Docs Home
We recommend using Azure Native.
Azure v6.21.0 published on Friday, Mar 7, 2025 by Pulumi
azure.authorization.Assignment
Explore with Pulumi AI
Assigns a given Principal (User or Group) to a given Role.
Example Usage
Using A Built-In Role)
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const primary = azure.core.getSubscription({});
const example = azure.core.getClientConfig({});
const exampleAssignment = new azure.authorization.Assignment("example", {
scope: primary.then(primary => primary.id),
roleDefinitionName: "Reader",
principalId: example.then(example => example.objectId),
});
import pulumi
import pulumi_azure as azure
primary = azure.core.get_subscription()
example = azure.core.get_client_config()
example_assignment = azure.authorization.Assignment("example",
scope=primary.id,
role_definition_name="Reader",
principal_id=example.object_id)
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
primary, err := core.LookupSubscription(ctx, &core.LookupSubscriptionArgs{}, nil)
if err != nil {
return err
}
example, err := core.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
_, err = authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
Scope: pulumi.String(primary.Id),
RoleDefinitionName: pulumi.String("Reader"),
PrincipalId: pulumi.String(example.ObjectId),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var primary = Azure.Core.GetSubscription.Invoke();
var example = Azure.Core.GetClientConfig.Invoke();
var exampleAssignment = new Azure.Authorization.Assignment("example", new()
{
Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
RoleDefinitionName = "Reader",
PrincipalId = example.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var primary = CoreFunctions.getSubscription();
final var example = CoreFunctions.getClientConfig();
var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
.scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.roleDefinitionName("Reader")
.principalId(example.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.build());
}
}
resources:
exampleAssignment:
type: azure:authorization:Assignment
name: example
properties:
scope: ${primary.id}
roleDefinitionName: Reader
principalId: ${example.objectId}
variables:
primary:
fn::invoke:
function: azure:core:getSubscription
arguments: {}
example:
fn::invoke:
function: azure:core:getClientConfig
arguments: {}
Custom Role & Service Principal)
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const primary = azure.core.getSubscription({});
const example = azure.core.getClientConfig({});
const exampleRoleDefinition = new azure.authorization.RoleDefinition("example", {
roleDefinitionId: "00000000-0000-0000-0000-000000000000",
name: "my-custom-role-definition",
scope: primary.then(primary => primary.id),
permissions: [{
actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
notActions: [],
}],
assignableScopes: [primary.then(primary => primary.id)],
});
const exampleAssignment = new azure.authorization.Assignment("example", {
name: "00000000-0000-0000-0000-000000000000",
scope: primary.then(primary => primary.id),
roleDefinitionId: exampleRoleDefinition.roleDefinitionResourceId,
principalId: example.then(example => example.objectId),
});
import pulumi
import pulumi_azure as azure
primary = azure.core.get_subscription()
example = azure.core.get_client_config()
example_role_definition = azure.authorization.RoleDefinition("example",
role_definition_id="00000000-0000-0000-0000-000000000000",
name="my-custom-role-definition",
scope=primary.id,
permissions=[{
"actions": ["Microsoft.Resources/subscriptions/resourceGroups/read"],
"not_actions": [],
}],
assignable_scopes=[primary.id])
example_assignment = azure.authorization.Assignment("example",
name="00000000-0000-0000-0000-000000000000",
scope=primary.id,
role_definition_id=example_role_definition.role_definition_resource_id,
principal_id=example.object_id)
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
primary, err := core.LookupSubscription(ctx, &core.LookupSubscriptionArgs{}, nil)
if err != nil {
return err
}
example, err := core.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
exampleRoleDefinition, err := authorization.NewRoleDefinition(ctx, "example", &authorization.RoleDefinitionArgs{
RoleDefinitionId: pulumi.String("00000000-0000-0000-0000-000000000000"),
Name: pulumi.String("my-custom-role-definition"),
Scope: pulumi.String(primary.Id),
Permissions: authorization.RoleDefinitionPermissionArray{
&authorization.RoleDefinitionPermissionArgs{
Actions: pulumi.StringArray{
pulumi.String("Microsoft.Resources/subscriptions/resourceGroups/read"),
},
NotActions: pulumi.StringArray{},
},
},
AssignableScopes: pulumi.StringArray{
pulumi.String(primary.Id),
},
})
if err != nil {
return err
}
_, err = authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
Name: pulumi.String("00000000-0000-0000-0000-000000000000"),
Scope: pulumi.String(primary.Id),
RoleDefinitionId: exampleRoleDefinition.RoleDefinitionResourceId,
PrincipalId: pulumi.String(example.ObjectId),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var primary = Azure.Core.GetSubscription.Invoke();
var example = Azure.Core.GetClientConfig.Invoke();
var exampleRoleDefinition = new Azure.Authorization.RoleDefinition("example", new()
{
RoleDefinitionId = "00000000-0000-0000-0000-000000000000",
Name = "my-custom-role-definition",
Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
Permissions = new[]
{
new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
{
Actions = new[]
{
"Microsoft.Resources/subscriptions/resourceGroups/read",
},
NotActions = new() { },
},
},
AssignableScopes = new[]
{
primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
},
});
var exampleAssignment = new Azure.Authorization.Assignment("example", new()
{
Name = "00000000-0000-0000-0000-000000000000",
Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
RoleDefinitionId = exampleRoleDefinition.RoleDefinitionResourceId,
PrincipalId = example.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.authorization.RoleDefinition;
import com.pulumi.azure.authorization.RoleDefinitionArgs;
import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var primary = CoreFunctions.getSubscription();
final var example = CoreFunctions.getClientConfig();
var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()
.roleDefinitionId("00000000-0000-0000-0000-000000000000")
.name("my-custom-role-definition")
.scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.permissions(RoleDefinitionPermissionArgs.builder()
.actions("Microsoft.Resources/subscriptions/resourceGroups/read")
.notActions()
.build())
.assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.build());
var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
.name("00000000-0000-0000-0000-000000000000")
.scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.roleDefinitionId(exampleRoleDefinition.roleDefinitionResourceId())
.principalId(example.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.build());
}
}
resources:
exampleRoleDefinition:
type: azure:authorization:RoleDefinition
name: example
properties:
roleDefinitionId: 00000000-0000-0000-0000-000000000000
name: my-custom-role-definition
scope: ${primary.id}
permissions:
- actions:
- Microsoft.Resources/subscriptions/resourceGroups/read
notActions: []
assignableScopes:
- ${primary.id}
exampleAssignment:
type: azure:authorization:Assignment
name: example
properties:
name: 00000000-0000-0000-0000-000000000000
scope: ${primary.id}
roleDefinitionId: ${exampleRoleDefinition.roleDefinitionResourceId}
principalId: ${example.objectId}
variables:
primary:
fn::invoke:
function: azure:core:getSubscription
arguments: {}
example:
fn::invoke:
function: azure:core:getClientConfig
arguments: {}
Custom Role & User)
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const primary = azure.core.getSubscription({});
const example = azure.core.getClientConfig({});
const exampleRoleDefinition = new azure.authorization.RoleDefinition("example", {
roleDefinitionId: "00000000-0000-0000-0000-000000000000",
name: "my-custom-role-definition",
scope: primary.then(primary => primary.id),
permissions: [{
actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
notActions: [],
}],
assignableScopes: [primary.then(primary => primary.id)],
});
const exampleAssignment = new azure.authorization.Assignment("example", {
name: "00000000-0000-0000-0000-000000000000",
scope: primary.then(primary => primary.id),
roleDefinitionId: exampleRoleDefinition.roleDefinitionResourceId,
principalId: example.then(example => example.objectId),
});
import pulumi
import pulumi_azure as azure
primary = azure.core.get_subscription()
example = azure.core.get_client_config()
example_role_definition = azure.authorization.RoleDefinition("example",
role_definition_id="00000000-0000-0000-0000-000000000000",
name="my-custom-role-definition",
scope=primary.id,
permissions=[{
"actions": ["Microsoft.Resources/subscriptions/resourceGroups/read"],
"not_actions": [],
}],
assignable_scopes=[primary.id])
example_assignment = azure.authorization.Assignment("example",
name="00000000-0000-0000-0000-000000000000",
scope=primary.id,
role_definition_id=example_role_definition.role_definition_resource_id,
principal_id=example.object_id)
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
primary, err := core.LookupSubscription(ctx, &core.LookupSubscriptionArgs{}, nil)
if err != nil {
return err
}
example, err := core.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
exampleRoleDefinition, err := authorization.NewRoleDefinition(ctx, "example", &authorization.RoleDefinitionArgs{
RoleDefinitionId: pulumi.String("00000000-0000-0000-0000-000000000000"),
Name: pulumi.String("my-custom-role-definition"),
Scope: pulumi.String(primary.Id),
Permissions: authorization.RoleDefinitionPermissionArray{
&authorization.RoleDefinitionPermissionArgs{
Actions: pulumi.StringArray{
pulumi.String("Microsoft.Resources/subscriptions/resourceGroups/read"),
},
NotActions: pulumi.StringArray{},
},
},
AssignableScopes: pulumi.StringArray{
pulumi.String(primary.Id),
},
})
if err != nil {
return err
}
_, err = authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
Name: pulumi.String("00000000-0000-0000-0000-000000000000"),
Scope: pulumi.String(primary.Id),
RoleDefinitionId: exampleRoleDefinition.RoleDefinitionResourceId,
PrincipalId: pulumi.String(example.ObjectId),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var primary = Azure.Core.GetSubscription.Invoke();
var example = Azure.Core.GetClientConfig.Invoke();
var exampleRoleDefinition = new Azure.Authorization.RoleDefinition("example", new()
{
RoleDefinitionId = "00000000-0000-0000-0000-000000000000",
Name = "my-custom-role-definition",
Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
Permissions = new[]
{
new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
{
Actions = new[]
{
"Microsoft.Resources/subscriptions/resourceGroups/read",
},
NotActions = new() { },
},
},
AssignableScopes = new[]
{
primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
},
});
var exampleAssignment = new Azure.Authorization.Assignment("example", new()
{
Name = "00000000-0000-0000-0000-000000000000",
Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
RoleDefinitionId = exampleRoleDefinition.RoleDefinitionResourceId,
