Use this skill when choosing Azure roles for the GitHub federated identity, deployment principals, or runtime identities created by the landing zone.
Principles
- Prefer built-in roles before custom roles.
- Prefer the smallest scope that works.
- Separate bootstrap deployment access from runtime service access.
- Do not reuse operator credentials for automation.
Workflow
- List the actual deployment actions the workflow must perform.
- Determine whether those actions are subscription-scoped, resource-group-scoped, or resource-specific.
- Pick the smallest built-in role that satisfies the deployment path.
- Only propose a custom role if no built-in role safely fits.
- Document the reason for the chosen scope and role.
Questions to answer
- Does the workflow need to create resource groups or only deploy into existing ones?
- Does it need role assignment rights, or should role assignments be staged separately? Role assignment rights come with Owner and User Access Administrator (Microsoft.Authorization/roleAssignments/write) and let a compromised workflow grant itself more access, so stage them separately unless there is a documented reason not to.
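The workflow and the questions above, carried through end to end as an added example (this is not part of the landing zone's own tooling): a GitHub OIDC deployment identity is created with a federated credential instead of a stored secret, granted Contributor at resource-group scope because it only deploys into an existing group, and kept apart from a separate runtime identity that gets a data-plane role on one resource. Subscription ID, resource-group, repository, environment and storage-account names are placeholders; the `az` calls only run when the script is invoked with `apply`.

```shell
#!/usr/bin/env bash
# Added example: least-privilege Azure RBAC for a GitHub federated deployment
# identity plus a separate runtime identity. All names below are placeholders.
set -euo pipefail

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-landingzone-prod}"                     # placeholder
GITHUB_REPO="${GITHUB_REPO:-example-org/landing-zone}"                      # placeholder
GITHUB_ENV="${GITHUB_ENV:-prod}"                                            # placeholder
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stlandingzoneprod}"                     # placeholder

# ARM scope string: resource-group scope when a group is given, subscription
# scope otherwise. Always prefer the narrower one that still works.
scope_for() {
  sub="$1"; rg="${2:-}"
  if [ -n "$rg" ]; then
    printf '/subscriptions/%s/resourceGroups/%s' "$sub" "$rg"
  else
    printf '/subscriptions/%s' "$sub"
  fi
}

# Subject claim GitHub puts in the OIDC token for an environment-gated job.
# The federated credential must match it exactly; a looser subject
# (e.g. any branch) widens who can assume the identity.
github_subject() {
  printf 'repo:%s:environment:%s' "$1" "$2"
}

# Map the "does it create resource groups?" answer onto role + scope.
# Existing group only: Contributor at resource-group scope.
# Must create groups:  Contributor at subscription scope (the wider one).
# Role-assignment rights are never folded in here; stage them separately.
deploy_role_for() {
  creates_rg="$1"   # yes|no
  if [ "$creates_rg" = "yes" ]; then
    printf 'Contributor %s' "$(scope_for "$SUBSCRIPTION_ID")"
  else
    printf 'Contributor %s' "$(scope_for "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")"
  fi
}

apply() {
  # 1. App registration + service principal for the workflow. No client secret.
  app_id=$(az ad app create --display-name "gh-deploy-${RESOURCE_GROUP}" \
             --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null
  sp_object_id=$(az ad sp show --id "$app_id" --query id -o tsv)

  # 2. Federated credential: trust only this repo + environment.
  subject=$(github_subject "$GITHUB_REPO" "$GITHUB_ENV")
  az ad app federated-credential create --id "$app_id" --parameters "$(cat <<EOF
{
  "name": "github-${GITHUB_ENV}",
  "issuer": "https://token.actions.githubusercontent.com",
  "subject": "${subject}",
  "audiences": ["api://AzureADTokenExchange"]
}
EOF
)"

  # 3. Deployment role at the smallest scope that works (existing RG here).
  set -- $(deploy_role_for no)
  az role assignment create --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal --role "$1" --scope "$2"

  # 4. Runtime identity is a different principal with a data-plane role on
  #    one resource, so the deployer never carries runtime access and the
  #    workload never carries deployment access.
  runtime_principal=$(az identity create --name "id-app-${GITHUB_ENV}" \
                        --resource-group "$RESOURCE_GROUP" \
                        --query principalId -o tsv)
  storage_scope="$(scope_for "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")/providers/Microsoft.Storage/storageAccounts/${STORAGE_ACCOUNT}"
  az role assignment create --assignee-object-id "$runtime_principal" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Reader" --scope "$storage_scope"

  # Record the decision alongside the assignment, as the workflow step asks.
  printf 'deploy: %s at %s (existing RG only, no role-assignment rights)\n' "$1" "$2"
  printf 'runtime: Storage Blob Data Reader at %s\n' "$storage_scope"
}

[ "${1:-}" = "apply" ] && apply
```

Run with `SUBSCRIPTION_ID=... RESOURCE_GROUP=... ./bootstrap.sh apply` after `az login` as an operator; the script itself never stores operator credentials for the workflow to reuse. If the deployment must create resource groups, switch the `deploy_role_for no` call to `yes` and record that the scope widened to the subscription and why.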