What is the proper approach to providing to an Azure Function granular, least-privilege access to specific Azure resources in Serverless? For AWS, this is implemented using the iamRoleStatements block in serverless.yml, which provides Lambda functions in the service/stack access to specific operations/actions on specific resources by ARN (for example, writing to an S3 bucket or DynamoDB table).
Azure has the concept of a “Service Principal”, which seems to provide general ability to create resources and deploy them. But there is also the more granular concept of Role-Based Access Control and the more recent capability provided by Managed Service Identities (MSI). The following article explains how MSIs can be implemented generally using the Azure Portal, but is this something that can be done via Serverless?
Is this even the right approach?
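For reference, the AWS-side mechanism the question describes, as an added example that is not part of the original post: a serverless.yml where the function's role is limited to the specific actions it needs on one S3 bucket and one DynamoDB table, identified by ARN. The service, bucket, table and handler names are constructed for illustration; the commented-out block shows the over-broad form for contrast only.

```yaml
service: least-priv-demo            # constructed name, not from the question

provider:
  name: aws
  runtime: nodejs18.x
  # Over-broad: every S3 and DynamoDB action on every resource in the account.
  # iamRoleStatements:
  #   - Effect: Allow
  #     Action: ["s3:*", "dynamodb:*"]
  #     Resource: "*"
  #
  # Least privilege: only the actions the handler calls, only on the named resources.
  iamRoleStatements:
    - Effect: Allow
      Action:
        - s3:PutObject                       # write objects, nothing else
      Resource:
        - arn:aws:s3:::${self:custom.bucketName}/*   # objects in this bucket only
    - Effect: Allow
      Action:
        - dynamodb:PutItem
        - dynamodb:UpdateItem
      Resource:
        - Fn::GetAtt: [OrdersTable, Arn]     # this table only, ARN resolved at deploy

custom:
  bucketName: least-priv-demo-${opt:stage, 'dev'}-uploads

functions:
  recordOrder:
    handler: handler.recordOrder             # hypothetical handler
    events:
      - httpApi:
          path: /orders
          method: post

resources:
  Resources:
    UploadsBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:custom.bucketName}
    OrdersTable:
      Type: AWS::DynamoDB::Table
      Properties:
        BillingMode: PAY_PER_REQUEST
        AttributeDefinitions:
          - { AttributeName: orderId, AttributeType: S }
        KeySchema:
          - { AttributeName: orderId, KeyType: HASH }
```

After `serverless deploy`, the generated execution role carries only these two statements, so a compromised function cannot read other buckets or tables; reviewing the role in IAM after each deploy is the check that the scoping actually held.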