Azure Roles
Setting up Azure roles on subscriptions:
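# Log out and clear any cached account/token state before switching identities
az logout
az account clear
# Login as your global/high-privileged account to start creating service principals
az login
# Set base variables so we can create RBAC
export ROLE="owner" # this is overly privileged, so you should choose something more specific for your needs
export SP_NAME="your-service-principal-name"
export SUBSCRIPTION_ID="your-subscription-id"
# Every expansion is quoted so a name containing spaces or glob characters is
# passed to az as a single argument instead of being word-split.
az ad sp create-for-rbac \
  --name "$SP_NAME" \
  --role "$ROLE" \
  --scopes "/subscriptions/$SUBSCRIPTION_ID"
# Export variables to environment so the programmatic user can be used
export AZURE_SUBSCRIPTION_ID="$SUBSCRIPTION_ID"
export AZURE_TENANT_ID='your-tenant-id'
export AZURE_CLIENT_ID='qwerty' # appId from create-for-rbac step
# password from create-for-rbac step. Placeholder only: in a real session read
# the value from a file or a silent prompt (read -rs) rather than typing it on
# the command line, where it is kept in shell history and visible in `ps`.
export AZURE_CLIENT_SECRET='qwerty'
# Object id of the service principal, NOT the appId: the later
# `az role assignment create --assignee-object-id` call expects the object id.
# It can be looked up with: az ad sp show --id "$AZURE_CLIENT_ID" --query objectId -o tsv
# (newer CLI versions expose it under "id" instead of "objectId" - check your version).
export SP_ROLE_ID="some-object-id"
# ROLE and SUBSCRIPTION_ID are already exported above; they are not re-set here.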
Create Role Assignment Manually
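# Subscription id (a GUID, not the display name) that the scope below is built from.
$sub = ""
$role = "Owner"
# Guard: with an empty $sub the scope silently becomes "/subscriptions/", which is
# not a valid assignment target.
if ([string]::IsNullOrWhiteSpace($sub)) { throw "sub must be set to a subscription id" }
# $SP_ROLE_ID is a PowerShell variable here; a value exported from a bash shell is
# only visible in PowerShell as $env:SP_ROLE_ID. It must hold the service
# principal's object id (what --assignee-object-id expects), not its appId.
az role assignment create --assignee-object-id $SP_ROLE_ID --role $role --scope "/subscriptions/$sub"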
Using a script to get user assignments:
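# Subscription display names to walk, and the user whose object id is resolved in each.
$list = @("sub_name_1","sub_name_2","sub_name_3")
$user_id = "SOMEUSER"
$list | ForEach-Object {
  $sub_name = $_
  Write-Host "Setting Subscription for $sub_name..." -ForegroundColor Yellow
  az account set --subscription $sub_name
  # If the switch fails the following `az account show` still reports the
  # previous subscription and everything below is attributed to the wrong one,
  # so stop here instead of continuing.
  if ($LASTEXITCODE -ne 0) { throw "az account set failed for subscription '$sub_name'" }
  Write-Host "Setting Subscription..." -ForegroundColor Yellow
  $sub = az account show --query id --output tsv
  # The original had a stray quote after $user_id, which left the string
  # unterminated. "objectId" is the property name on older CLI versions; newer
  # versions return it as "id" - check your version.
  $id = az ad user show --id $user_id --query "objectId" --output tsv
  Write-Host "sub is: $sub"
  Write-Host "id is $id"
  # Assignment step intentionally left disabled; $role must be defined before enabling it.
  #az role assignment create --assignee-object-id $id --role $role --scope /subscriptions/$sub
}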
Get Role Assignments
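# Inputs: $user_id is the principal whose assignments are listed, $sub is a
# subscription display name (resolved to an id below), $role a role name.
$user_id = "SOME_USER"
$sub = "SOME_SUB"
$role = "Owner"
# Get Role Id:
#==========================================================
az role definition list --name "Owner"
az role definition list --output tsv --query '[].{roleName:roleName}'
# "name" is the role definition GUID; the original projected "owner", which is
# not a property and always came back empty.
az role definition list --query "[].{name:name, roleType:roleType, roleName:roleName}" --output tsv
# Same fix for the assignment listing: the role is under roleDefinitionName.
az role assignment list --output json --query '[].{principalName:principalName, roleDefinitionName:roleDefinitionName, scope:scope}'
# Assignments held by the user at the current subscription scope.
az role assignment list --assignee $user_id --output json --query '[].{roleDefinitionName:roleDefinitionName, scope:scope}'
# Double quotes so $sub is expanded; inside single quotes PowerShell passes the
# literal text "$sub" to JMESPath.
az account list --query "[?contains(name,'$sub')].{name:name, id:id}"
az account list --query "[?name=='$sub'].{Name:name, Id:id}"
az account list --query "[?name=='$sub']" --output tsv
# The scope needs the subscription id, not its display name, so resolve it first
# and refuse to build "/subscriptions/<name>".
$sub_id = az account list --query "[?name=='$sub'].id" --output tsv
if ([string]::IsNullOrWhiteSpace($sub_id)) { throw "no subscription named '$sub' is visible to this account" }
# $SP_ROLE_ID must be the service principal's object id (what --assignee-object-id
# expects); a value exported from bash is read in PowerShell as $env:SP_ROLE_ID.
az role assignment create --assignee-object-id $SP_ROLE_ID --role $role --scope "/subscriptions/$sub_id"
az role definition list --output tsv --query '[].{roleName:roleName}'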