PrincipalId = example.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.authorization.RoleDefinition;
import com.pulumi.azure.authorization.RoleDefinitionArgs;
import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var primary = CoreFunctions.getSubscription();
final var example = CoreFunctions.getClientConfig();
var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()
.roleDefinitionId("00000000-0000-0000-0000-000000000000")
.name("my-custom-role-definition")
.scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.permissions(RoleDefinitionPermissionArgs.builder()
.actions("Microsoft.Resources/subscriptions/resourceGroups/read")
.notActions()
.build())
.assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.build());
var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
.name("00000000-0000-0000-0000-000000000000")
.scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.roleDefinitionId(exampleRoleDefinition.roleDefinitionResourceId())
.principalId(example.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.build());
}
}
resources:
exampleRoleDefinition:
type: azure:authorization:RoleDefinition
name: example
properties:
roleDefinitionId: 00000000-0000-0000-0000-000000000000
name: my-custom-role-definition
scope: ${primary.id}
permissions:
- actions:
- Microsoft.Resources/subscriptions/resourceGroups/read
notActions: []
assignableScopes:
- ${primary.id}
exampleAssignment:
type: azure:authorization:Assignment
name: example
properties:
name: 00000000-0000-0000-0000-000000000000
scope: ${primary.id}
roleDefinitionId: ${exampleRoleDefinition.roleDefinitionResourceId}
principalId: ${example.objectId}
variables:
primary:
fn::invoke:
function: azure:core:getSubscription
arguments: {}
example:
fn::invoke:
function: azure:core:getClientConfig
arguments: {}
Custom Role & Management Group)
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const primary = azure.core.getSubscription({});
const example = azure.core.getClientConfig({});
const exampleGetGroup = azure.management.getGroup({
name: "00000000-0000-0000-0000-000000000000",
});
const exampleRoleDefinition = new azure.authorization.RoleDefinition("example", {
roleDefinitionId: "00000000-0000-0000-0000-000000000000",
name: "my-custom-role-definition",
scope: primary.then(primary => primary.id),
permissions: [{
actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
notActions: [],
}],
assignableScopes: [primary.then(primary => primary.id)],
});
const exampleAssignment = new azure.authorization.Assignment("example", {
name: "00000000-0000-0000-0000-000000000000",
scope: primaryAzurermManagementGroup.id,
roleDefinitionId: exampleRoleDefinition.roleDefinitionResourceId,
principalId: example.then(example => example.objectId),
});
import pulumi
import pulumi_azure as azure
primary = azure.core.get_subscription()
example = azure.core.get_client_config()
example_get_group = azure.management.get_group(name="00000000-0000-0000-0000-000000000000")
example_role_definition = azure.authorization.RoleDefinition("example",
role_definition_id="00000000-0000-0000-0000-000000000000",
name="my-custom-role-definition",
scope=primary.id,
permissions=[{
"actions": ["Microsoft.Resources/subscriptions/resourceGroups/read"],
"not_actions": [],
}],
assignable_scopes=[primary.id])
example_assignment = azure.authorization.Assignment("example",
name="00000000-0000-0000-0000-000000000000",
scope=primary_azurerm_management_group["id"],
role_definition_id=example_role_definition.role_definition_resource_id,
principal_id=example.object_id)
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/management"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
primary, err := core.LookupSubscription(ctx, &core.LookupSubscriptionArgs{}, nil)
if err != nil {
return err
}
example, err := core.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
_, err = management.LookupGroup(ctx, &management.LookupGroupArgs{
Name: pulumi.StringRef("00000000-0000-0000-0000-000000000000"),
}, nil)
if err != nil {
return err
}
exampleRoleDefinition, err := authorization.NewRoleDefinition(ctx, "example", &authorization.RoleDefinitionArgs{
RoleDefinitionId: pulumi.String("00000000-0000-0000-0000-000000000000"),
Name: pulumi.String("my-custom-role-definition"),
Scope: pulumi.String(primary.Id),
Permissions: authorization.RoleDefinitionPermissionArray{
&authorization.RoleDefinitionPermissionArgs{
Actions: pulumi.StringArray{
pulumi.String("Microsoft.Resources/subscriptions/resourceGroups/read"),
},
NotActions: pulumi.StringArray{},
},
},
AssignableScopes: pulumi.StringArray{
pulumi.String(primary.Id),
},
})
if err != nil {
return err
}
_, err = authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
Name: pulumi.String("00000000-0000-0000-0000-000000000000"),
Scope: pulumi.Any(primaryAzurermManagementGroup.Id),
RoleDefinitionId: exampleRoleDefinition.RoleDefinitionResourceId,
PrincipalId: pulumi.String(example.ObjectId),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var primary = Azure.Core.GetSubscription.Invoke();
var example = Azure.Core.GetClientConfig.Invoke();
var exampleGetGroup = Azure.Management.GetGroup.Invoke(new()
{
Name = "00000000-0000-0000-0000-000000000000",
});
var exampleRoleDefinition = new Azure.Authorization.RoleDefinition("example", new()
{
RoleDefinitionId = "00000000-0000-0000-0000-000000000000",
Name = "my-custom-role-definition",
Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
Permissions = new[]
{
new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
{
Actions = new[]
{
"Microsoft.Resources/subscriptions/resourceGroups/read",
},
NotActions = new() { },
},
},
