API's VM Contributor permissions are too wide

[tamirkamara]

Describe the bug

We give Virtual Machine Contributor permission to the API identity and that is too wide. For instance, it gets full access to all storage accounts in the subscription.

A couple of options I see:

• Remove the subscription level permission - not sure we event need it that wide and move to a workspace RG level one. Or even on the resource itself
• Create a custom role that we can use together with the first point.

[marrobi]

@tamirkamara just revisiting this (as looking at #1019), not sure this gives "full access" allows to storage accounts, just for them to be listed?

Agree scope is to wide, suggest we move it to workspace resource group scope?