Reputation: 3260
I am not looking for my roles, but the derived permissions from those roles.
I can actually get them, but in such a messy way that I am really hoping there is a better way that Azure provides. This seems like a basic need.
❯ az role assignment list --query "[?principalName=='<my-custom-aad-group>'].roleDefinitionName"
[
  "Project Contributor",
  "User Access Administrator",
  "Subnet Deleter",
  "Storage Blob Data Contributor"
]
Then iterate through these roles so that I can get the actual permissions from them. For instance:
❯ az role definition list --query "[?roleName=='Storage Blob Data Contributor']"
[
  {
    "assignableScopes": [
      "/"
    ],
    "description": "Allows for read, write and delete access to Azure Storage blob containers and data",
    "id": "/subscriptions/e26acd7c-cb75-4b1c-adf6-07a8eaca6d35/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
    "name": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/write",
          "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
        ],
        "dataActions": [
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
        ],
        "notActions": [],
        "notDataActions": []
      }
    ],
    "roleName": "Storage Blob Data Contributor",
    "roleType": "BuiltInRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]
Then I can collect all of these roles in some sort of set intersection process, which is harder than it sounds, since I need to consider how "actions" and "not actions" interact with each other.
I just feel like there should be something like:
❯ az aad permissions list --query "[?principalName=='<my-custom-aad-group>'].roleDefinitionName"
where I can provide both of these steps at once:
AAD group ==> collection of roles ==> set of "actions" and "not actions" associated with the collection of roles.
Upvotes: 0
Views: 842
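An added example (not code from the question or the answer) of the combining step the question describes. Azure evaluates each assigned role on its own: an operation is granted by a role when it matches an Actions entry and no NotActions entry of that role (wildcards allowed), and the per-role results are then unioned, so NotActions in one role never removes what another role grants. The role definitions below are constructed samples in the shape of `az role definition list` output; the first copies entries from the question, the other three are hypothetical roles.

```python
import json
import re

# Constructed sample shaped like `az role definition list` output, trimmed to the
# fields that matter. Feed the real output of that command here instead.
SAMPLE_ROLES = json.loads('''[
 {"roleName": "Storage Blob Data Contributor",
  "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
                   "notActions": [],
                   "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
                   "notDataActions": []}]},
 {"roleName": "Subnet Deleter",
  "permissions": [{"actions": ["Microsoft.Network/virtualNetworks/subnets/delete"],
                   "notActions": [], "dataActions": [], "notDataActions": []}]},
 {"roleName": "Storage Operator (constructed)",
  "permissions": [{"actions": ["Microsoft.Storage/*"],
                   "notActions": ["Microsoft.Storage/storageAccounts/listKeys/action"],
                   "dataActions": [], "notDataActions": []}]},
 {"roleName": "Key Lister (constructed)",
  "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/listKeys/action"],
                   "notActions": [], "dataActions": [], "notDataActions": []}]}
]''')


def _matches(pattern: str, operation: str) -> bool:
    """Azure operation matching: '*' spans any characters ('/' included), case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_grants(role: dict, operation: str, data: bool = False) -> bool:
    """True if this one role grants `operation`: it matches an Actions entry and no
    NotActions entry in the same permission block. NotActions subtract within the
    role only; they are not a deny rule that applies to other roles."""
    allow, deny = ("dataActions", "notDataActions") if data else ("actions", "notActions")
    for block in role["permissions"]:
        if any(_matches(p, operation) for p in block.get(allow, [])) and \
           not any(_matches(p, operation) for p in block.get(deny, [])):
            return True
    return False


def granting_roles(roles: list, operation: str, data: bool = False) -> list:
    """Names of the assigned roles that grant `operation` (assignments are unioned).
    An empty list means none of these roles permits the operation."""
    return [r["roleName"] for r in roles if role_grants(r, operation, data)]
```

Because of the wildcard semantics, the effective set cannot be enumerated as a finite list; checking the operations you care about against the assigned roles, as above, is the reliable form of the question's "set" step.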
Reputation: 16498
RBAC roles and Directory roles are different.
The command you assume, similar to az aad permissions list, does not exist in Azure CLI. Even if there were one, it would be for Directory Roles rather than RBAC Roles.
I'm afraid that we have to list the roles first and get the permissions for each role in Azure CLI currently.
Upvotes: 1