AssignableScopes = new[]
{
primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
},
});
var exampleAssignment = new Azure.Authorization.Assignment("example", new()
{
Name = "00000000-0000-0000-0000-000000000000",
Scope = primaryAzurermManagementGroup.Id,
RoleDefinitionId = exampleRoleDefinition.RoleDefinitionResourceId,
PrincipalId = example.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.management.ManagementFunctions;
import com.pulumi.azure.management.inputs.GetGroupArgs;
import com.pulumi.azure.authorization.RoleDefinition;
import com.pulumi.azure.authorization.RoleDefinitionArgs;
import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var primary = CoreFunctions.getSubscription();
final var example = CoreFunctions.getClientConfig();
final var exampleGetGroup = ManagementFunctions.getGroup(GetGroupArgs.builder()
.name("00000000-0000-0000-0000-000000000000")
.build());
var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()
.roleDefinitionId("00000000-0000-0000-0000-000000000000")
.name("my-custom-role-definition")
.scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.permissions(RoleDefinitionPermissionArgs.builder()
.actions("Microsoft.Resources/subscriptions/resourceGroups/read")
.notActions()
.build())
.assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.build());
var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
.name("00000000-0000-0000-0000-000000000000")
.scope(primaryAzurermManagementGroup.id())
.roleDefinitionId(exampleRoleDefinition.roleDefinitionResourceId())
.principalId(example.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.build());
}
}
resources:
exampleRoleDefinition:
type: azure:authorization:RoleDefinition
name: example
properties:
roleDefinitionId: 00000000-0000-0000-0000-000000000000
name: my-custom-role-definition
scope: ${primary.id}
permissions:
- actions:
- Microsoft.Resources/subscriptions/resourceGroups/read
notActions: []
assignableScopes:
- ${primary.id}
exampleAssignment:
type: azure:authorization:Assignment
name: example
properties:
name: 00000000-0000-0000-0000-000000000000
scope: ${primaryAzurermManagementGroup.id}
roleDefinitionId: ${exampleRoleDefinition.roleDefinitionResourceId}
principalId: ${example.objectId}
variables:
primary:
fn::invoke:
function: azure:core:getSubscription
arguments: {}
example:
fn::invoke:
function: azure:core:getClientConfig
arguments: {}
exampleGetGroup:
fn::invoke:
function: azure:management:getGroup
arguments:
name: 00000000-0000-0000-0000-000000000000
ABAC Condition)
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
import * as std from "@pulumi/std";
const primary = azure.core.getSubscription({});
const example = azure.core.getClientConfig({});
const builtin = azure.authorization.getRoleDefinition({
name: "Reader",
});
const exampleAssignment = new azure.authorization.Assignment("example", {
roleDefinitionName: "Role Based Access Control Administrator",
scope: primary.then(primary => primary.id),
principalId: example.then(example => example.objectId),
principalType: "ServicePrincipal",
description: "Role Based Access Control Administrator role assignment with ABAC Condition.",
conditionVersion: "2.0",
condition: Promise.all([builtin.then(builtin => std.basename({
input: builtin.roleDefinitionId,
})), builtin.then(builtin => std.basename({
input: builtin.roleDefinitionId,
}))]).then(([invoke, invoke1]) => `(
(
!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
)
OR
(
@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${invoke.result}}
)
)
AND
(
(
!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
)
OR
(
@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${invoke1.result}}
)
)
`),
});
import pulumi
import pulumi_azure as azure
import pulumi_std as std
primary = azure.core.get_subscription()
example = azure.core.get_client_config()
builtin = azure.authorization.get_role_definition(name="Reader")
example_assignment = azure.authorization.Assignment("example",
role_definition_name="Role Based Access Control Administrator",
scope=primary.id,
principal_id=example.object_id,
principal_type="ServicePrincipal",
description="Role Based Access Control Administrator role assignment with ABAC Condition.",
condition_version="2.0",
condition=f"""(
(
!(ActionMatches{{'Microsoft.Authorization/roleAssignments/write'}})
)
OR
(
@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {{{std.basename(input=builtin.role_definition_id).result}}}
)
)
AND
(
(
!(ActionMatches{{'Microsoft.Authorization/roleAssignments/delete'}})
)
OR
(
@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {{{std.basename(input=builtin.role_definition_id).result}}}
)
)
""")
package main
import (
"fmt"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
primary, err := core.LookupSubscription(ctx, &core.LookupSubscriptionArgs{}, nil)
if err != nil {
return err
}
example, err := core.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
builtin, err := authorization.LookupRoleDefinition(ctx, &authorization.LookupRoleDefinitionArgs{
Name: pulumi.StringRef("Reader"),
}, nil)
if err != nil {
return err
}
invokeBasename, err := std.Basename(ctx, &std.BasenameArgs{
Input: builtin.RoleDefinitionId,
}, nil)
if err != nil {
return err
}
invokeBasename1, err := std.Basename(ctx, &std.BasenameArgs{
Input: builtin.RoleDefinitionId,
}, nil)
if err != nil {
return err
}
_, err = authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
RoleDefinitionName: pulumi.String("Role Based Access Control Administrator"),
Scope: pulumi.String(primary.Id),
PrincipalId: pulumi.String(example.ObjectId),
PrincipalType: pulumi.String("ServicePrincipal"),
