Search code examples
azureazure-active-directoryazure-clirbac

Azure CLI az role definition update - microsoft.cdn/profiles/endpoints/Purge/action does not match any of the actions supported by the provider

I'm trying to update an existing role definition with the following command that is run in a DevOps pipeline

$roleDef = az role definition update --role-definition $r.FullName | ConvertFrom-Json

The $r variable holds the path to the custom role definition shown below:

{
    "Name": "DevOps Pipeline",
    "Description": "Used for deploying web application code, but not creating resources",
    "AssignableScopes": [
        "/subscriptions/sub-id-here"
    ],
    "Actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ContainerRegistry/registries/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/components/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/certificates/*",
        "Microsoft.Web/listSitesAssignedToHostName/read",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.Web/sites/*",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Cdn/profiles/endpoints/Purge/action",
        "Microsoft.Web/connections/write",
        "Microsoft.Logic/workflows/write"
    ],
    "NotActions": [],
    "DataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action",
        "Microsoft.AppConfiguration/configurationStores/*/read",
        "Microsoft.AppConfiguration/configurationStores/*/write",
        "Microsoft.AppConfiguration/configurationStores/*/delete"
    ],
    "NotDataActions": []
}

My problem is, when this is run the following exception is thrown:

ERROR: 'Microsoft.Cdn/profiles/endpoints/Purge/action' does not match any of the actions supported by the providers.

Solution

  • The answer from @Stringfellow seems to be the same for me. The cause was due deployment change on the Azure side - nothing to do with my devops pipeline.