Role-related azcli commands:
=============================

Assign a role to an application id:
-----------------------------------

The assignee has to be the fully qualified id, not just the short name.

::

    $ echo $a002
    b3e747a9-[[snip]]
    $ az role assignment create --assignee ${a002} --role reader
    [[json snipped]]

List available roles:
---------------------

::

    $ az role definition list --query '[].roleName' --output tsv | sort | head
    API Management Developer Portal Content Editor
    API Management Service Contributor
    API Management Service Operator Role
    API Management Service Reader Role
    Access Review Operator Service Role
    AcrDelete
    AcrImageSigner
    AcrPull
    AcrPush
    AcrQuarantineReader

Get ID for specific role:
-------------------------

::

    $ az role definition list --query '[].{ Title:roleName, ID:name}' --output table | grep -i 'azure kub'
    Azure Kubernetes Service Cluster Admin Role         0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8
    Azure Kubernetes Service Cluster User Role          4abbcc35-e782-43d8-92c5-2d3f1bd2253f
    Azure Kubernetes Service Contributor Role           ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8
    Azure Kubernetes Service RBAC Cluster Admin         b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b
    Azure Kubernetes Service RBAC Admin                 3498e952-d568-435e-9b2c-8d77e338d7f7
    Azure Kubernetes Service RBAC Reader                7f6c6a51-bcf8-42ba-9220-52d62157d7db
    Azure Kubernetes Service RBAC Writer                a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb
    Azure Kubernetes Service Policy Add-on Deployment   18ed5180-3e48-46fd-8541-4ea054d57064

Get actions a specific role can do:
-----------------------------------

::

    $ az role definition list -n 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 --query '[].permissions'
    [
      [
        {
          "actions": [
            "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
            "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
            "Microsoft.ContainerService/managedClusters/read",
            "Microsoft.ContainerService/managedClusters/runcommand/action"
          ],
          "dataActions": [],
          "notActions": [],
          "notDataActions": []
        }
      ]
    ]

List roles for specific principal:
----------------------------------

::

    $ az role assignment list --assignee ${a002} --query '[].{ Role:roleDefinitionName}' --output tsv
    Reader
    Azure Kubernetes Service Cluster Admin Role
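The permissions JSON above is what a review of a principal's assignments has to be evaluated against: an action is effectively granted when an entry in ``actions`` matches it (``*`` wildcards, case-insensitive) and no entry in ``notActions`` does. The following is an added example, not part of these notes or of the Azure CLI; it embeds the Cluster Admin Role permissions shown above as constructed sample input, plus a hypothetical custom role (not from the page) to show how ``notActions`` carves credential listing out of a wildcard grant.

```python
import json
import re

# Constructed sample: the permissions the page shows for the AKS Cluster Admin Role
# (0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8), in the shape `az role definition list -n <id>
# --query '[].permissions'` emits (a list per role definition, one block each here).
CLUSTER_ADMIN_PERMISSIONS = json.loads("""
[[{"actions": [
    "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
    "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.ContainerService/managedClusters/runcommand/action"],
  "dataActions": [], "notActions": [], "notDataActions": []}]]
""")[0]

# Hypothetical custom role (constructed, not from the page): a wildcard grant over the
# provider with the credential-listing actions carved out through notActions.
CUSTOM_OPERATOR_PERMISSIONS = [{
    "actions": ["Microsoft.ContainerService/*"],
    "notActions": [
        "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action"],
    "dataActions": [], "notDataActions": []}]

# Control-plane actions worth flagging when reviewing what a principal's roles allow.
CREDENTIAL_ACTIONS = (
    "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
    "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action")

def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC matching: case-insensitive; '*' matches any run of characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_allows(permissions: list, action: str, data_action: bool = False) -> bool:
    """An action is granted when some block lists a matching entry in actions and none in
    notActions; data-plane actions use dataActions/notDataActions instead."""
    allow_key, deny_key = ("dataActions", "notDataActions") if data_action else ("actions", "notActions")
    for block in permissions:
        granted = any(action_matches(p, action) for p in block.get(allow_key, []))
        denied = any(action_matches(p, action) for p in block.get(deny_key, []))
        if granted and not denied:
            return True
    return False

def credential_actions_granted(permissions: list) -> list:
    """Credential-listing actions this role definition effectively grants."""
    return [a for a in CREDENTIAL_ACTIONS if role_allows(permissions, a)]
```

Feeding the real output of ``az role definition list -n <id> --query '[].permissions'`` through ``json.loads(...)[0]`` gives the same structure, so the functions work unchanged on live role definitions.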