So I recently gave the marvellous serverless framework another try, this time with Azure Functions. On our company account … which uses AD-based login. Yet the serverless framework wants to interactively create a service principal account and grant access rights to that one (and that is the only flow it supports). Per se this is a good idea, yet my AD user of course may not grant these rights.

If you try to do it anyway, you’ll get an error message like this:

  Error --------------------------------------------------
  The client '' with object id '00000000-0000-0000-0000-000000000000' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/00000000-0000-0000-0000-000000000000'.

To me it doesn’t feel like a viable option to ask the AD admin to grant those rights to each employee’s service principal account (manually later on). So I wanted to try whether it’s feasible to just recycle azure-cli’s access tokens (which reside under ~/.azure/accessTokens.json).

And off I went, … here’s the Gist with the resulting .patch file.

After installing serverless-azure-functions node module, just apply the patch like this:

curl | \
  patch -p1

… of course this is quite a hack. For the moment it works. If you feel like this should be done differently, or go upstream somehow, feel free to ping me. Either by e-mail or over on Twitter.
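The token-reuse idea above depends on finding a cached token that is still valid, and on the cache file staying private, since it holds bearer and refresh tokens in plaintext. The sketch below is an added example, not the code from the Gist or from serverless-azure-functions; the field names (`resource`, `expiresOn`, `accessToken`, `userId`), the management resource URI and the helper names are assumptions based on the ADAL-style cache that older azure-cli versions write.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Assumed cache location (from the post) and assumed ARM resource URI.
const CACHE_PATH = path.join(os.homedir(), '.azure', 'accessTokens.json');
const ARM_RESOURCE = 'https://management.core.windows.net/';

// True when neither group nor others have any permission bits (POSIX only).
function isPrivateMode(mode) {
  return (mode & 0o077) === 0;
}

// Read the cache, refusing a file that other local users could read.
function loadCache(file = CACHE_PATH) {
  const st = fs.statSync(file);
  if (process.platform !== 'win32' && !isPrivateMode(st.mode)) {
    throw new Error(`${file} is readable by group/others; run chmod 600`);
  }
  return JSON.parse(fs.readFileSync(file, 'utf8'));
}

// Pick the entry for `resource` with the latest expiry that is still valid at
// `now`, keeping a margin so a deploy does not start on a token that expires
// mid-run. Returns null when nothing usable is cached.
function selectToken(entries, resource, now = new Date(), marginMs = 5 * 60 * 1000) {
  let best = null;
  for (const e of entries) {
    if (e.resource !== resource || !e.accessToken) continue;
    // "YYYY-MM-DD hh:mm:ss.ffffff" (local time) -> parseable ISO-like string.
    const iso = String(e.expiresOn).replace(' ', 'T').replace(/\.\d+$/, '');
    const expires = new Date(iso);
    if (Number.isNaN(expires.getTime())) continue;
    if (expires.getTime() - now.getTime() < marginMs) continue;
    if (!best || expires > best.expires) best = { entry: e, expires };
  }
  return best;
}

// Constructed sample entries (placeholder values, not real tokens).
const SAMPLE = [
  { resource: ARM_RESOURCE, userId: 'dev@example.com', expiresOn: '2030-01-01 11:00:00.000000', accessToken: 'expired-placeholder' },
  { resource: ARM_RESOURCE, userId: 'dev@example.com', expiresOn: '2030-01-01 13:00:00.000000', accessToken: 'valid-placeholder' },
  { resource: 'https://graph.windows.net/', userId: 'dev@example.com', expiresOn: '2030-01-01 14:00:00.000000', accessToken: 'other-placeholder' },
];
const picked = selectToken(SAMPLE, ARM_RESOURCE, new Date(2030, 0, 1, 12, 0, 0));
// Log only metadata, never the token value itself.
console.log(picked ? `usable token for ${picked.entry.userId}` : 'no usable token; run az login');
```

On a real machine, `selectToken(loadCache(), ARM_RESOURCE)` returns `null` once the cached token has aged out, which is the signal to run `az login` again rather than deploy with a stale credential.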