Description: pulumi.String("Role Based Access Control Administrator role assignment with ABAC Condition."),
ConditionVersion: pulumi.String("2.0"),
Condition: pulumi.Sprintf(`(
(
!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
)
OR
(
@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {%v}
)
)
AND
(
(
!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
)
OR
(
@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {%v}
)
)
`, invokeBasename.Result, invokeBasename1.Result),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var primary = Azure.Core.GetSubscription.Invoke();
var example = Azure.Core.GetClientConfig.Invoke();
var builtin = Azure.Authorization.GetRoleDefinition.Invoke(new()
{
Name = "Reader",
});
var exampleAssignment = new Azure.Authorization.Assignment("example", new()
{
RoleDefinitionName = "Role Based Access Control Administrator",
Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
PrincipalId = example.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
PrincipalType = "ServicePrincipal",
Description = "Role Based Access Control Administrator role assignment with ABAC Condition.",
ConditionVersion = "2.0",
Condition = Output.Tuple(Std.Basename.Invoke(new()
{
Input = builtin.Apply(getRoleDefinitionResult => getRoleDefinitionResult.RoleDefinitionId),
}), Std.Basename.Invoke(new()
{
Input = builtin.Apply(getRoleDefinitionResult => getRoleDefinitionResult.RoleDefinitionId),
})).Apply(values =>
{
var invoke = values.Item1;
var invoke1 = values.Item2;
return @$"(
(
!(ActionMatches{{'Microsoft.Authorization/roleAssignments/write'}})
)
OR
(
@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {{{invoke.Result}}}
)
)
AND
(
(
!(ActionMatches{{'Microsoft.Authorization/roleAssignments/delete'}})
)
OR
(
@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {{{invoke1.Result}}}
)
)
";
}),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.authorization.AuthorizationFunctions;
import com.pulumi.azure.authorization.inputs.GetRoleDefinitionArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var primary = CoreFunctions.getSubscription();
final var example = CoreFunctions.getClientConfig();
final var builtin = AuthorizationFunctions.getRoleDefinition(GetRoleDefinitionArgs.builder()
.name("Reader")
.build());
var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
.roleDefinitionName("Role Based Access Control Administrator")
.scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.principalId(example.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.principalType("ServicePrincipal")
.description("Role Based Access Control Administrator role assignment with ABAC Condition.")
.conditionVersion("2.0")
.condition("""
(
(
!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
)
OR
(
@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {%s}
)
)
AND
(
(
!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
)
OR
(
@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {%s}
)
)
", StdFunctions.basename(BasenameArgs.builder()
.input(builtin.applyValue(getRoleDefinitionResult -> getRoleDefinitionResult.roleDefinitionId()))
.build()).result(),StdFunctions.basename(BasenameArgs.builder()
.input(builtin.applyValue(getRoleDefinitionResult -> getRoleDefinitionResult.roleDefinitionId()))
.build()).result()))
.build());
}
}
resources:
exampleAssignment:
type: azure:authorization:Assignment
name: example
properties:
roleDefinitionName: Role Based Access Control Administrator
scope: ${primary.id}
principalId: ${example.objectId}
principalType: ServicePrincipal
description: Role Based Access Control Administrator role assignment with ABAC Condition.
conditionVersion: '2.0'
condition:
fn::join:
- ""
- - |-
(
(
!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
)
OR
(
@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
- fn::invoke:
function: std:basename
arguments:
input: ${builtin.roleDefinitionId}
return: result
- |-
}
)
)
AND
(
(
!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
)
OR
(
@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
- fn::invoke:
function: std:basename
arguments:
input: ${builtin.roleDefinitionId}
return: result
- |
}
)
)
variables:
primary:
fn::invoke:
function: azure:core:getSubscription
arguments: {}
example:
fn::invoke:
function: azure:core:getClientConfig
arguments: {}
builtin:
fn::invoke:
function: azure:authorization:getRoleDefinition
arguments:
name: Reader
Create Assignment Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Assignment(name: string, args: AssignmentArgs, opts?: CustomResourceOptions);@overload
def Assignment(resource_name: str,
args: AssignmentArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Assignment(resource_name: str,
opts: Optional[ResourceOptions] = None,
principal_id: Optional[str] = None,
scope: Optional[str] = None,
condition: Optional[str] = None,
condition_version: Optional[str] = None,
delegated_managed_identity_resource_id: Optional[str] = None,
description: Optional[str] = None,
name: Optional[str] = None,
principal_type: Optional[str] = None,
role_definition_id: Optional[str] = None,
role_definition_name: Optional[str] = None,
skip_service_principal_aad_check: Optional[bool] = None)func NewAssignment(ctx *Context, name string, args AssignmentArgs, opts ...ResourceOption) (*Assignment, error)public Assignment(string name, AssignmentArgs args, CustomResourceOptions? opts = null)public Assignment(String name, AssignmentArgs args)
public Assignment(String name, AssignmentArgs args, CustomResourceOptions options)
type: azure:authorization:Assignment
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name
This property is required. string - The unique name of the resource.
