Update blog 5.4: add UAA role prerequisite with portal steps and condition option guidance

workcontrolgit · workcontrolgit · commit 77aaf4fa9fbf · 2026-04-06T08:15:17.000-04:00
diff --git a/blogs/series-5-devops-data/5.4-azure-bicep-infrastructure.md b/blogs/series-5-devops-data/5.4-azure-bicep-infrastructure.md
@@ -29,6 +29,7 @@ This article is part of the **AngularNetTutorial** series. The full-stack tutori
 * **CAF naming convention** — why resources are named `app-talent-api-dev` and not `myapp1`
 * **Bicep outputs** — how deployed URLs flow into GitHub Actions workflows
 * **GitHub Actions workflow** — how to deploy infrastructure on-demand via `workflow_dispatch`
+* **Service principal permissions** — why Contributor alone isn't enough and how to grant role assignment capability
 * **Estimated cost** — ~$23/month for the full dev stack, and how to reduce it to $0
 
 ---
@@ -456,6 +457,25 @@ jobs:
 * `AZURE_SUBSCRIPTION_ID` — Azure subscription ID
 * `SQL_ADMIN_PASSWORD` — SQL administrator password
 
+### ⚠️ One-Time Prerequisite: Grant Role Assignment Permission
+
+The Bicep deployment creates RBAC role assignments (granting each Web App's managed identity access to Key Vault). By default, a service principal with **Contributor** role cannot create role assignments — it also needs **User Access Administrator**.
+
+**Grant it in the Azure Portal:**
+
+1. Go to **portal.azure.com → Resource Groups → rg-talent-dev**
+2. Click **Access control (IAM)** in the left menu
+3. Click **+ Add → Add role assignment**
+4. Select role: **User Access Administrator** → click **Next**
+5. Click **+ Select members**, search for your service principal (e.g. `github-angularnettutorial`), select it
+6. Click **Next** — Azure shows a role assignment condition dialog with three options:
+   * Allow user to only assign selected roles to selected principals (fewer privileges)
+   * **Allow user to assign all roles except privileged administrator roles Owner, UAA, RBAC (Recommended)** ← select this
+   * Allow user to assign all roles (highly privileged)
+7. Click **Review + assign**
+
+**Why the Recommended option?** The Bicep only assigns the `Key Vault Secrets User` role — a standard, non-privileged role. The recommended option allows assigning standard roles while blocking the highest-privilege roles (Owner, User Access Administrator itself, RBAC Administrator). This follows the principle of least privilege — enough permission to wire up managed identities, not enough to escalate to subscription owner.
+
 ---
 
 ## 💻 Try It Yourself
