Today I spent way too much time trying to figure why I couldn’t create a virtual machine using a saved image. I should elaborate that I could create it from the web portal but I was getting permissions errors from the Java SDK. It turned out that the "Virtual Machine Contributor" role is not enough to use a captured virtual machine image. This role is missing read permissions for the Azure Compute Gallery which is unfortunate as that is how the web portal directs you to create a base image for machine creation. The Compute Gallery does seem to be "new" compared to the handful of other services that sound equally applicable for managing images. Anyways, I ended up creating a new role which I called "Azure Compute Gallery Reader" which contain all of the read permissions for each category under "Microsoft.Compute/galleries". With that my service account is back to the races at deploying virtual machines!