- args
This property is required. AssignmentArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name
This property is required. str - The unique name of the resource.
- args
This property is required. AssignmentArgs - The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. AssignmentArgs - The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. AssignmentArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name
This property is required. String - The unique name of the resource.
- args
This property is required. AssignmentArgs - The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var assignmentResource = new Azure.Authorization.Assignment("assignmentResource", new()
{
PrincipalId = "string",
Scope = "string",
Condition = "string",
ConditionVersion = "string",
DelegatedManagedIdentityResourceId = "string",
Description = "string",
Name = "string",
PrincipalType = "string",
RoleDefinitionId = "string",
RoleDefinitionName = "string",
SkipServicePrincipalAadCheck = false,
});
example, err := authorization.NewAssignment(ctx, "assignmentResource", &authorization.AssignmentArgs{
PrincipalId: pulumi.String("string"),
Scope: pulumi.String("string"),
Condition: pulumi.String("string"),
ConditionVersion: pulumi.String("string"),
DelegatedManagedIdentityResourceId: pulumi.String("string"),
Description: pulumi.String("string"),
Name: pulumi.String("string"),
PrincipalType: pulumi.String("string"),
RoleDefinitionId: pulumi.String("string"),
RoleDefinitionName: pulumi.String("string"),
SkipServicePrincipalAadCheck: pulumi.Bool(false),
})
var assignmentResource = new Assignment("assignmentResource", AssignmentArgs.builder()
.principalId("string")
.scope("string")
.condition("string")
.conditionVersion("string")
.delegatedManagedIdentityResourceId("string")
.description("string")
.name("string")
.principalType("string")
.roleDefinitionId("string")
.roleDefinitionName("string")
.skipServicePrincipalAadCheck(false)
.build());
assignment_resource = azure.authorization.Assignment("assignmentResource",
principal_id="string",
scope="string",
condition="string",
condition_version="string",
delegated_managed_identity_resource_id="string",
description="string",
name="string",
principal_type="string",
role_definition_id="string",
role_definition_name="string",
skip_service_principal_aad_check=False)
const assignmentResource = new azure.authorization.Assignment("assignmentResource", {
principalId: "string",
scope: "string",
condition: "string",
conditionVersion: "string",
delegatedManagedIdentityResourceId: "string",
description: "string",
name: "string",
principalType: "string",
roleDefinitionId: "string",
roleDefinitionName: "string",
skipServicePrincipalAadCheck: false,
});
type: azure:authorization:Assignment
properties:
condition: string
conditionVersion: string
delegatedManagedIdentityResourceId: string
description: string
name: string
principalId: string
principalType: string
roleDefinitionId: string
roleDefinitionName: string
scope: string
skipServicePrincipalAadCheck: false
Assignment Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Assignment resource accepts the following input properties:
- Principal
Id stringThis property is required. 
Changes to this property will trigger replacement. The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- Scope
string
This property is required. Changes to this property will trigger replacement. - The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or/providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created. - Condition
- The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- Condition
Version - The version of the condition. Possible values are
1.0or2.0. Changing this forces a new resource to be created. - Delegated
Managed Identity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- Description
- The description for this Role Assignment. Changing this forces a new resource to be created.
- Name
- A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- Principal
Type The type of the
principal_id. Possible values areUser,GroupandServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.NOTE: If one of
conditionorcondition_versionis set both fields must be present.- Role
Definition Id - The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name. - Role
Definition Name - The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id. - Skip
Service boolPrincipal Aad Check If the
principal_idis a newly provisionedService Principalset this value totrueto skip theAzure Active Directorycheck which may fail due to replication lag. This argument is only valid if theprincipal_idis aService Principalidentity. Defaults tofalse.NOTE: If it is not a
Service Principalidentity it will cause the role assignment to fail.
- Principal
Id stringThis property is required. Changes to this property will trigger replacement. The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- Scope
string
This property is required. Changes to this property will trigger replacement. - The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or/providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created. - Condition
- The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- Condition
Version - The version of the condition. Possible values are
1.0or2.0. Changing this forces a new resource to be created. - Delegated
Managed Identity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- Description
- The description for this Role Assignment. Changing this forces a new resource to be created.
- Name
- A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- Principal
Type The type of the
principal_id. Possible values areUser,GroupandServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.NOTE: If one of
conditionorcondition_versionis set both fields must be present.- Role
Definition Id - The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name. - Role
Definition Name - The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id. - Skip
Service boolPrincipal Aad Check If the
principal_idis a newly provisionedService Principalset this value totrueto skip theAzure Active Directorycheck which may fail due to replication lag. This argument is only valid if theprincipal_idis aService Principalidentity. Defaults tofalse.NOTE: If it is not a
Service Principalidentity it will cause the role assignment to fail.
- principal
Id StringThis property is required. Changes to this property will trigger replacement. The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- scope
String
This property is required. Changes to this property will trigger replacement. - The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or/providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created. - condition
- The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- condition
Version - The version of the condition. Possible values are
1.0or2.0. Changing this forces a new resource to be created. - delegated
Managed Identity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- description
- The description for this Role Assignment. Changing this forces a new resource to be created.
