Minimal permissions required for running CAPZ

[tjungblu]

/kind feature

Describe the solution you'd like

Currently the quickstart uses the Contributor role, which is very broad:

cluster-api-provider-azure/docs/book/src/getting-started.md

Line 51 in 2a14a61

az ad sp create-for-rbac --role contributor --scopes="/subscriptions/${AZURE_SUBSCRIPTION_ID}"

It would be great if there could be a custom (or even builtin) role that contains all required permissions for running capz in production.

Environment:

• cluster-api-provider-azure version: N/A
• Kubernetes version: (use kubectl version): N/A
• OS (e.g. from /etc/os-release): N/A

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[willie-yao]

/remove-lifecycle stale