Role required to perform validate action on resource group

Question

I am trying to run the following powershell command on an Azure API Management resource group:

Test-AzureRmResourceGroupDeployment -ResourceGroupName api-dev-81575006 -TemplateFile .\api-dev.json -TemplateParameterFile .\api-dev.parameters-TEST.json

However I get the following error:

Test-AzureRmResourceGroupDeployment : The client 'xx.xx@blabla.com' with object id '89e711a3-374d-4594-8aba-e0108edf2a87' does not have authorization to perform action 
'Microsoft.Resources/deployments/validate/action' over scope 

I looked at my role in the resource group and I have contributor role. Shouldn't this be sufficient for me to run validate commands on resource groups?

Answer 1

yeah, thats sufficient, so you've got few options here:

1. you dont know who you actually are. i.e. powershell is authenticated under a different user. (Get-AzContext will show you this information)
2. you are deploying to the wrong resource group (so not the one you checked permissions)
3. you are deploying to the wrong subscription (Get-AzContext will show you this information; you can switch subscription with Select-AzSubscription)

also, worth noting, that i'm 99% sure that cmdlet doesnt do what you think it does ;)