- name
- A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- principal
Type The type of the
principal_id. Possible values areUser,GroupandServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.NOTE: If one of
conditionorcondition_versionis set both fields must be present.- role
Definition Id - The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name. - role
Definition Name - The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id. - skip
Service BooleanPrincipal Aad Check If the
principal_idis a newly provisionedService Principalset this value totrueto skip theAzure Active Directorycheck which may fail due to replication lag. This argument is only valid if theprincipal_idis aService Principalidentity. Defaults tofalse.NOTE: If it is not a
Service Principalidentity it will cause the role assignment to fail.
- principal
Id stringThis property is required. Changes to this property will trigger replacement. The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- scope
string
This property is required. Changes to this property will trigger replacement. - The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or/providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created. - condition
- The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- condition
Version - The version of the condition. Possible values are
1.0or2.0. Changing this forces a new resource to be created. - delegated
Managed Identity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- description
- The description for this Role Assignment. Changing this forces a new resource to be created.
- name
- A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- principal
Type The type of the
principal_id. Possible values areUser,GroupandServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.NOTE: If one of
conditionorcondition_versionis set both fields must be present.- role
Definition Id - The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name. - role
Definition Name - The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id. - skip
Service booleanPrincipal Aad Check If the
principal_idis a newly provisionedService Principalset this value totrueto skip theAzure Active Directorycheck which may fail due to replication lag. This argument is only valid if theprincipal_idis aService Principalidentity. Defaults tofalse.NOTE: If it is not a
Service Principalidentity it will cause the role assignment to fail.
- principal_
id strThis property is required. Changes to this property will trigger replacement. The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- scope
str
This property is required. Changes to this property will trigger replacement. - The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or/providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created. - condition
- The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- condition_
version - The version of the condition. Possible values are
1.0or2.0. Changing this forces a new resource to be created. - delegated_
managed_ identity_ resource_ id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- description
- The description for this Role Assignment. Changing this forces a new resource to be created.
- name
- A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- principal_
type The type of the
principal_id. Possible values areUser,GroupandServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.NOTE: If one of
conditionorcondition_versionis set both fields must be present.- role_
definition_ id - The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name. - role_
definition_ name - The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id. - skip_
service_ boolprincipal_ aad_ check If the
principal_idis a newly provisionedService Principalset this value totrueto skip theAzure Active Directorycheck which may fail due to replication lag. This argument is only valid if theprincipal_idis aService Principalidentity. Defaults tofalse.NOTE: If it is not a
Service Principalidentity it will cause the role assignment to fail.
- principal
Id StringThis property is required. Changes to this property will trigger replacement. The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- scope
String
This property is required. Changes to this property will trigger replacement. - The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or/providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created. - condition
- The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- condition
Version - The version of the condition. Possible values are
1.0or2.0. Changing this forces a new resource to be created. - delegated
Managed Identity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- description
- The description for this Role Assignment. Changing this forces a new resource to be created.
- name
- A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- principal
Type The type of the
principal_id. Possible values areUser,GroupandServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.NOTE: If one of
conditionorcondition_versionis set both fields must be present.- role
Definition Id - The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name. - role
Definition Name - The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id. - skip
Service BooleanPrincipal Aad Check If the
principal_idis a newly provisionedService Principalset this value totrueto skip theAzure Active Directorycheck which may fail due to replication lag. This argument is only valid if theprincipal_idis aService Principalidentity. Defaults tofalse.NOTE: If it is not a
Service Principalidentity it will cause the role assignment to fail.
Outputs
All input properties are implicitly available as output properties. Additionally, the Assignment resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing Assignment Resource
Get an existing Assignment resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AssignmentState, opts?: CustomResourceOptions): Assignment@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
condition: Optional[str] = None,
condition_version: Optional[str] = None,
delegated_managed_identity_resource_id: Optional[str] = None,
description: Optional[str] = None,
name: Optional[str] = None,
principal_id: Optional[str] = None,
principal_type: Optional[str] = None,
role_definition_id: Optional[str] = None,
role_definition_name: Optional[str] = None,
scope: Optional[str] = None,
skip_service_principal_aad_check: Optional[bool] = None) -> Assignmentfunc GetAssignment(ctx *Context, name string, id IDInput, state *AssignmentState, opts ...ResourceOption) (*Assignment, error)public static Assignment Get(string name, Input<string> id, AssignmentState? state, CustomResourceOptions? opts = null)public static Assignment get(String name, Output<String> id, AssignmentState state, CustomResourceOptions options)resources: _: type: azure:authorization:Assignment get: id: ${id}- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Condition
- The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- Condition
Version - The version of the condition. Possible values are
1.0or2.0. Changing this forces a new resource to be created. - Delegated
Managed Identity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- Description
- The description for this Role Assignment. Changing this forces a new resource to be created.
