Story
Resolution: Done
Blocker
None
Strategic Product Work
False
None
False
OCPSTRAT-506 - ARO Managed Identity
Add actuator code to satisfy the permissions specified in the 'Permissions' API field. The implementation should create a new custom role with the specified permissions and assign it to the generated user-assigned managed identity, along with the predefined roles enumerated in CredReq.RoleBindings. The role created for the CredentialsRequest should be discoverable so that it can be idempotently updated on re-invocation of ccoctl.
Questions to answer based on lessons learned from custom roles in GCP, assuming that we will create one custom role per identity:
- Does Azure have soft/hard role deletion? i.e., are custom roles retained for some period following deletion and, if so, do deleted roles count towards quota?
- What is the default quota limitation for custom roles in Azure?
- Does it make sense to create a custom role for each identity created based on quota limitations?
- If it doesn't make sense, how can the roles be condensed to satisfy the quota limitations?
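A sketch of the "discoverable, idempotently updated" requirement described above, as an added example that is not ccoctl's code. It assumes the role is found again through a name-based GUID derived from scope and CredentialsRequest name; the `RoleDefinition` type, the in-memory `store` standing in for Azure role definitions, and all sample values are hypothetical.

```go
package main

import (
	"crypto/sha1"
	"fmt"
	"sort"
	"strings"
)

// RoleDefinition is a simplified, hypothetical stand-in for an Azure custom role.
type RoleDefinition struct {
	ID, Name, Scope string
	Actions         []string
}

// roleID derives a stable GUID (SHA-1, version/variant bits set as in UUIDv5)
// so that a re-run computes the same ID and finds the existing role.
func roleID(scope, credReqName string) string {
	h := sha1.Sum([]byte(strings.ToLower(scope) + "/" + credReqName))
	b := h[:16]
	b[6] = (b[6] & 0x0f) | 0x50
	b[8] = (b[8] & 0x3f) | 0x80
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// normalize sorts and de-duplicates permissions so comparison is order-independent.
func normalize(perms []string) []string {
	seen, out := map[string]bool{}, []string{}
	for _, p := range perms {
		if p = strings.TrimSpace(p); p != "" && !seen[p] {
			seen[p] = true
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

// reconcile creates the role, replaces it when permissions changed (so dropped
// permissions are revoked, not accumulated), or leaves it untouched.
func reconcile(store map[string]RoleDefinition, scope, name string, perms []string) string {
	want := RoleDefinition{ID: roleID(scope, name), Name: name, Scope: scope, Actions: normalize(perms)}
	have, found := store[want.ID]
	if found && strings.Join(have.Actions, "\n") == strings.Join(want.Actions, "\n") {
		return "unchanged"
	}
	store[want.ID] = want
	if found {
		return "update"
	}
	return "create"
}

func main() {
	store := map[string]RoleDefinition{} // constructed sample state
	scope := "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
	fmt.Println(reconcile(store, scope, "example-credreq", []string{"Microsoft.Storage/storageAccounts/read"}))
}
```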
- is depended on by
CCO-282 Azure OpenShift role granularity for Azure managed identity
- Release Pending