![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 64%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Azure Kubernetes Service
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 8%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHS%3C/text%3E%3C/svg%3E)
The deployment script’s managed identity must have Azure RBAC permissions both for:
- Executing the deployment script and managing AKS/ACR resources
- Any role assignments the ARM template itself is trying to create
From the provided context, the key RBAC requirement is the ability to create role assignments when needed.
1. Role needed for role assignments in the ARM template
If the ARM template (or az commands in the deployment script) creates role assignments (for example, giving AKS or the deployment identity access to ACR, Log Analytics, or PostgreSQL), the identity running the deployment must have a role that includes:
Microsoft.Authorization/roleAssignments/write
Examples of roles that include this permission:
- Owner at the subscription or resource group scope
- User Access Administrator at the subscription or resource group scope
- Role Based Access Control Administrator (as shown in the troubleshooting guidance)
If the identity only has Contributor, it can create resources but cannot create role assignments. This is explicitly called out in the Azure Developer CLI and RBAC troubleshooting content.
Relevant guidance:
- “You don't have sufficient permissions to assign roles… common when your user account has
Contributoraccess but notOwnerorUser Access Administratoraccess.” - “Check that you are currently signed in with a user that is assigned a role that has the
Microsoft.Authorization/roleAssignments/writepermission such as Role Based Access Control Administrator at the scope you are trying to assign the role.”
Therefore, for the cloudcadi-deploy-identity (or the principal that runs the ARM deployment) to succeed when the template creates role assignments, assign one of:
- Owner
- User Access Administrator
- Role Based Access Control Administrator
at the subscription or resource group scope used by the deployment.
2. Roles needed for AKS/ACR/other operations
Separately from role-assignment rights, the managed identity used by the deployment script must have sufficient data-plane and control-plane permissions to:
- Read AKS cluster credentials and connect:
- Typically Azure Kubernetes Service Cluster User Role or similar AKS access role at the AKS resource scope (not in the provided context, but required in practice).
- Pull images from ACR:
- The AKS kubelet or the identity used for image pulls must have AcrPull on the ACR. The context shows that for managed identities pulling from ACR,
AcrPullis required.
- The AKS kubelet or the identity used for image pulls must have AcrPull on the ACR. The context shows that for managed identities pulling from ACR,
- Access other Azure resources (PostgreSQL, Log Analytics) as configured by the template, using appropriate built-in roles.
For AKS itself, when using managed identities, the documentation notes that role assignments are required for:
- Custom VNets
- Attached disks
- Static IPs
- Route tables
- User-assigned kubelet identities
These are granted via Azure RBAC roles on those resources to the relevant managed identities.
3. What if no roles are assigned to the managed identity?
If cloudcadi-deploy-identity has no roles:
- It cannot read or modify AKS, ACR, PostgreSQL, or Log Analytics resources.
- It cannot create role assignments (no
Microsoft.Authorization/roleAssignments/write). - The deployment script will fail as soon as it tries to:
- Run
az aks get-credentials(no permission on the AKS resource) - Access ACR, PostgreSQL, or other resources
- Create any role assignments via ARM or CLI.
- Run
There is no alternative way (within the ARM template and deployment script) to perform these operations without granting appropriate RBAC roles to some identity:
- Either:
- Grant the necessary roles to cloudcadi-deploy-identity, or
- Run the deployment under a different principal (for example, a user or service principal) that already has the required roles (Owner/User Access Administrator + resource-specific roles).
If the goal is to avoid giving the deployment identity role-assignment rights, an administrator can:
- Pre-create all required role assignments (for AKS, ACR, etc.) outside the template, using an identity with Owner/User Access Administrator.
- Then run the ARM template and deployment script with an identity that has only the minimal resource-level roles (e.g., AKS access, ACR pull) and does not need to create new role assignments.
But some identity with the correct RBAC must exist; otherwise, the deployment cannot complete.
References: