argocd app create in CI pipeline (GitHub Actions, Tekton, ...) throws "PermissionDenied desc = permission denied: applications, create, default/myapp"

Question

From our Tekton pipeline we want to use ArgoCD CLI to do a argocd app create and argocd app sync dynamically based on the app that is build. We created a new user as described in the docs by adding a accounts.tekton: apiKey to the argocd-cm ConfigMap:

kubectl patch configmap argocd-cm -n argocd -p '{"data": {"accounts.tekton": "apiKey"}}'

Then we created a token for the tekton user with:

argocd account generate-token --account tekton

With this token as the password and the username tekton we did the argocd login like

argocd login $(kubectl get service argocd-server -n argocd --output=jsonpath='{.status.loadBalancer.ingress[0].hostname}') --username=tekton --password="$TOKEN";

Now from within our Tekton pipeline (but we guess that would be the same for every other CI, given the usage of a non-admin user) we get the following error if we run argocd app create:

$ argocd app create microservice-api-spring-boot --repo https://gitlab.com/jonashackt/microservice-api-spring-boot-config.git --path deployment --dest-server https://kubernetes.default.svc --dest-namespace default --revision argocd --sync-policy auto
error rpc error: code = PermissionDenied desc = permission denied: applications, create, default/microservice-api-spring-boot, sub: tekton, iat: 2022-02-03T16:36:48Z