diff --git a/tools/iam.ts b/tools/iam.ts
new file mode 100644
index 0000000..b7fa75e
--- /dev/null
+++ b/tools/iam.ts
@@ -0,0 +1,20 @@
+import { authorization } from '@pulumi/azure-native'
+
+import identity from '../shared/identity'
+
+type Options = {
+ identity: Awaited>,
+}
+
+const iamModule = async ( {
+ identity,
+}: Options ) => {
+ new authorization.RoleAssignment( 'azure-sp-role-assignment', {
+ principalId: identity.servicePrincipal.id,
+ principalType: authorization.PrincipalType.ServicePrincipal,
+ roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7',
+ scope: identity.resourceGroup.id,
+ } )
+}
+
+export default iamModule
diff --git a/tools/index.ts b/tools/index.ts
index d8bbe32..cbdd0d6 100644
--- a/tools/index.ts
+++ b/tools/index.ts
@@ -2,12 +2,14 @@ import azureModule from '../shared/azure'
 import identityModule from '../shared/identity'
 import azureSecretsModule from './azure-secrets'
 import codeSigningSecretsModule from './code-signing-secrets'
+import iamModule from './iam'
 import keyVaultModule from './key-vault'
 const stack = async () => {
 const azure = await azureModule()
 const identity = await identityModule()
+ await iamModule( { identity } )
 const keyVault = await keyVaultModule( { azure, identity } )
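Review bot: The `roleDefinitionId` in the new RoleAssignment is a bare built-in-role GUID with nothing saying which role it grants, so a reader cannot check least privilege for the service principal at resource-group scope without looking it up. The id acdd72a7-3385-48ef-bd42-f606fba81ae7 appears to be Azure's built-in Reader role — confirm that, and name it in a comment above the property, `// Built-in "Reader" role: read-only at resourceGroup scope — keep this to the least privilege the SP needs`. The RoleAssignment result is also discarded and iamModule resolves with nothing, so index.ts cannot make the key-vault module depend on the assignment having been created; returning the resource, `const roleAssignment = new authorization.RoleAssignment( ... )` and `return { roleAssignment }`, would let callers pass it to `dependsOn`. The `Awaited>` in Options looks truncated on this page, so the exact type could not be reviewed.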