Adding account contributor permissions for Azure environment credentials
Learn about adding account contributor permissions for Azure environment credentials.
Check that the required permissions for Azure credentials are registered in the environment.
- If the role has account contributor access to the environment credentials, as mentioned in Prerequisites for the provisioning credential, then no changes are needed.
- If the role has specific minimal permissions enabled for the environment credentials, add the following new permissions to the role:
  {
    "Name": "CDE-Workload-Identity-FIC-Manager",
    "Id": null,
    "IsCustom": true,
    "Description": "Custom role for CDE to manage Federated Identity Credentials on pre-existing Azure Managed Identities",
    "Actions": [
      "Microsoft.ManagedIdentity/userAssignedIdentities/read",
      "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
      "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
      "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
      "/subscriptions/[***SUBSCRIPTION-ID***]/resourceGroups/[***RESOURCE-GROUP***]"
    ]
  }
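One way to carry out the check above on an exported role definition, as an added example that is not part of the original documentation or Cloudera's own tooling: it reports which of the four listed actions a role does not grant, honouring `*` wildcards in `Actions` and exclusions in `NotActions`, and flags scopes that still carry the template placeholders. The function names and sample roles are constructed for illustration; it evaluates a single role definition and assumes no deny assignments apply.

```python
import re

# The four actions listed in the CDE-Workload-Identity-FIC-Manager role above.
_UAI = "Microsoft.ManagedIdentity/userAssignedIdentities"
REQUIRED_ACTIONS = [
    f"{_UAI}/read",
    f"{_UAI}/federatedIdentityCredentials/read",
    f"{_UAI}/federatedIdentityCredentials/write",
    f"{_UAI}/federatedIdentityCredentials/delete",
]

def _matches(pattern, action):
    """Azure RBAC pattern match: case-insensitive, '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def is_granted(role, action):
    """Granted if some Actions entry matches and no NotActions entry does."""
    allowed = any(_matches(p, action) for p in role.get("Actions", []))
    excluded = any(_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not excluded

def missing_actions(role):
    """Required actions from this page that the role does not grant."""
    return [a for a in REQUIRED_ACTIONS if not is_granted(role, a)]

def unreplaced_placeholders(role):
    """AssignableScopes still carrying the template's [***...***] markers."""
    return [s for s in role.get("AssignableScopes", []) if "[***" in s]

# Constructed sample role definitions (hypothetical, not from a real tenant).
MINIMAL_ROLE = {  # minimal role that predates the new permissions
    "Actions": [f"{_UAI}/read", f"{_UAI}/federatedIdentityCredentials/read"],
    "NotActions": [],
}
BROAD_ROLE = {  # contributor-style role: wildcard with unrelated exclusions
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Delete"],
}
EXCLUDING_ROLE = {  # wildcard grant with one required action carved out
    "Actions": [f"{_UAI}/*"],
    "NotActions": [f"{_UAI}/federatedIdentityCredentials/Delete"],
}

if __name__ == "__main__":
    samples = {"minimal": MINIMAL_ROLE, "broad": BROAD_ROLE, "excluding": EXCLUDING_ROLE}
    for name, role in samples.items():
        print(name, "missing:", missing_actions(role) or "none")
```

An empty result from `missing_actions` corresponds to the "no changes are needed" case; any action it returns has to be added to the role.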
