in azext_edge/edge/providers/orchestration/permissions.py [0:0]
def verify_write_permission_against_rg(subscription_id: str, resource_group_name: str):
    """Check that the logged-in principal may write role assignments on a resource group.

    Every permission entry yielded by ``get_principal_permissions_for_group`` is
    judged on its own. An entry grants access when at least one of its
    ``actions`` is a member of ``VALID_PERM_FORMS`` and none of its
    ``notActions`` is. The first granting entry ends the check.

    Args:
        subscription_id: Forwarded unchanged to the permission lookup.
        resource_group_name: Forwarded unchanged to the permission lookup.

    Raises:
        ValidationError: No entry grants the role-assignment write permission.
    """
    # NOTE(review): matching is exact membership of the lower-cased string in
    # VALID_PERM_FORMS (defined outside this block). A wildcard form missing from
    # that set would neither grant nor exclude here -- confirm the set covers the
    # forms that matter, especially for notActions.
    # Only the "actions" and "notActions" keys are read; nothing else that may
    # affect effective access is evaluated by this check.
    entries = get_principal_permissions_for_group(
        subscription_id=subscription_id, resource_group_name=resource_group_name
    )
    for entry in entries:
        # Both sides are computed before the decision, as in the original loops.
        granted = any(name.lower() in VALID_PERM_FORMS for name in entry.get("actions", []))
        excluded = any(name.lower() in VALID_PERM_FORMS for name in entry.get("notActions", []))
        if granted and not excluded:
            return

    raise ValidationError(
        "This IoT Operations deployment config includes resource sync rules which require the logged-in principal\n"
        "to have permission to write role assignments (Microsoft.Authorization/roleAssignments/write) "
        "against the resource group.\n\n"
        "Run the command with --enable-rsync False to not include resource sync rules in the deployment.\n"
    )