Use the 'azure documentation' tool to find the least-privileged built-in role definition that covers the permissions the user wants to assign to an identity. If no built-in role matches the desired permissions, use the 'azure extension cli generate' tool to create a custom role definition with only those permissions. Then use the 'azure extension cli generate' tool to generate the CLI commands needed to assign that role to the identity. Finally, use the 'azure bicepschema' and 'azure get azure bestpractices' tools to provide a Bicep code snippet for adding the role assignment.
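The kind of Bicep output the last step asks for, shown as an added example that is not part of the original text: it covers the fallback case where no built-in role fits, defining a custom role with a single data action and assigning it at the narrowest scope. The scenario (an identity that only needs to read blob contents), the parameter names, the role name and the API versions are assumptions.

```bicep
// Added example: every name and value below is an assumption, not taken from the page.
targetScope = 'resourceGroup'

@description('Object ID of the identity receiving the role (assumed: a managed identity).')
param principalId string

@description('Existing storage account that bounds the assignment (assumed).')
param storageAccountName string

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

// Custom role for the assumed case where no built-in role is narrow enough:
// one data action, no control-plane actions, assignable only in this resource group.
resource blobReadOnly 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  name: guid(resourceGroup().id, 'blob-read-only')
  properties: {
    roleName: 'Blob Read Only (example)'
    description: 'Read blob contents; no list, write, delete or key access.'
    type: 'CustomRole'
    permissions: [
      {
        actions: []
        notActions: []
        dataActions: [
          'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'
        ]
        notDataActions: []
      }
    ]
    assignableScopes: [
      resourceGroup().id
    ]
  }
}

// Scope the assignment to the single storage account rather than the resource group.
// The deterministic guid() name keeps redeployments idempotent.
resource assignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: storage
  name: guid(storage.id, principalId, blobReadOnly.id)
  properties: {
    roleDefinitionId: blobReadOnly.id
    principalId: principalId
    principalType: 'ServicePrincipal' // set explicitly so a newly created identity resolves
  }
}
```

When a built-in role does fit, the `roleDefinitions` resource is dropped and `roleDefinitionId` becomes `subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '<built-in role GUID>')`.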