Service principal with access to a single resource group

[ChristopherL-STCU]

Hello. I set up a pipeline to provision resources through a GitHub Action. The service principal logged into by the GitHub Action only has access to a specific resource group. When the GitHub Action tries to provision the resources it fails with a 403 Forbidden:

ERROR: deployment failed: error deploying infrastructure: failed deploying: starting deployment to subscription: PUT
https://management.azure.com/subscriptions/{Subscription Id Here}/providers/Microsoft.Resources/deployments/dev

The bicep templates are not creating a new resource group and are only referencing the resource group the service principal has access to. Is there a way to configure the provisioning to allow this scenario to succeed?

[vhvb1989]

The service principal logged into by the GitHub Action only has access to a specific resource group

the SP needs contributor access role for the entire Azure Subscription. That's currently an expectation from azd, as the first deployment is done at Subscription level (even if the resource group already exists)

[ChristopherL-STCU]

Okay, thank you. Unfortunately that will be a hard blocker for me to use azd. I'd like to make that a feature request then, to be able to target a specific resource group and have azd be able to operate with permissions only on that resource group.