microsoft.Resources/deployments/write' at scope '/subscriptions/4bf56649-891b-4a0b-abd2-616721e04011/resourceGroups/rg-devops-bicep-cicd-core/providers/Microsoft.Resources/deployments/vnet-tzm6skcysxhfo'.:Authorization failed for template resource 'pdnsz-tzm6skcysxhfo' of type 'Microsoft.Resources/deployments'. The client '9c4be63d-87e1-4857-8d3c-ce62206fd82a' with object id '9c4be63d-87e1-4857-8d3c-ce62206fd82a' does not have permission to perform action 'Microsoft.Resources/deployments/write' at scope '/subscriptions/4bf56649-891b-4a0b-abd2-616721e04011/resourceGroups/rg-devops-bicep-cicd-core/providers/Microsoft.Resources/deployments/pdnsz-tzm6skcysxhfo'.:Authorization failed for template resource 'uami-tzm6skcysxhfo' of type 'Microsoft.Resources/deployments'. The client '9c4be63d-87e1-4857-8d3c-ce62206fd82a' with object id '9c4be63d-87e1-4857-8d3c-ce62206fd82a' does not have permission to perform action 'Microsoft.Resources/deployments/write' at scope '/subscriptions/4bf56649-891b-4a0b-abd2-616721e04011/resourceGroups/rg-devops-bicep-cicd-core/providers/Microsoft.Resources/deployments/uami-tzm6skcysxhfo'.:Authorization failed for template resource '46d3xbcp.res.network-virtualnetwork.0-1-1.qcnx' of type 'Microsoft.Resources/deployments'. The client '9c4be63d-87e1-4857-8d3c-ce62206fd82a' with object id '9c4be63d-87e1-4857-8d3c-ce62206fd82a' does not have permission to perform action 'Microsoft.Resources/deployments/write' at scope '/subscriptions/4bf56649-891b-4a0b-abd2-616721e04011/resourceGroups/rg-devops-bicep-cicd-core/providers/Microsoft.Resources/deployments/46d3xbcp.res.network-virtualnetwork.0-1-1.qcnx'.:Authorization failed for template resource 'vnet-devops-bicep-cicd' of type 'Microsoft.Network/virtualNetworks'. 
The client '9c4be63d-87e1-4857-8d3c-ce62206fd82a' with object id '9c4be63d-87e1-4857-8d3c-ce62206fd82a' does not have permission to perform action 'Microsoft.Network/virtualNetworks/write' at scope '/subscriptions/4bf56649-891b-4a0b-abd2-616721e04011/resourceGroups/rg-devops-bicep-cicd-core/providers/Microsoft.Network/virtualNetworks/vnet-devops-bicep-cicd'.:Authorization failed for template resource 'qcnxldpdl5xq4-subnet-0' of type 'Microsoft.Resources/deployments'. The client '9c4be63d-87e1-4857-8d3c-ce62206fd82a' with object id '9c4be63d-87e1-4857-8d3c-ce62206fd82a' does not have permission to perform action 'Microsoft.Resources/deployments/write' at scope '/subscriptions/4bf56649-891b-4a0b-abd2-616721e04011/resourceGroups/rg-devops-bicep-cicd-core/providers/Microsoft.Resources/deployments/qcnxldpdl5xq4-subnet-0'.:Authorization failed for template resource '46d3xbcp.res.managedidentity-userassignedidentity.0-1-2.pjfw' of type 'Microsoft.Resources/deployments'. The client '9c4be63d-87e1-4857-8d3c-ce62206fd82a' with object id '9c4be63d-87e1-4857-8d3c-ce62206fd82a' does not have permission to perform action 'Microsoft.Resources/deployments/write' at scope '/subscriptions/4bf56649-891b-4a0b-abd2-616721e04011/resourceGroups/rg-devops-bicep-cicd-core/providers/Microsoft.Resources/deployments/46d3xbcp.res.managedidentity-userassignedidentity.0-1-2.pjfw'.:Authorization failed for template resource 'uami-devops-bicep-cicd' of type 'Microsoft.ManagedIdentity/userAssignedIdentities'. 
The client '9c4be63d-87e1-4857-8d3c-ce62206fd82a' with object id '9c4be63d-87e1-4857-8d3c-ce62206fd82a' does not have permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/write' at scope '/subscriptions/4bf56649-891b-4a0b-abd2-616721e04011/resourceGroups/rg-devops-bicep-cicd-core/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uami-devops-bicep-cicd'.:Authorization failed for template resource 'vnet-devops-bicep-cicd/default' of type 'Microsoft.Network/virtualNetworks/subnets'. The client '9c4be63d-87e1-4857-8d3c-ce62206fd82a' with object id '9c4be63d-87e1-4857-8d3c-ce62206fd82a' does not have permission to perform action 'Microsoft.Network/virtualNetworks/subnets/write' at scope '/subscriptions/4bf56649-891b-4a0b-abd2-616721e04011/resourceGroups/rg-devops-bicep-cicd-core/providers/Microsoft.Network/virtualNetworks/vnet-devops-bicep-cicd/subnets/default'.'"}
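As an added example (not from the post or the reply), the script below parses an `az deployment ... validate` error line of the shape quoted above into the distinct RBAC actions that were denied and builds an `az role definition create` body from them, so the gap between "Reader" and what validate actually checks can be measured from the log. The error line is constructed with placeholder client and subscription ids; the `denied_actions` and `custom_role` names are mine.

```python
import json
import re

# Constructed sample in the shape of the az CLI error in the post. The client id,
# subscription id and resource names are placeholders, not values from the page.
CLIENT = "00000000-0000-0000-0000-000000000001"
SUB = "/subscriptions/00000000-0000-0000-0000-0000000000aa"
DENIALS = [  # (template resource, resource type, denied action, scope suffix)
    ("core", "Microsoft.Resources/deployments", "Microsoft.Resources/deployments/write",
     "/resourceGroups/rg-core/providers/Microsoft.Resources/deployments/core"),
    ("workload", "Microsoft.Resources/deployments", "Microsoft.Resources/deployments/write",
     "/resourceGroups/rg-workload/providers/Microsoft.Resources/deployments/workload"),
    ("vnet", "Microsoft.Network/virtualNetworks", "Microsoft.Network/virtualNetworks/write",
     "/resourceGroups/rg-core/providers/Microsoft.Network/virtualNetworks/vnet"),
    ("vnet/default", "Microsoft.Network/virtualNetworks/subnets",
     "Microsoft.Network/virtualNetworks/subnets/write",
     "/resourceGroups/rg-core/providers/Microsoft.Network/virtualNetworks/vnet/subnets/default"),
]
MESSAGE = "Deployment failed with multiple errors: '" + ":".join(
    f"Authorization failed for template resource '{res}' of type '{typ}'. The client "
    f"'{CLIENT}' with object id '{CLIENT}' does not have permission to perform action "
    f"'{action}' at scope '{SUB}{suffix}'."
    for res, typ, action, suffix in DENIALS) + "'"
SAMPLE_CLI_LINE = "ERROR: " + json.dumps({"code": "InvalidTemplateDeployment", "message": MESSAGE})

# One ARM authorization failure: the denied action and the scope it was denied at.
DENIED_RE = re.compile(
    r"does not have permission to perform action '(?P<action>[^']+)' at scope '(?P<scope>[^']+)'")


def denied_actions(cli_line: str) -> dict[str, set[str]]:
    """Map each RBAC action denied in one 'ERROR: {...}' line to the scopes it was denied at."""
    payload = json.loads(cli_line.split("ERROR: ", 1)[-1])
    denied: dict[str, set[str]] = {}
    for m in DENIED_RE.finditer(payload["message"]):
        denied.setdefault(m.group("action"), set()).add(m.group("scope"))
    return denied


def custom_role(name: str, denied: dict[str, set[str]]) -> dict:
    """Build a custom role definition body (az role definition create format) granting
    exactly the denied actions, assignable at the subscriptions the scopes belong to.
    It covers only what this run reported; the next run may reveal further actions."""
    subs = {scope.split("/resourceGroups/", 1)[0] for scopes in denied.values() for scope in scopes}
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Actions that az deployment validate/what-if reported as denied",
        "Actions": sorted(denied),
        "NotActions": [],
        "AssignableScopes": sorted(subs),
    }
```

Because validate and what-if report write permissions for every resource the template touches, the generated role converges on the deployment role itself, which is the reply's point.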