⚠️ Problem
The FinOps hubs permissions prerequisites documented here are not sufficient for a successful deployment. When validating a template deployment made by a user owning only the documented permissions/roles, the Azure portal throws errors such as the ones below:
```text
The client 'user@tenant' with object id 'guid' does not have permission to perform action 'Microsoft.Resources/deploymentScripts/write' at scope 'ARM id'.
```
or
```text
The client 'user@tenant' with object id 'guid' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope 'ARM id'.
```
🛠️ Solution
Update the aforementioned documentation with the following additional roles:
- Custom role containing the Microsoft.Resources/deploymentScripts/write permission (there is no granular built-in role for this permission). Alternatively, suggest using the Contributor role, which includes this permission and all resource-specific Contributor roles.
- Role Based Access Control Administrator - required to grant permissions to FinOps hubs managed identities.
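As an added illustration of the two roles requested above (example script, not part of the issue and not taken from the FinOps toolkit's own docs or deployment scripts), the snippet below builds the one-action custom role as an Azure role definition, then emits the two `az role assignment create` commands that give the deploying user that role plus Role Based Access Control Administrator at the target resource group. The role name, resource group name, the `RUN_AZ` guard and the all-zero/all-one GUIDs are placeholders chosen for this example; nothing is sent to Azure unless `RUN_AZ=1` is set.

```shell
#!/bin/sh
# Added example: the minimum extra RBAC a FinOps hubs deployer needs on top of
# the documented roles, expressed as az CLI calls. Assumes az CLI is installed
# and logged in when RUN_AZ=1; otherwise the script only prints what it would run.
set -eu

# Custom role carrying only the action the documented roles lack.
# $1 = subscription id (assignable scope), $2 = role name (placeholder name).
role_definition_json() {
  cat <<EOF
{
  "Name": "$2",
  "Description": "Lets a FinOps hubs deployer create deployment scripts (no granular built-in role covers this action).",
  "Actions": [
    "Microsoft.Resources/deploymentScripts/write"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/$1"
  ]
}
EOF
}

# Two assignments at resource-group scope for the deploying user:
# the custom role above, and Role Based Access Control Administrator so the
# deployment can grant roles to the hub's managed identities.
# $1 = subscription id, $2 = resource group, $3 = deployer object id, $4 = custom role name.
assignment_commands() {
  scope="/subscriptions/$1/resourceGroups/$2"
  printf 'az role assignment create --assignee-object-id %s --assignee-principal-type User --role "%s" --scope %s\n' \
    "$3" "$4" "$scope"
  printf 'az role assignment create --assignee-object-id %s --assignee-principal-type User --role "%s" --scope %s\n' \
    "$3" "Role Based Access Control Administrator" "$scope"
}

# Create the custom role definition, then apply the assignments.
# Runs the az commands only when RUN_AZ=1; prints them otherwise.
grant_deployer_roles() {
  sub="$1"; rg="$2"; deployer="$3"; role_name="$4"
  json=$(role_definition_json "$sub" "$role_name")
  if [ "${RUN_AZ:-0}" = "1" ]; then
    az role definition create --role-definition "$json"
    assignment_commands "$sub" "$rg" "$deployer" "$role_name" | while IFS= read -r cmd; do
      eval "$cmd"
    done
  else
    echo "# role definition that would be created:"
    printf '%s\n' "$json"
    echo "# assignments that would be created:"
    assignment_commands "$sub" "$rg" "$deployer" "$role_name"
  fi
}

# Stand-alone run with placeholder values (replace before using RUN_AZ=1).
if [ "${0##*/}" != "sh" ] && [ -z "${NO_MAIN:-}" ]; then
  grant_deployer_roles \
    "00000000-0000-0000-0000-000000000000" \
    "rg-finops-hub" \
    "11111111-1111-1111-1111-111111111111" \
    "FinOps Hubs Deployment Script Writer"
fi
```

Role Based Access Control Administrator lets its holder assign any role at the given scope, so in practice you would add an assignment condition that limits which role definitions the deployer may grant to the hub's managed identities; the exact role IDs depend on the deployment, so that condition is left out of this example.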