Role-related azcli commands:

Assign a role to an application ID:

The assignee has to be the fully qualified ID, not just the short name.

$ echo $a002
b3e747a9-[[snip]]

$ az role assignment create --assignee ${a002} --role reader

[[json snipped]]

List available roles:

$ az role definition list --query '[].roleName' --output tsv | sort | head
API Management Developer Portal Content Editor
API Management Service Contributor
API Management Service Operator Role
API Management Service Reader Role
Access Review Operator Service Role
AcrDelete
AcrImageSigner
AcrPull
AcrPush
AcrQuarantineReader

Get the ID for a specific role:

$ az role definition list --query '[].{
  Title:roleName,
  ID:name}' --output table | grep -i 'azure kub'
Azure Kubernetes Service Cluster Admin Role                 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8
Azure Kubernetes Service Cluster User Role                  4abbcc35-e782-43d8-92c5-2d3f1bd2253f
Azure Kubernetes Service Contributor Role                   ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8
Azure Kubernetes Service RBAC Cluster Admin                 b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b
Azure Kubernetes Service RBAC Admin                         3498e952-d568-435e-9b2c-8d77e338d7f7
Azure Kubernetes Service RBAC Reader                        7f6c6a51-bcf8-42ba-9220-52d62157d7db
Azure Kubernetes Service RBAC Writer                        a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb
Azure Kubernetes Service Policy Add-on Deployment           18ed5180-3e48-46fd-8541-4ea054d57064

Get the actions a specific role can perform:

$ az role definition list -n 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 --query '[].permissions'
[
  [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/runcommand/action"
      ],
      "dataActions": [],
      "notActions": [],
      "notDataActions": []
    }
  ]
]

List roles for a specific principal:

$ az role assignment list --assignee ${a002} --query '[].{
  Role:roleDefinitionName}' --output tsv
Reader
Azure Kubernetes Service Cluster Admin Role
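
The last two lookups combine naturally into a least-privilege check: take the role names assigned to a principal and report which of them grant actions you care about, honoring wildcards and notActions. This is an added example, not part of the original notes; the function names, the WATCHED list and the trimmed sample JSON (including the Reader role's `*/read` action) are assumptions made for illustration.

```python
import json
import re

# Constructed sample shaped like `az role definition list --output json`;
# the AKS actions are copied from the output above, other fields are omitted.
SAMPLE_DEFINITIONS = json.loads("""
[
  {"roleName": "Azure Kubernetes Service Cluster Admin Role",
   "permissions": [{"actions": [
     "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
     "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
     "Microsoft.ContainerService/managedClusters/read",
     "Microsoft.ContainerService/managedClusters/runcommand/action"],
     "notActions": []}]},
  {"roleName": "Reader",
   "permissions": [{"actions": ["*/read"], "notActions": []}]}
]
""")

# Assumed watch list: actions a reviewer wants surfaced for any principal.
WATCHED = [
    "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
    "Microsoft.ContainerService/managedClusters/runcommand/action",
]

def matches(pattern, action):
    """Action patterns are compared case-insensitively; '*' matches any run."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def grants(definition, action):
    """True if a permission block allows the action and notActions does not exclude it."""
    for block in definition.get("permissions", []):
        allowed = any(matches(p, action) for p in block.get("actions", []))
        denied = any(matches(p, action) for p in block.get("notActions", []))
        if allowed and not denied:
            return True
    return False

def audit(definitions, assigned_roles, watched=WATCHED):
    """Map each assigned role found in definitions to the watched actions it grants."""
    by_name = {d["roleName"]: d for d in definitions}
    return {role: [a for a in watched if grants(by_name[role], a)]
            for role in assigned_roles if role in by_name}

if __name__ == "__main__":
    roles = ["Reader", "Azure Kubernetes Service Cluster Admin Role"]
    for role, hits in audit(SAMPLE_DEFINITIONS, roles).items():
        print(role, "->", hits)
```

To run it against a live subscription, replace SAMPLE_DEFINITIONS with the parsed output of `az role definition list --output json` and pass the role names returned by the `az role assignment list` query above.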

©2023, dkoleary.