Tags: azure-devops, azure-data-factory, cicd, azure-rbac

The client XXXXX with object id XXXXX does not have authorization to perform action 'Microsoft.Resources/deployments/write' over scope


My service principal has the Reader role on the resource group. I'm trying to deploy the release pipeline for ADF in Azure DevOps but got the below error:

The client 'XXXXXXXXXXX' with object id 'XXXXXXXXXXX' does not have authorization to perform action 'Microsoft.Resources/deployments/write' over scope 'XXXXXXXXXXXXXXXXXXXXXXXXXX' or the scope is invalid.If access was recently granted, please refresh your credentials. Please make sure the Service Principal with name NileshEDS-AzureDevOps-Service-Principal is assigned the right roles for the entity NileshEDS. Follow the link for more details: https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal Check out the troubleshooting guide to see if your issue is addressed: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops#troubleshooting. Task failed while creating or updating the template deployment.

My organization is bound to provide minimal access to the service principal. What minimal access (read, write, contributor, owner) should my service principal have to successfully deploy my release pipeline for ADF in Azure DevOps?

-Thank You!


Solution

I can reproduce the same error with the Reader role assigned to the service principal.

Checked on my side: to resolve the error, you should grant the Data Factory Contributor role on the resource group where your ADF resides as minimum access. The access will be inherited by the target ADF.

Then the deployment to Data Factory will be successful.

If you would like to only choose between the roles (read, write, contributor, owner), it's contributor.
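To see why Reader fails and Data Factory Contributor succeeds, the following is an added example (not part of the answer above) that evaluates Azure RBAC the way the error message describes it: an action string matched against a role's Actions with wildcards, at a scope that inherits from the assignment scope. The role action lists are a constructed subset of the two built-in roles, and the subscription id, resource group and deployment names are placeholders.

```python
import re

# Constructed subset of the Actions of two Azure built-in roles (assumption: taken from
# the public built-in roles reference, not from the question or answer above).
ROLE_ACTIONS = {
    "Reader": ["*/read"],
    "Data Factory Contributor": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DataFactory/factories/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
}

def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action match: '*' covers any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and at every scope below it (inheritance)."""
    a, t = assignment_scope.rstrip("/").lower(), target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def is_authorized(assignments, action, target_scope, role_actions=ROLE_ACTIONS):
    """True if any (role_name, scope) assignment grants `action` at `target_scope`.
    NotActions and deny assignments are ignored in this simplified evaluator."""
    for role, scope in assignments:
        if not scope_covers(scope, target_scope):
            continue
        if any(action_matches(p, action) for p in role_actions[role]):
            return True
    return False

# Placeholder scopes: the ARM template deployment the pipeline task writes lives
# under the resource group, so a role assigned on the group is inherited by it.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-adf"
DEPLOYMENT = RG + "/providers/Microsoft.Resources/deployments/adf-release-42"
ACTION = "Microsoft.Resources/deployments/write"

if __name__ == "__main__":
    reader_only = [("Reader", RG)]
    with_adf_contributor = [("Reader", RG), ("Data Factory Contributor", RG)]
    print("Reader only:", is_authorized(reader_only, ACTION, DEPLOYMENT))
    print("With Data Factory Contributor:", is_authorized(with_adf_contributor, ACTION, DEPLOYMENT))
```

Swap the placeholder scopes for the output of `az role assignment list --assignee <sp-object-id>` to check a real principal before a pipeline run.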