I have a prod subscription where the deploying pipeline fails because of a missing permission. My Azure AD user has no permission to create or remove locks on Azure SQL.

I wonder what user permissions to configure, and how, so that the Azure Pipeline can create, edit or remove resource locks?

TERRAFORM:

```hcl
resource "azurerm_management_lock" "hellodb_lck" {
  for_each   = var.databases
  name       = "can-not-delete"
  scope      = azurerm_sql_database.hellodb[each.key].id
  lock_level = "CanNotDelete"
}
```
Ked Mardemootoo
Kenny_I

2 Answers


This Azure documentation shows that it's either the built-in Owner or User Access Administrator roles, or custom roles with the right action, that are allowed to manipulate locks.

To create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.

See Shawn's answer for a more detailed explanation.

Ked Mardemootoo
  • Your statement is not following what the docs state. It is [**or**] as it reads if you have access to `Microsoft.Authorization` **or** elevated access to the Owner or User Access Administrator. – Shawn Melton May 04 '22 at 17:52
  • You're right. Thanks for pointing it out. Hopefully I've made it clearer. – Ked Mardemootoo May 05 '22 at 00:34
Per the documentation, the options on permissions to manage locks are (each of these is an or):

  • User account has elevated rights to the Owner or User Access Administrator role. These two roles are part of the root tenant group for your Azure Tenant.
  • User account has access to Microsoft.Authorization/*
  • User account has access to Microsoft.Authorization/locks/*

Microsoft.Authorization Type

There are multiple different built-in roles and Resource permissions that allow a user to manipulate the locks on a resource.

A built-in role that has the required access would be the User Access Administrator role, as it is given Managed Authorization (aka Microsoft.Authorization/*).

As well, an Owner of a resource is granted *, so it inherits the ability to control the locks on the resources as well. Anything under a Contributor on the resource itself does not have the required permissions, as they are only given sub types of Microsoft.Authorization (e.g. Microsoft.Authorization/*/deletes).

Shawn Melton
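Both answers point at the same permission model: the pipeline identity needs `Microsoft.Authorization/locks/*` (or a role that contains it), and neither Contributor nor anything below it carries that. The block below is an added example in the question's own Terraform, not code from the question or either answer: a custom role that grants only the lock actions, assigned at subscription scope to the pipeline's service principal. The variable `pipeline_principal_object_id`, the role name "Resource Lock Operator", and the assumption that the azurerm provider is already configured are mine, not the page's.

```hcl
# Added example: least-privilege alternative to giving the pipeline
# Owner or User Access Administrator. Assumes the azurerm provider is
# already configured and that the pipeline runs as a service principal
# whose Azure AD object ID is supplied in the variable below (assumed name).

variable "pipeline_principal_object_id" {
  description = "Object ID (not application/client ID) of the pipeline's service principal."
  type        = string
}

data "azurerm_subscription" "current" {}

# Custom role that can only read, create and delete management locks.
# Microsoft.Authorization/locks/* expands to locks/read, locks/write and
# locks/delete and nothing else under Microsoft.Authorization, so this
# role cannot change role assignments, policies or elevate access.
resource "azurerm_role_definition" "lock_operator" {
  name        = "Resource Lock Operator" # assumed name
  scope       = data.azurerm_subscription.current.id
  description = "Can create, read and delete management locks."

  permissions {
    actions     = ["Microsoft.Authorization/locks/*"]
    not_actions = []
  }

  assignable_scopes = [
    data.azurerm_subscription.current.id,
  ]
}

# Bind the custom role to the pipeline identity. The pipeline keeps its
# existing Contributor (or similar) assignment for the SQL resources
# themselves; this assignment only adds the lock actions on top.
resource "azurerm_role_assignment" "pipeline_lock_operator" {
  scope              = data.azurerm_subscription.current.id
  role_definition_id = azurerm_role_definition.lock_operator.role_definition_resource_id
  principal_id       = var.pipeline_principal_object_id
}
```

Two practical points. First, creating the role definition and the role assignment themselves requires `Microsoft.Authorization/roleDefinitions/write` and `Microsoft.Authorization/roleAssignments/write`, which Contributor lacks, so this bootstrap has to be applied once by an Owner or User Access Administrator rather than by the same pipeline that later manages the locks. Second, if the locked databases all live in one resource group, replace both `scope` values with that resource group's ID (and add it to `assignable_scopes`) so the lock permission does not reach across the whole subscription.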