In https://github.com/dapr/test-infra/blob/master/deploy/aks/monitoring/monitoring.bicep#L47-L55 we have the following:
resource grafanaRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
name: '22926164-76b3-42b3-bc55-97df8dab3e41'
scope: subscription()
}
resource amwRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
name: 'b0d8363b-8ddd-447d-831f-62ca05bff136'
scope: subscription()
}This means that in order to deploy this bicep template you need permissions that grant you rights to create subscription-level roles. This is too broad, specially considering that the usage of these roles is scoped down to a single resource group / cluster.
In https://github.com/dapr/test-infra/blob/master/deploy/aks/monitoring/monitoring.bicep#L47-L55 we have the following:
This means that in order to deploy this bicep template you need permissions that grant you rights to create subscription-level roles. This is too broad, specially considering that the usage of these roles is scoped down to a single resource group / cluster.