Need Azure Certified confirmation: Are Resource Group-scoped roles (Contributor + Key Vault Secrets Officer) sufficient for full bot platform deployment?

Reuben Genders 0 Reputation points
2026-02-25T05:10:57.8566667+00:00

I am an external developer currently designing a WhatsApp bot platform migration for a client in South Africa. I don't use Azure every day, so I want to ensure my architectural approach is correct.

To maintain strict data sovereignty and POPIA compliance, I have designed a "Contained Workspace" model. I am requesting specific roles scoped strictly to a dedicated Resource Group rather than broad Subscription-level access. My client believes I need "Admin" privileges at the Subscription level, but I believe the following is sufficient once an Admin registers the necessary Resource Providers:

My Requested Roles (Scoped to the Resource Group):

  • Contributor: To deploy Azure Container Apps, PostgreSQL Flexible Server (VNet injected), App Service, and OpenAI services.
  • Key Vault Secrets Officer: To manage encryption keys and database credentials.
  • Virtual Network Gateway Subscriber: To manage a P2S VPN for secure, private database administration.

My Question for the Community: Can someone with an Azure certification confirm if this scoped approach is sufficient for me to independently deploy and manage this infrastructure without needing broader Subscription-level Admin rights?

I want to avoid the "Owner" role to ensure I have zero visibility into the client's other enterprise resources. Does this approach align with current Microsoft best practices for external contractor access?

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

1 answer

  1. Alex Burlachenko 19,525 Reputation points, Volunteer Moderator
    2026-02-25T12:25:13.69+00:00

    Reuben Genders hi,

    Yes, your approach is aligned with Microsoft best practice, but with an important clarification. Contributor scoped to a single Resource Group is normally sufficient to deploy and manage Azure Container Apps, App Service, PostgreSQL Flexible Server, OpenAI resources, networking objects inside that RG, and most day-to-day operational tasks. You don't need Subscription Owner for that. Key Vault Secrets Officer is appropriate if your role is limited to managing secrets. Note that this role doesn't grant access to manage access policies or RBAC on the vault itself. If the vault uses RBAC instead of access policies, ensure the vault permission model matches what you need.

    A Virtual Network Gateway is usually deployed at the subscription or shared networking RG level. If the VNet Gateway or shared networking resources are outside your dedicated RG, Contributor on your RG will not be enough, so you would need scoped rights on the specific networking RG, not the entire subscription. Likewise, resource provider registration (Microsoft.ContainerApps, Microsoft.DBforPostgreSQL, Microsoft.CognitiveServices, etc.) requires subscription-level permissions. That must be handled by an Owner, but not permanently granted to you.

    From a least privilege perspective, avoiding Owner and staying RG-scoped is absolutely the correct model for an external contractor. It limits blast radius and visibility into unrelated enterprise assets.

    In the end, yes, RG-scoped Contributor plus specific additional roles like Key Vault Secrets Officer is normally sufficient, provided shared networking and provider registration are handled appropriately. Subscription-level Owner is not required for full deployment in a contained workspace design.

    rgds,

    Alex

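The split described in the answer, as an added Azure CLI example that is not from the question or the answer: the admin half (one-off provider registration at subscription level, role assignments scoped to the workspace RG and to the shared networking RG) and a contractor-side check that nothing was granted above resource-group scope. The resource group names, object ID and vault name are placeholders; "Network Contributor" on the networking RG is an assumption standing in for whatever narrower network role the client prefers, and Container Apps is registered under the Microsoft.App namespace used by the current CLI.

```shell
#!/usr/bin/env sh
# Added example, not code from the thread. Placeholders throughout.
AZ="${AZ:-az}"   # set AZ=echo to print the commands instead of running them

# --- Admin, once: register the providers an RG-scoped Contributor cannot ---
register_providers() {
  for ns in Microsoft.App Microsoft.DBforPostgreSQL Microsoft.CognitiveServices \
            Microsoft.KeyVault Microsoft.Network Microsoft.Web; do
    $AZ provider register --namespace "$ns"
  done
}

# --- Admin, once: every --scope ends in a resource group, never the bare
#     subscription. Args: subscription id, contractor object id,
#     workspace RG, shared networking RG (holds the VNet gateway). ---
assign_contractor_roles() {
  sub="$1"; oid="$2"; ws_rg="$3"; net_rg="$4"
  ws_scope="/subscriptions/$sub/resourceGroups/$ws_rg"
  net_scope="/subscriptions/$sub/resourceGroups/$net_rg"
  for role in "Contributor" "Key Vault Secrets Officer"; do
    $AZ role assignment create --assignee-object-id "$oid" \
      --assignee-principal-type User --role "$role" --scope "$ws_scope"
  done
  # Assumption: Network Contributor on the networking RG only.
  $AZ role assignment create --assignee-object-id "$oid" \
    --assignee-principal-type User --role "Network Contributor" --scope "$net_scope"
}

# --- Vault created with the RBAC permission model, so that Key Vault
#     Secrets Officer (an RBAC role) actually governs its secrets. ---
create_rbac_vault() {
  $AZ keyvault create --name "$1" --resource-group "$2" --location "$3" \
    --enable-rbac-authorization true
}

# --- Contractor check: assignments whose scope is not inside a resource
#     group. Expected output is empty; any line means scope creep. ---
scopes_above_rg() {
  $AZ role assignment list --assignee "$1" --all \
    --query "[?!contains(scope, '/resourceGroups/')].[roleDefinitionName,scope]" -o tsv
}

# Run the admin half only when the inputs are supplied in the environment.
if [ -n "${CONTRACTOR_OID:-}" ]; then
  register_providers
  assign_contractor_roles "$SUBSCRIPTION_ID" "$CONTRACTOR_OID" "$WORKSPACE_RG" "$NETWORK_RG"
fi
```

Run the check as the contractor with `scopes_above_rg <your-object-id>` after the admin has applied the assignments.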
