Examples of using az to create a service principal and assign RBAC roles to it:
# Create a service principal
az ad sp create-for-rbac --name "my-infra-sp"

# Assign Contributor role at resource group level
az role assignment create \
  --assignee "APP_ID" \
  --role Contributor \
  --scope "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP"

# Assign Key Vault role
az role assignment create \
  --assignee "APP_ID" \
  --role 'Key Vault Crypto Officer' \
  --scope "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.KeyVault/vaults/VAULT_NAME"

# Assign Storage Blob role
az role assignment create \
  --assignee "APP_ID" \
  --role 'Storage Blob Data Contributor' \
  --scope "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.Storage/storageAccounts/STORAGE_ACCOUNT"

# Reset credentials
az ad sp credential reset --id SERVICE_PRINCIPAL_ID

Be sure that you do not include credentials in your code or check them into source control.
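One way to enforce that last point before a commit, as an added example that is not from the original page: a POSIX shell check that flags files containing the JSON printed by `az ad sp create-for-rbac` or `az ad sp credential reset`, or a literal `AZURE_CLIENT_SECRET` value. The function names are hypothetical and the sample values in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# The JSON printed by `az ad sp create-for-rbac` / `az ad sp credential reset`
# contains "appId" and "password". It is pretty-printed over several lines,
# so each key is matched on its own.
has_sp_json() {
  grep -Eq '"appId"[[:space:]]*:[[:space:]]*"[^"]+"' "$1" &&
    grep -Eq '"password"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"
}

# A literal value assigned to AZURE_CLIENT_SECRET (env files, CI YAML).
# Values starting with "$" are variable references and are not flagged.
has_literal_client_secret() {
  grep -Eq "AZURE_CLIENT_SECRET[[:space:]]*[=:][[:space:]]*[\"']?[^\"'\$[:space:]]" "$1"
}

# Scan the given paths and report each offender on stderr.
# Returns 0 when clean, 1 when at least one file should not be committed.
scan_files() {
  rc=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    if has_sp_json "$f"; then
      echo "BLOCK $f: service principal JSON with password" >&2
      rc=1
    elif has_literal_client_secret "$f"; then
      echo "BLOCK $f: literal AZURE_CLIENT_SECRET value" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample: writes fake create-for-rbac style output to a temp
# file and scans it. Returns the scan status (1 means blocked).
demo() {
  d=$(mktemp -d)
  printf '{\n  "appId": "00000000-0000-0000-0000-000000000000",\n  "password": "constructed-not-a-secret",\n  "tenant": "constructed"\n}\n' > "$d/sp.json"
  scan_files "$d/sp.json"; s=$?
  rm -rf "$d"
  return "$s"
}

# When run as a script with file arguments, scan them.
if [ "$#" -gt 0 ]; then
  scan_files "$@"
fi
```

From a Git pre-commit hook, pass the staged file names as arguments; a non-zero exit status aborts the commit.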