Deployment error for lacking permissions, despite user is sub owner. #3270
When trying to deploy LocalBox, I am getting an error:

{"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/###/resourceGroups/demo_localbox/providers/Microsoft.Resources/deployments/main","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"InvalidTemplateDeployment","message":"The template deployment failed with error: 'Authorization failed for template resource '0c636641-8285-5d2e-ac36-55c6a4cb9ca3' of type 'Microsoft.Authorization/roleAssignments'. The client '' with object id 'd96c71b7-fbde-4c71-8445-23ba1c3af947' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/###/resourceGroups/demo_localbox/providers/Microsoft.Authorization/roleAssignments/0c636641-8285-5d2e-ac36-55c6a4cb9ca3'.'."}]}}

I did replace the UPN and SubId ... The user referenced is owner of the sub. The referenced object IDs do not return any results in a resource query. Any hint what this could be would be very much appreciated.
Hi, could you check permissions on subscription/resource group for the user performing the deployment?

After a 1:1 chat, we found the culprit:
When assigning the Owner role to your deployment user, I suspect this option was used:
Could you go to Access control on the subscription and check if you have this View/edit option on the assignment?
If you do, click on Configure:
And remove Owner from this list:
We will make a note about checking for constrained permissions in the documentation.
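
Added example (not part of the thread or of the LocalBox project): a pre-deployment check that scans the JSON from `az role assignment list --assignee <user> --include-inherited --output json` for role assignments carrying a condition on `roleAssignments/write`, and reports whether that condition stops the user from assigning Owner. The sample data is constructed, and the condition text follows the shape I understand the portal's constrained-delegation option to produce, which is an assumption.

```python
import json
import re

# Built-in Owner role definition GUID (identical in every tenant).
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
# Clause that limits which role a *new* assignment may grant.
CLAUSE = re.compile(
    r"@Request\[Microsoft\.Authorization/roleAssignments:RoleDefinitionId\]"
    r"\s*([\w:]+)\s*\{([^}]*)\}")
GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def constrained_assignments(cli_json):
    """Return assignments whose condition restricts roleAssignments/write."""
    findings = []
    for a in json.loads(cli_json):
        cond = a.get("condition") or ""   # null/absent means unconstrained
        m = CLAUSE.search(cond)
        if "roleAssignments/write" not in cond or not m:
            continue
        op = m.group(1)
        roles = {g.lower() for g in GUID.findall(m.group(2))}
        # NotEquals = deny-list (blocked if listed); Equals = allow-list.
        if op.endswith("NotEquals"):
            blocked = OWNER in roles
        else:
            blocked = OWNER not in roles
        findings.append({"role": a.get("roleDefinitionName"),
                         "scope": a.get("scope"), "owner_blocked": blocked})
    return findings

# Constructed sample in the shape of the CLI output; scope is a placeholder.
SAMPLE = json.dumps([
    {"roleDefinitionName": "Owner", "scope": "/subscriptions/SUB_ID_PLACEHOLDER",
     "condition":
         "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}))"
         " OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId]"
         " ForAnyOfAllValues:GuidNotEquals {" + OWNER + "}))"},
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/SUB_ID_PLACEHOLDER", "condition": None},
])

if __name__ == "__main__":
    for finding in constrained_assignments(SAMPLE):
        print(finding)
```

An Owner assignment reported with `owner_blocked: True` is the constrained case described above: the role name is Owner, but `Microsoft.Authorization/roleAssignments/write` is refused for the listed roles.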