
Minimum Access Requirements for CI/CD Pipelines - Overview

Costa Rica

GitHub Cloud2BR OSS - Learning Hub

Last updated: 2026-01-25


One best practice is to start with the built-in Contributor role as a template, then subtract what isn’t needed and add what Contributor misses. Microsoft provides tools to fetch a role definition; for example, you can get the JSON for Contributor and modify it. In practice, you might create two roles for pipelines: a “Deployment Contributor” role that has all resource actions (like Contributor minus RBAC), and an “Access Manager” role with just Microsoft.Authorization/roleAssignments/*.
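The two-role split described above, as an added example (not code from this repository): it derives both custom role definitions from a Contributor-style template and checks which control-plane actions each one permits. The sample Contributor JSON is constructed and abbreviated, and the scope, descriptions and helper names are assumptions; the output uses the JSON shape accepted by `az role definition create --role-definition`.

```python
import json
from fnmatch import fnmatchcase

# Constructed, abbreviated sample shaped like one entry of
# `az role definition list --name Contributor`; fetch the real one before use.
CONTRIBUTOR = {
    "roleName": "Contributor",
    "permissions": [{
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    }],
}
RBAC_WRITES = ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete",
               "Microsoft.Authorization/elevateAccess/Action"]
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder

def custom_role(name, description, actions, not_actions, scope):
    """Build a definition in the shape `az role definition create` accepts."""
    return {"Name": name, "IsCustom": True, "Description": description,
            "Actions": sorted(actions), "NotActions": sorted(not_actions),
            "DataActions": [], "NotDataActions": [], "AssignableScopes": [scope]}

def derive_pipeline_roles(builtin, scope):
    """Split a Contributor-style definition into the two pipeline roles."""
    perms = builtin["permissions"][0]
    # Keep every exclusion Contributor has and force the RBAC ones, so the
    # deployment role stays RBAC-free even if the template changes.
    not_actions = set(perms.get("notActions", [])) | set(RBAC_WRITES)
    deploy = custom_role("Deployment Contributor", "Manage resources, no RBAC changes",
                         perms["actions"], not_actions, scope)
    access = custom_role("Access Manager", "Manage role assignments only",
                         ["Microsoft.Authorization/roleAssignments/*"], [], scope)
    return deploy, access

def is_allowed(role, action):
    """Control-plane check: matches an Action and no NotAction (case-insensitive)."""
    hit = lambda patterns: any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit(role["Actions"]) and not hit(role["NotActions"])

if __name__ == "__main__":
    for role in derive_pipeline_roles(CONTRIBUTOR, SCOPE):
        print(json.dumps(role, indent=2))
```

Running `is_allowed` over the actions a pipeline actually calls, before assigning either role, shows whether the deployment identity can still change role assignments.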

graph TD
    A[Dev Platform - VS/VSC] --> B[Code Platform - GHE/GHES]
    B --> C[AI Productivity - GHC]
    B --> D[Security, Code Scanning, Secret Scanning - GHAS]
    B --> E[Quality & Analysis - GHCQ]
    A --> F[Boards + Pipelines - ADO]
    F --> G[CI/CD + Testing - GHA]

For example, linking Resource Manager and CI/CD to Microsoft Entra ID is the key to having an end-to-end governance model.


Note

Azure DevOps repos / GitHub repos:


From End-to-end governance in Azure when using CI/CD


Refresh Date: 2026-04-06