- Name
- A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- Principal
Id The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- Principal
Type The type of the
principal_id. Possible values areUser,GroupandServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.NOTE: If one of
conditionorcondition_versionis set both fields must be present.- Role
Definition Id - The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name. - Role
Definition Name - The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id. - Scope
- The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or/providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created. - Skip
Service boolPrincipal Aad Check If the
principal_idis a newly provisionedService Principalset this value totrueto skip theAzure Active Directorycheck which may fail due to replication lag. This argument is only valid if theprincipal_idis aService Principalidentity. Defaults tofalse.NOTE: If it is not a
Service Principalidentity it will cause the role assignment to fail.
- Condition
- The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- Condition
Version - The version of the condition. Possible values are
1.0or2.0. Changing this forces a new resource to be created. - Delegated
Managed Identity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- Description
- The description for this Role Assignment. Changing this forces a new resource to be created.
- Name
- A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- Principal
Id The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- Principal
Type The type of the
principal_id. Possible values areUser,GroupandServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.NOTE: If one of
conditionorcondition_versionis set both fields must be present.- Role
Definition Id - The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name. - Role
Definition Name - The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id. - Scope
- The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or/providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created. - Skip
Service boolPrincipal Aad Check If the
principal_idis a newly provisionedService Principalset this value totrueto skip theAzure Active Directorycheck which may fail due to replication lag. This argument is only valid if theprincipal_idis aService Principalidentity. Defaults tofalse.NOTE: If it is not a
Service Principalidentity it will cause the role assignment to fail.
- condition
- The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- condition
Version - The version of the condition. Possible values are
1.0or2.0. Changing this forces a new resource to be created. - delegated
Managed Identity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- description
- The description for this Role Assignment. Changing this forces a new resource to be created.
- name
- A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- principal
Id The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- principal
Type The type of the
principal_id. Possible values areUser,GroupandServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.NOTE: If one of
conditionorcondition_versionis set both fields must be present.- role
Definition Id - The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name. - role
Definition Name - The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id. - scope
- The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or/providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created. - skip
Service BooleanPrincipal Aad Check If the
principal_idis a newly provisionedService Principalset this value totrueto skip theAzure Active Directorycheck which may fail due to replication lag. This argument is only valid if theprincipal_idis aService Principalidentity. Defaults tofalse.NOTE: If it is not a
Service Principalidentity it will cause the role assignment to fail.
- condition
- The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- condition
Version - The version of the condition. Possible values are
1.0or2.0. Changing this forces a new resource to be created. - delegated
Managed Identity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- description
- The description for this Role Assignment. Changing this forces a new resource to be created.
- name
- A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- principal
Id The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- principal
Type The type of the
principal_id. Possible values areUser,GroupandServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.NOTE: If one of
conditionorcondition_versionis set both fields must be present.- role
Definition Id - The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name. - role
Definition Name - The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id. - scope
- The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or/providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created. - skip
Service booleanPrincipal Aad Check If the
principal_idis a newly provisionedService Principalset this value totrueto skip theAzure Active Directorycheck which may fail due to replication lag. This argument is only valid if theprincipal_idis aService Principalidentity. Defaults tofalse.NOTE: If it is not a
Service Principalidentity it will cause the role assignment to fail.
- condition
- The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- condition_
version - The version of the condition. Possible values are
1.0or2.0. Changing this forces a new resource to be created. - delegated_
managed_ identity_ resource_ id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- description
- The description for this Role Assignment. Changing this forces a new resource to be created.
- name
- A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- principal_
id The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- principal_
type The type of the
principal_id. Possible values areUser,GroupandServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.NOTE: If one of
conditionorcondition_versionis set both fields must be present.- role_
definition_ id - The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name. - role_
definition_ name - The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id. - scope
- The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or/providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created. - skip_
service_ boolprincipal_ aad_ check If the
principal_idis a newly provisionedService Principalset this value totrueto skip theAzure Active Directorycheck which may fail due to replication lag. This argument is only valid if theprincipal_idis aService Principalidentity. Defaults tofalse.NOTE: If it is not a
Service Principalidentity it will cause the role assignment to fail.
- condition
- The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- condition
Version - The version of the condition. Possible values are
1.0or2.0. Changing this forces a new resource to be created. - delegated
Managed Identity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- description
- The description for this Role Assignment. Changing this forces a new resource to be created.
- name
- A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- principal
Id The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- principal
Type The type of the
principal_id. Possible values areUser,GroupandServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.NOTE: If one of
conditionorcondition_versionis set both fields must be present.- role
Definition Id - The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name. - role
Definition Name - The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id. - scope
- The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or/providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created. - skip
Service BooleanPrincipal Aad Check If the
principal_idis a newly provisionedService Principalset this value totrueto skip theAzure Active Directorycheck which may fail due to replication lag. This argument is only valid if theprincipal_idis aService Principalidentity. Defaults tofalse.NOTE: If it is not a
Service Principalidentity it will cause the role assignment to fail.
Import
Role Assignments can be imported using the resource id, e.g.
$ pulumi import azure:authorization/assignment:Assignment example /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000
for scope
Subscription, the id format is/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000for scope
Resource Group, the id format is/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000for scope referencing a Key Vault, the id format is
/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.KeyVault/vaults/vaultname/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000
text
/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000|00000000-0000-0000-0000-000000000000
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Classic pulumi/pulumi-azure
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
azurermTerraform Provider.